The desperate need for better campaign cybersecurity should be clear just from the past few weeks, if it wasn’t already, after reports that Russian hackers were digging around Ukrainian computer servers, possibly searching for dirt on Joe Biden, and that Pete Buttigieg’s chief information security officer — the only known, dedicated cybersecurity staffer in the entire Democratic field — had departed, replaced only by an outside contractor.
And yet, even with growing evidence of systemic vulnerabilities to foreign interference four years after Russia’s unprecedented, expensive and expansive attack on the 2016 election, we’re still relying on a patchwork of nonprofit and private companies to pitch in and protect us. Despite lots of words from well-meaning officials at the Department of Homeland Security, the Justice Department and the FBI, election security remains woefully undermanned and underfunded; former homeland security secretary Kirstjen Nielsen was reportedly told not to bring up the issue with the president, on the advice of acting White House chief of staff Mick Mulvaney, who allegedly told her that it “wasn’t a great subject.”
In the face of such high-level inaction and willful blindness, the fact that we need companies like Cloudflare to help defend candidates is a failure. Protecting our democracy shouldn’t be the responsibility of civic-minded businesses. We strictly limit corporate involvement in other areas of campaigns: We wouldn’t allow Blackwater to “donate” protective details to candidates, nor would we let Chase “donate” banking services. Boeing, Lockheed Martin and Chevrolet aren’t allowed to donate special planes, helicopters or armored vehicles to help keep candidates safe as they move about the country.
But after lobbying, the Federal Election Commission changed its rules last year to permit campaigns and candidates to accept discounted cybersecurity services. And no one seems troubled that cybersecurity companies will be able to develop special relationships with campaigns, as candidates entrust their biggest secrets to private firms with policy interests in how the winners will govern.
None of this is meant to slight Cloudflare or to impugn its motives; it’s a great company and a critical part of the Internet ecosystem, and I’m friends with some of the firm’s leaders. But the fact is that Cloudflare and other companies, including Microsoft, Wickr, Area 1 and Cybrary, needed to step up, and the FEC had to create special rules, because the U.S. government and the political parties are refusing — and don’t know how — to do what’s necessary to protect candidates and campaigns.
Easy solutions are rarely as simple as they seem. Some suggest that the Secret Service — which, thanks to its mission of fighting financial crimes, has amazing expertise in cybersecurity — should protect presidential campaigns from hackers, just as it safeguards the top candidates themselves. But the Trump administration’s extreme politicization of the Department of Homeland Security surely would make Democratic campaigns wary of accepting such help and granting the deep, unfettered access to email and networks that the Secret Service would need to provide digital protection. And it’s not clear how wide a net the perennially underfunded and overworked agency could or should throw around a campaign: Does it protect only the candidate, only an inner circle, or should every Iowa volunteer be surrounded by a digital security blanket?
On Capitol Hill, where the sergeants-at-arms of the House and the Senate are responsible for protecting the IT networks of lawmakers, well-meaning campaign finance rules legally prevent those officials from helping members of Congress secure their personal cellphones, email accounts or campaign networks — even though such accounts are probably the most valuable targets for hackers. Those same rules require legislators to maintain separate phones and email for official business and campaign business, all but guaranteeing that sensitive conversations occur on nonofficial accounts. When he was in the House, Jason Chaffetz (R-Utah) included his Gmail address on his business cards, and it was, after all, John Podesta’s personal Gmail account, not a campaign account, that was targeted by Russia in 2016.
The Democratic and Republican national committees, or their respective House and Senate campaign arms, could offer centralized cybersecurity resources. But recent Democratic Congressional Campaign Committee policy changes aim to limit primary challengers’ access to such resources, meaning someone like Alexandria Ocasio-Cortez, who challenged a Democratic incumbent, would have been cut off until at least after winning a primary contest, potentially leaving campaigns on their own until weeks before the general election. Advanced hackers often spend weeks or even months probing a system — and it can take an expert adversary like Russia just 19 minutes to break in. So that security would almost certainly come too late.
Leaving cybersecurity choices to individual candidates and campaigns, which are often technically unsophisticated and strapped for cash, doesn’t seem like the best answer when we’re trying to protect the cornerstones of our elections from well-resourced threats by nation-state adversaries. Besides, many candidates don’t really understand the threats or the necessary defenses. Sen. Bernie Sanders (I-Vt.), in a New York Times interview published this month, made clear he’s not a typical digital citizen of the 21st century; he said he doesn’t have any apps on his phone and didn’t appear to know what two-factor authentication is. Instead, as he explained, he relies entirely on a woman in his office named Melissa to know what to do security-wise. Is his campaign prepared to deal with Russian incursions?
The best security exists at the beginning and continues forever, but most campaigns — particularly new ones — start on a shoestring. It’s hard to imagine using scarce dollars to fund bulletproof cybersecurity when candidates might not make it far enough for the investment to pay off. Similarly, campaign infrastructure mostly disappears after Election Day, yet the threat remains just as real; documents stolen from email accounts or file servers in odd-numbered years can be held and released closer to elections. And as “digital natives” begin to run for office, people who have lived their entire adult lives with the same Facebook account, the same Gmail account, the same iCloud account may find that those are treasure troves for hackers seeking blackmail or embarrassment. (Former congresswoman Katie Hill will surely not be the last officeholder to face a “revenge porn” scandal, either from a formerly trusted partner or a nation-state hacker.)
These individual complications and competing agendas make clear that the best cybersecurity isn’t done campaign by campaign, but instead is focused on overall deterrence. We need the federal government, starting with the president, to take the strongest possible stance — in the strongest possible language — to make clear to all adversaries that U.S. elections, candidates and campaigns are off-limits. The Trump administration has failed to do this. And in fact, Trump has done the opposite. A key factor in the impeachment proceedings is his call, on the White House lawn last year, for Ukraine and China to investigate Joe and Hunter Biden — making clear that he’s fine with foreign governments meddling in domestic politics.
If Ukraine, Russia or China helped dig up dirt on his opponents, Trump would love it. Such foreign interference seems to be an important part of his reelection strategy. This active betrayal of democracy should chill Democrats and Republicans alike. As I’ve argued in the past, the GOP’s willingness to tolerate Trump’s inaction is confounding, in part because there’s no guarantee that the next nation to attack our democracy will side with Trump or the Republicans. In light of the president’s policy toward Iran, for instance, it seems likely that the Islamic republic’s accomplished hackers might prefer to help his opponent win. Similarly, China’s Ministry of State Security is surely considering that one easy path out of the trade war Trump started would be for a Democrat to win in November.
We can’t allow our elections to become proxy battlegrounds, with the Russian GRU aiding the GOP as Iran’s Revolutionary Guard Corps seeks revenge for Trump’s killing of Qasem Soleimani by helping elect Elizabeth Warren or Joe Biden. Trump’s refusal to acknowledge these stakes is the biggest indictment of his failure to protect our country. And that willful blindness underscores the historic necessity of his impeachment trial.
As the senators sit on the jury, they should all be wondering: What’s the most embarrassing secret lurking in their email accounts or their camera rolls — and who’s looking for it right now?