The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Campaign cybersecurity might be the weakest link in the midterms

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I think of myself as “pretty online,” but only learned of this copypasta over the weekend.

Below: The U.S. government sanctions an Iranian official over cyberattacks, and an Israeli campaign manager is arrested for trying to overwhelm their rival with phone traffic. First:

Political campaigns are short-changed when it comes to election cyber security

An official at the Cybersecurity and Infrastructure Security Agency (CISA) said last week that election security is light-years ahead” of where it was in 2016. But there’s one area lagging behind as the 2022 midterm vote looms: the cybersecurity of political candidates’ campaigns.

In the aftermath of Russia’s election interference in the 2016 cycle, Congress delivered hundreds of millions of dollars to state and local governments to spend on things like replacing less secure voting machines and giving cybersecurity training to election officials.

There’s been no comparable mobilization for campaign security. That’s noteworthy because Russian hackers breaking into the systems of the Democratic National Committee (DNC) and Hillary Clinton’s presidential campaign kicked off the big election security push in the first place.

And political campaigns — almost none of which have dedicated cybersecurity staffers, and are near-totally focused on dedicating every available dollar to victory — are highly vulnerable.

  • “They’re probably some of the least-equipped institutions in our society to prioritize cyberthreats because of the incentive structures that they face being short-term organizations, where the risk-benefit calculus … doesn't often come out in favor of creating more protections,” Lindsay Gorman, the emerging technologies fellow at the German Marshall Fund’s Alliance for Securing Democracy, told me.
Pop-up operation

It’s not that agencies like CISA aren’t offering to help campaigns. But it’s a trickier proposition due to the pop-up nature of campaign operations and the tendency of those running for office to be skeptical of welcoming outsiders into the fold, Matt Masterson, CISA’s former top election security official, told me.

  • Only a handful of campaigns have taken CISA’s assistance in past election cycles, he said, although he also worked with the DNC and Republican National Committee (RNC) to get the word out.

“There’s a natural paranoia that comes with campaigning,” said Masterson, now director of information integrity at Microsoft. “Inviting anybody in raises questions.”

That means what help campaigns do get usually comes from umbrella political parties and free or low-cost technology offerings, like Microsoft and Google services.

One organization, the nonprofit, nonpartisan Defending Digital Campaigns, helps organizations by connecting them with vendors who provide cybersecurity services to them at little or no cost. Last cycle, the nonprofit helped a little more than 180 campaigns, and it’s almost at that number for this cycle, Michael Kaiser, president and CEO of the four-member team there, told me. Another organization, U.S. CyberDome, also provides cybersecurity help to campaigns.

Attackers abound

The year 2016 isn’t the only election cycle where hackers caused trouble for political candidates. In 2008, alleged Chinese hackers broke into the campaigns of both Barack Obama and John McCain and took internal documents. In 2020, hackers briefly took over the website of Donald Trump’s campaign. Hackers reportedly targeted the campaigns of Trump and Joe Biden in otherways, too.

Kaiser said he worries about not only nation-state threats, but also hacktivists and cybercriminals.

“Money is changing hands, things are happening quickly,” Kaiser said. “It’s a good environment for cybercriminals.” In fact, hackers siphoned credit card information from donors to the National Republican Senatorial Committee in 2016.

Campaigns can be insecure for other reasons, too.

“Most of them have lots of third party kinds of help, whether it's data, fundraising, polling, digital ad buying, website building — they use a lot of other services that they don't do in-house,” Kaiser said. “So there's just a lot of vulnerable periphery around a lot of these campaigns, which is an obstacle because they don't control the security beyond their own campaign to a greater degree.”

The RNC said last year that hackers breached a third-party provider, for instance.

So what kind of help are campaigns getting from others?

“CISA offers no-cost technical assistance upon the request of federal and nonfederal entities, which can include political campaigns and partisan organizations,” Geoff Hale, director of CISA’s election security initiative, said in a written statement. “CISA provides such technical assistance, to include web application scanning and penetration testing, on a nonpartisan basis to help an entity reduce cyber risk to their systems and networks.”

Those services include free, voluntary vulnerability scanning.

The DNC regularly holds cybersecurity training sessions and provides resources to campaigns and state parties on best security practices.

  • “The DNC strongly advises Democratic campaigns, organizations, and staffers to follow our security checklist, which focuses on the simple things that make the most common attacks much harder, including guidance on securing devices, using a password manager and using strong two-factor authentication,” DNC spokesperson Elena Kuhn told me via email.
  • Democratic Congressional Campaign Committee spokesperson Nebeyatt Betre said via email: “The DCCC takes cybersecurity seriously and makes every effort to safeguard the committee and our campaigns' infrastructure.”
  • The RNC, both Senate campaign arms and the National Republican Congressional Committee didn’t respond to requests for comment.

It’s not entirely grim news for political campaign cybersecurity. Campaigns have grown increasingly aware of cyberthreats and receptive to doing something about them, Kaiser said.

As for this cycle, “it’s not too late,” Kaiser said. With less than two months until Election Day, “this is the moment that everybody should be worried about.”

The keys

U.S. government sanctions Iranian official after cyberattack on Albania

The sanctions announced Friday cover Iranian Intelligence Minister Esmail Khatib and his Ministry of Intelligence and Security (MOIS), the Treasury Department said. Hackers “sponsored by” Iran and the MOIS were behind a July cyberattack on government networks belonging to Albania, the Treasury Department said.

“Iran’s cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Treasury Undersecretary for Terrorism and Financial Intelligence Brian E. Nelson said. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.” 

Albania, a member of the NATO alliance, is still being targeted by hackers, officials said. This weekend, the country’s government had to turn off its Total Information Management System, which tracks people entering and leaving the country, CNN’s Sean Lyngaas reports. Albania’s Interior Ministry said the “same aggressors” behind the July cyberattack had carried it out, Lyngaas reports. The National Security Council condemned that cyberattack and said the U.S. government is “supporting” Albania's work to recover and mitigate in the wake of the cyberattack.

Iran has denied that it was responsible for the July cyberattack and blasted Albania’s decision to sever ties with the country over the cyberattack.

Israeli campaign manager is arrested for allegedly trying to bombard opponent with calls

Israeli officials arrested the campaign manager of former Israeli labor federation chief Ofer Eini after they apparently sent hundreds of thousands of text messages about payments they hadn’t made and directed them to call Eini's opponent’s headquarters, overloading them with messages, the Times of Israel’s Ash Obel reports.

“The manager was investigated by the police anti-corruption unit Lahav 433 after he allegedly spread fake text messages in an attempt to flood his opponent Arnon Bar-David’s campaign office with phone calls ahead of the elections for the leadership of the organization in May,” Obel writes. “In the election, Bar-David defeated Eini, winning 77.7 percent of the vote and the presidency of the Histadrut, which represents the majority of workers’ unions in Israel.”

The campaign manager was arrested “on suspicion of harassment using a telephone, [and] disrupting elections,” Israeli police said. Their investigation is ongoing, they added.

Industry report

Patreon security team layoffs cause backlash in creator community (CyberScoop)

Lawsuit filed against 49ers over ransomware attack that hacked identities of 20,000 (San Francisco Chronicle)

Government scan

CISA preps solicitation for public feedback on incident reporting rule (The Record)


  • Christel Schaldemose, a member of the European Parliament who is rapporteur for the Digital Services Act, discusses the DSA at an event hosted by the German Marshall Fund and Columbia’s School of International and Public Affairs today at noon.
  • Twitter whistleblower Peiter “Mudge” Zatko testifies before the Senate Judiciary Committee on Tuesday at 10 a.m.
  • Current and former executives at social media companies testify before the Senate Homeland Security Committee on Wednesday at 10 a.m.
  • A Senate Judiciary Committee panel holds a hearing on protecting Americans’ personal information from hostile foreign actors on Wednesday at 3:30 p.m.
  • The House Homeland Security Committee holds a hearing on the cybersecurity of industrial control systems on Thursday at 10 a.m. 

Secure log off

Thanks for reading. See you tomorrow.