The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Biden campaign hires first top cybersecurity official to protect against digital threats

Placeholder while article actions load

Joe Biden, with four months until Election Day, is hiring a top cybersecurity official to secure his campaign against an array of digital threats. 

The campaign's decision to delegate security to an industry heavy hitter reflects the intense pressure to avoid a repeat of the Russian hacking and leaking operation that upended Hillary Clinton’s presidential effort four years ago.  

Those needs are perhaps only more critical as the campaign faces unprecedented security and technology challenges from staff and volunteers working remotely during the coronavirus pandemic. 

The new CISO, Chris DeRusha, will be running a team focused exclusively on security.

DeRusha was White House senior cybersecurity adviser and held a series of top cybersecurity jobs in the Department of Homeland Security during the Obama administration. He’s currently chief security officer for the state of Michigan and previously led Ford Motor Company's enterprise vulnerability management program. 

The campaign is also hiring a new chief technology officer: Jacky Chang will lead a team that develops products and ensures campaign tech runs smoothly

Chang was a senior engineer on Hillary Clinton’s 2016 campaign and worked on a Democratic National Committee team that built software to help ensure voter access during the 2018 midterms. Chang will be on leave from her role as senior technologist at Schmidt Futures, the philanthropic firm run by former Google executive Eric Schmidt. 

The CTO job previously included cybersecurity when it was held by former CTO Dan Woods. Woods left after the primary, a campaign official told me. The official described splitting the roles – and developing a full cybersecurity team – as a natural evolution of moving from the primaries to the general election. 

“Biden for President takes cybersecurity seriously and is proud to have hired high quality personnel with a diverse breadth of experience, knowledge and expertise to ensure our campaign remains secure,” the Biden campaign said in a statement. 

DeRusha and Chang “will be central to strengthening the infrastructure we've built to mitigate cyber threats, bolster our voter protection efforts, and enhance the overall efficiency and security of the entire campaign," the statement said. 

The Biden team is already hiring to fill out the rest of its cybersecurity staff. 

It has posted wanted ads for two senior cybersecurity jobs on its website — a senior cyber incident response/ threat analyst and a senior cloud security architect — as well as several technology jobs. 

The campaign is already the target of digital attacks. 

Woods, a former Target engineer, described his role handling the Biden campaign's cybersecurity efforts as a constant fight to fend off phishing attacks — misleading emails full of malicious software that can allow hackers to steal people’s personal information.

Woods didn’t identify the source of those malicious emails, but it was a phishing attack targeting Clinton campaign chairman John Podesta that allowed Russian government-linked hackers to worm their way into the Clinton campaign, according to an indictment filed by former special counsel Robert S. Mueller III.

Intelligence and DHS officials have routinely warned that Russia and other U.S. adversaries are eager to undermine the 2020 contest. During the primaries, intelligence officers warned that Russia was rooting for the Trump campaign and the campaign of Sen. Bernie Sanders (I-Vt.). Microsoft also uncovered an Iranian attempt to hack into email accounts belonging to one presidential campaign, which Reuters identified as the Trump campaign. 

The Biden campaign has been focusing on cybersecurity since its earliest days. 

More than six months before the Iowa caucuses, the campaign told me that it was providing staff with cybersecurity training and mandating they use extra protections when logging into digital accounts. “Biden for President is executing a comprehensive approach to defending, protecting and securing our digital ecosystem,” the campaign said in June 2019. 

But the cybersecurity challenges are sure to grow during the general election. That’s not least because it’s hiring up large swaths of new staff members and volunteers — any of whom could be victims of a phishing attack that later spreads throughout the campaign. 

It will also be far harder to secure the campaign during the pandemic. That’s because its far less likely staff members will be doing any work from a central office where security pros can monitor what goes in and out of the network. 

The Trump campaign has also hired someone to focus full-time on cybersecurity, a campaign official told me. 

The Trump campaign has consistently declined to answer questions about what sort of cybersecurity protections it has in place. The campaign says that answering such questions could help hackers. 

That reasoning doesn’t wash with most cybersecurity experts, but the hesitancy to talk about cybersecurity is broadly bipartisan. Several Democratic campaigns also declined to answer basic question about their cybersecurity protections during the primaries, including campaigns for Sanders and Sen. Elizabeth Warren (D-Mass.). 

The only Democratic campaign to publicly announce hiring a CISO during the primaries was that of former South Bend, Ind., Mayor Pete Buttigieg. That campaign’s CISO, Mick Baccio, quit shortly before the Iowa caucuses citing “fundamental philosophical differences." Baccio was also a former Obama administration cybersecurity official. 

As Michigan’s top cybersecurity official, DeRusha was responsible for the security of about 55,000 state employees.

He also testified before the Senate Homeland Security Committee, where he warned that states lack many vital resources to defend themselves against cyberattacks and urged more federal help. 

“Our country’s state and local governments are on the front lines of today’s digital conflict, attacked daily by highly resourced advanced persistent threats, and there remains a great deal of work in order to secure the networks we rely on to provide essential services to the public,” he said in February.  

The keys

Barring Huawei from the United Kingdom’s 5G networks will be a lengthy and costly process. 

It will take at least five years for UK telecoms to swap out all their Huawei gear if lawmakers follow the U.S. lead in banning the company from next-generation 5G networks, according to representatives from the telecoms BT and Vodafone, Bloomberg News’s Thomas Seal reports

Making the switch in three years as some UK lawmakers have urged would be “logistically impossible,” Howard Watson, BT’s chief technology and information officer, told a Parliamentary committee. The cost of the switch will also likely be in the “single-figure billions,” Andrea Dona, Vodafone’s head of U.K. networks, said.

The assessment comes as Prime Minister Boris Johnson and other UK lawmakers look increasingly likely to reverse an earlier decision that allowed Huawei to build less-sensitive portions of the nation’s 5G system. The Trump administration recently barred international chipmakers that sell to the United States from working with Huawei, which was a severe blow to the company. U.S. officials say Huawei can’t be trusted not to spy for the Chinese government, which Huawei denies.

House Foreign Affairs Committee leaders are launching a rare bipartisan effort to combat election interference. 

Their new bill would expand a State Department program that offers rewards for people who help U.S. authorities catch terrorists and drug traffickers to also apply to people who interfere in U.S. elections. It was sponsored by Committee Chairman Eliot L. Engel (D-N.Y.) and ranking Republican Michael McCaul (Tex.).

“This bipartisan legislation sends a clear message to malicious actors attempting to interfere in our democratic process: The United States will absolutely not tolerate it, and there will be consequences,” McCaul said in a statement. 

Bipartisan election security efforts have become increasingly rare amid a years-long standoff between Democrats who want to mandate new security requirements for states and Senate Majority Leader Mitch McConnell (R-Ky.), who opposes such mandates. A few minor bipartisan measures have passed the Senate, such as a bill that makes it a federal crime to hack voting systems. 

Researchers are warning about vulnerabilities in smartwatches for dementia patients. 

The watches are designed for patients to easily reach their caregivers and to remind them when to take pills and perform other medically necessary tasks. But researchers at the cybersecurity firm Pen Test Partners found they could hack the devices to make them send patients extra “take pills” reminders, Zack Whittaker at TechCrunch reports

A dementia sufferer is unlikely to remember that they had already taken their medication,” the company wrote in a blog post. “An overdose could easily result.” 

The vulnerable software that runs on the device is called SETracker and is owned by the Chinese company 3G Electronics, Pen Test Partners said. The company earlier found similar vulnerabilities in smartwatches marketed to parents to keep track of their children. 

Global cyberspace

Telecom Italia has excluded Huawei from a list of vendors building core 5G infrastructure in Italy and Brazil.

The list of approved vendors includes Cisco, Ericsson and Nokia, Reuters’s Elvira Pollina reports. Core parts of a network are those that have the greatest access to sensitive information. Nations including the United Kingdom have considered allowing Huawei to build only non-core parts of 5G. 

The move is another blow for the Chinese firm, which is struggling to maintain a foothold in Europe and the Americas amid an intense pressure campaign from the Trump administration, which says it’s a spying threat. 

More cybersecurity news:

TikTok Considers Changes to Distance App From Chinese Roots (Wall Street Journal)

Police Surveilled George Floyd Protests With Help From Twitter-Affiliated Startup Dataminr (The Intercept)

Verizon Adds Protection Against SIM Swapping Hacks in Mobile App (Vice)

Secret Service merging electronic and financial crime task forces to combat cybercrime (CyberScoop)

Chat room

Now, that’s personalized customer service. Encryption expert and Johns Hopkins professor Matthew Green and Signal creator Moxie Marlinspike:

Secure log off

Carl Reiner (1922-2020)