THE KEY

As the coronavirus forces political campaigns to shift their operations online, they are bracing for increased cyberattacks, disinformation and pranks designed to undermine the 2020 election. 

Experts say campaigns need to pay more attention to the digital risks posed by increased document-sharing and video conferencing — and the onslaught of coronavirus-themed email and phone scams that could also try to trick voters. 

“Voter contact has shifted to digital and phones — and it's just primed for digital hackers and their shenanigans,” says Matt Rhoades, co-founder of Defending Digital Campaigns, a nonprofit group that connects political campaigns with free or reduced-price cybersecurity tools. 

Social distancing measures in the United States may give some people more time to cause disruptions, said Rhoades, a former presidential campaign manager for Mitt Romney. From a domestic digital threat we have a bunch of hackers sitting in their parents' basement eating ramen who have nothing to do but find weak spots in our elections, he said. 

But U.S. adversaries are also eager to find openings. Rhoades says that Iran and China – the latter of which has been behind a surge in hacking attempts during the pandemic aimed at stealing personal information – also “seem poised” to engage in cyberattacks against campaigns. 

DDC is emphasizing to campaigns that they must securely send and receive documents especially now that more work has moved online. “Campaigns are real targets of bad cyber actors,” Michael Kaiser, president and chief executive of DDC, told me. “If you work in a campaign you have to assume you are a target.” 

And Kaiser recommends campaigns use encrypted services such as Signal or Wickr, a DDC partner. Whichever they choose, Kaiser said, the key is enforcing consistent use across everyone in the campaign — which can be tricky for often loose-knit networks of staff and volunteers. “Making some of those cultural shifts about the way things get shared is a really important element right now,” Kaiser said. 

But campaigns have been less forthcoming on how they're protecting themselves as they shift online and embrace new ways to reach voters. 

“Biden for President takes cybersecurity seriously and has high quality personnel to ensure that the campaign's assets are secure,” a representative for former vice president Joe Biden said in a statement. “In furtherance of this goal, we will not be answering questions about specific methods used to ensure this security.”

The campaigns for Sen. Bernie Sanders (I-Vt.) and President Trump did not respond to questions about what digital security steps they're taking. 

While many campaigns have upped their efforts to protect email in the wake of the 2016 hack of Hillary Clinton's presidential campaign, there are deep concerns about the lack of protection for the virtual fundraisers, meetings and town halls that have boomed during the pandemic. 

Zoom, which the Biden campaign has used for town halls, has been blindsided by a number of security concerns, my colleague Cat Zakrzewski reported. After multiple reports of anonymous trolls targeting educators with racist and pornographic material, the FBI issued a warning last week advising that Zoom users should opt to keep meeting private and use participant-screening features. But my colleague Drew Harwell found thousands of private Zoom calls, including confidential therapy sessions, online last week, raising concerns about the company's privacy features. 

“I know that the larger campaigns are super-sensitive to it,” says Shomik Dutta, co-founder and partner at Higher Ground Labs, a political technology accelerator. “If you have a great broadcast experience that is truly two-way, you don't want you somebody crashing the party drawing something strange on their screen or hijacking control of the thing.” 

Higher Ground Labs has invested in a number of technologies, such as text-to-voter organizing tools, that are in demand as campaigns go digital, and has its eye on investing in more live event platforms. It encourages its start-ups to undergo frequent security and resiliency testing.

Disinformation and the threat of deepfakes are also another major concern for campaigns. U.S. officials have accused Russia, China and Iran of exploiting the global health crisis to spread misinformation about the disease and the United States' response to the pandemic. 

This could extend to the political space as the election draws near — especially as virtual and phone campaigning open up the door for pranksters to pose as candidates. 

But Rhoades says campaigns are in a box right now and security may not always be perfect. “Candidates have to be able to talk to voters,” Rhoades says. “Whether these systems are functioning at 110 percent, candidates have to move forward.” 

Scams targeting voters or campaign workers could also pose a threat. Agari, an email security firm, has seen a nearly 600 percent increase of coronavirus-themed attacks against the private sector. While so far there has been no similar uptick in phishing scams using coronavirus-themed bait to steal personal information from campaigns, Agari chief identity officer Armen Najarian tells me, it's possible that could change. 

Both the Sanders and Trump campaigns aren't fully using a security protocol that prevents hackers from sending emails pretending to be from their campaign website domains. 

And the personal emails of campaign members are also not immune from increased coronavirus-themed scams. 

“I think campaign staff are consumers, too, and while they might have a campaign email, they all have personal emails as well,” Kaiser says. “When it comes to the covid issues and the coronavirus, just like everyone else they're going to possibly be targeted during the crisis.” 

PINGED, PATCHED, PWNED

PINGED: The Wisconsin Supreme Court blocked an executive order by Gov. Tony Evers (D) that would have postponed today's elections until July, leaving pollworkers scrambling, my colleagues Amy Gardner, Elise Viebeck and Dan Simmons report. The decision could make it easier to challenge similar moves by other states to extend voting deadlines during the coronavirus pandemic.

The U.S. Supreme Court also struck down the state's plan for extended absentee voting with a 5-to-4 ruling in conservatives' favor. 

Wisconsin Republicans strongly lobbied against changing the primary date in the state, reflecting a growing national sentiment from the party questioning vote-by-mail and other measures introduced to lessen coronavirus risks. President Trump alleged on Friday that mail-in voting would allow more voters to “cheat.” 

“At the end of the day, this is about the people of Wisconsin,” Evers said Monday. “They frankly don’t care much about Republicans and Democrats fighting. They’re scared. We have the surgeon general saying this is Pearl Harbor. It’s time to act.” 

BYTES: Sen. Michael Bennet (D-Colo.) criticized Zoom's privacy practices in a letter yesterday videos of thousands of private meetings surfaced online on public sites such as YouTube. The Colorado Democrat joins a growing list of Democrats who have criticized the videoconferencing company for putting users' privacy and security at risk

“Many of these videos include intimate details of private businesses and personal relationships, potentially exposing users to significant financial, personal, and psychological harm,” Bennet wrote in a letter to Zoom CEO Eric Yuan. “In case after case, these issues consistently stem from Zoom’s deliberate decision to emphasize ease of use over user privacy and safety.”

Bennet wants to know all the data Zoom collects on users, how long it stores that data, and which third parties can access the data. He also wants to know what steps the company has taken to notify victims of the breach, which was first reported by my colleague Drew Harwell last week.

Zoom has taken a number of steps to address mounting security concerns with its platform and plans to make more privacy and security features available to users by default, Yuan told my colleague Cat Zakrzewski last week

PWNED: YouTube will remove videos promoting a conspiracy theory that 5G communications networks cause the coronavirus, Hadas Gold at CNN reports. The conspiracy theory, which traces back to the virus's emergence in China, exploded over social media in the United Kingdom last week and led to arson and vandalism of more than a dozen cellphone towers.

Content promoting the false link between the virus and the communications technology appears on Facebook and Twitter, as well. Both companies are set to meet with government leaders about curbing the misinformation this week, Alex Hern and Jim Waterson at the Guardian report

PUBLIC KEY

Industry groups representing U.S. chipmakers are pushing back against proposed changes that would prevent foreign merchants from selling chips made with U.S. technology without a license, Karen Freifeld at Reuters reports

The rule change could hurt advanced medical equipment essential to coronavirus response, the groups argued in a letter to U.S. Commerce Secretary Wilbur Ross. The groups are asking for the department to allow a public comment period before the rules go into place.

The proposal is aimed at Chinese telecommunications giant Huawei, but could lead to reprisals against the United States by China, the company's chairman warned last week.

— More cybersecurity news from the public sector:

By splitting some of their teams, U.S. spy services are taking steps similar to those being implemented or considered by some large private employers.
The Wall Street Journal
President Trump is facing backlash for recently firing the intelligence community’s watchdog, with critics accusing him of seeking further impeachment revenge while the country is focused on the coronavirus crisis.
The Hill
FCC Chairman says the agency will now act on a rulemaking it’s been sitting on since 2016.
Nextgov

PRIVATE KEY

— Cybersecurity news from the private sector:

Facebook is developing new tools that use aggregated, anonymized information about users' location to help public health officials figure out who's adhering to the social distancing guidelines.
CNBC
Even after being warned by researchers, some companies still haven’t fixed systems that make it easy for hackers to take over accounts.
Vice
Here’s how to record abuse without being discovered, safeguard your devices, and, ultimately, protect yourself.
The New York Times

THE NEW WILD WEST

— Cybersecurity news from abroad:

Police in India lodged a case this week against an unknown online fraudster who tried selling the world's largest statue for $4 billion, claiming the proceeds would be used to help the Gujarat state government fund its fight against the coronavirus.
Reuters
Europe
Moscow held back on requiring digital bar codes to leave home, but other regions are pushing ahead with mobile tracking.
Isabelle Khurshudyan
Cracking down on offshore cyber criminals who are targeting Australian households and businesses through devious scams and attacks amid the coronavirus outbreak.
ZDNet
European police continue to fight criminal activity linked to the spread of COVID-19.
ZDNet