To Shauna Daly, a veteran Democratic operative, the idea seemed like an obvious answer to an urgent problem in the months after the 2016 election: a new nonprofit that could help campaigns guard against hacks and share critical threat intelligence.
At the time, US officials were detailing the extent to which Russians had launched a series of massive cyberattacks across the party. Operatives who’d lived through the hacks looked back on 2016 as a traumatic event: Hillary Clinton’s campaign chair, John Podesta, saw a decade’s worth of personal emails exposed. At the Democratic National Committee, staffers became scared and paranoid. The office was swept for bugs. Next door, at the Democratic Congressional Campaign Committee — the arm of the party tasked with electing House candidates — officials spent the final three months of the election in a state of blind panic, with nothing to do but wait as Russian hackers operating as “Guccifer 2.0” leaked a new cache of stolen documents every few days.
So last year, when Daly and her cofounder launched the Progressive Security Corps, they believed donors and campaigns would see cybersecurity as a top priority.
“It just turned out that that wasn't really the case,” she said in an interview.
Not only has Daly, a former research director at the DNC, been unable to secure funding for the project — she’s had trouble generating interest at all. At panel discussions on the topic of cybersecurity and campaigns, she said, “turnout is low — and it’s a self-selected group of people who come. Unless people are really interested in it, they don’t come.”
Seven months from the next election, US officials agree that hackers pose an imminent threat to 2018 campaigns. And yet Daly and other concerned operatives see a troubling pattern across the Democratic Party: While some campaigns have taken steps to shore up their security, far too many simply don’t care enough to meaningfully change their practices. And, even more alarming to some, there’s been no hardline effort by party committees like the DCCC to enforce their own recommendations on cybersecurity.
“How do you get people to be interested?” asked Daly. “You force them.”
Last June, the DCCC became the first known party entity to use Wickr, a secure workplace messaging software offering end-to-end encryption, a technology meant to make messages indecipherable to any third party. Officials there said they would also be extending Wickr to the staff and consultants on some of its most competitive races, a group of incumbent Democrats known as the DCCC’s 2018 “Frontline Members.”
But when contacted, a number of those Frontline campaigns said they don’t have access to Wickr, or aren’t using it. Democrats in other House races, from incumbents to primary candidates, said they haven’t received cybersecurity guidance from the DCCC. Across the board, operatives said, staffers and consultants still rely heavily on email.
“We haven’t gotten that access, as far as I’m aware. I’m not on Wickr myself,” said Tess Whittlesey, a spokesperson for one of the DCCC’s Frontline candidates, Salud Carbajal, up for reelection in California’s 24th District. “So far we haven’t jumped to Wickr.”
Richard Ojeda, the populist candidate running in West Virginia’s 3rd District with little party support, said his campaign hasn’t “heard anything concerning cybersecurity” from the DCCC. The same was true for far more prominent candidates like Rep. Eric Swalwell in California. A spokesperson said that Swalwell has taken his own steps to secure his campaign operation, but has “not received any particular direction from the DCCC.”
A DCCC official said that the organization did advise Frontline candidates to sign up for Wickr last year, but that campaigns are free to use other vendors. The committee also offered a voluntary cybersecurity briefing for candidates. In that briefing, the official said, the DCCC laid out a number of recommendations on cybersecurity practices.
“Ultimately it is up to their campaign to adopt and enforce these recommendations,” the DCCC official said.
The tricky matter of enforcement raises a string of open questions heading into the 2018 midterms: Are party committees responsible for the security of their campaigns? (In the case of the DCCC, that means a decentralized universe of hundreds of House races — but that leaves aside campaigns for Senate, governor, attorney general, and state legislatures.) And can any party entity really compel a campaign to abide by certain rules or standards? (Some operatives who work on independent expenditure groups — PACs that operate in tandem with but separately from the party — have discussed writing provisions about secure technology, such as Wickr, into vendor contracts.)
“It’s distressing to me that we’re seeing people make many of the same mistakes now that resulted in the theft of a lot of information in 2016,” said Hillary Clinton’s former campaign manager, Robby Mook, who, after witnessing foreign-sponsored hacks at close range, helped found Defending Digital Democracy, a bipartisan cybersecurity project at Harvard, alongside Mitt Romney’s 2012 campaign manager Matt Rhoades.
“One organization being well-protected is nice, but the goal is to get everybody,” said Daly. “It's just a very wide range at this point. Some are taking things very seriously, but tons of individuals, campaigns, and organizations have done little or nothing.”
Another Democratic operative put it this way: “Candidates are either very concerned about it, or they haven’t even asked about it — and there’s nothing in between.”
When Raffi Krikorian arrived in Washington as the DNC’s new chief technology officer, the Silicon Valley engineer said the party needed a sweeping “culture change” around cybersecurity: “It has to be part of on-boarding,” he said last fall, six weeks into his first job in politics, “part of every conversation, every time we have a meeting.”
Enforcing that “culture change” becomes an inherently difficult task in politics, where campaigns can begin as small shoestring operations, run from a single email account, before growing quickly into a vast and shifting web of staffers, consultants, and volunteers — all communicating daily, all across different mediums. For campaign managers, if cybersecurity is a priority at all, it can quickly fall to the bottom of the list.
“It does continue to be a challenge to get people to spend a little bit of time and focus on this,” said Mook, the Defending Digital Democracy cofounder. “And I’m incredibly sympathetic to campaign managers who feel like they have way too much else going on to worry about this and that there are just simply bigger priorities. I’ve obviously been there myself.”
Last year, Mook was among a small group of operatives who helped introduce Wickr’s CEO, Joel Wallenstrom, to political players in Washington. After 2016, Mook said, there was an “enormous amount of interest in the tech sector to be helpful,” a sentiment that helped draw tech figures like Krikorian, formerly of Uber and Twitter, and Bob Lord, who joined the DNC as chief security officer after leading the same division at Yahoo.
On the political side, the response remains far more uneven.
Earlier this month, at the DNC’s annual winter meeting in Washington, Lord hosted a cybersecurity briefing for attendees. Before the presentation, party officials were seen scanning the halls of the Marriott Wardman Park Hotel, trying to convince more people to attend. “We need you!” one staffer said, running up to a guest. “We need bodies.”
At Wickr, the San Francisco–based encryption software company, officials are attempting to bridge the political and security worlds. By their own estimates, they are working with Democrats and Republicans in about 10% of House races and 50% of Senate races. They say about 70 consultants are using their software so far, including at Democratic firms like Global Strategy Group and PACs such as House Majority.
The company recently hired Audra Grassia, an operative with extensive experience across the Democratic Party, to help lead its efforts in politics and government.
Wallenstrom, the CEO, said he believes campaigns are now moving from the “planning stage” to thinking more seriously about “execution.” But there’s no doubt that political operatives, candidates, and lawmakers are still working to grasp the basics of security. (Wallenstrom says that in meetings on Capitol Hill, he still gets questions about the company’s work on voting machines — a separate threat to the security of elections that has nothing to do with what campaigns can do to protect their communications.)
“What I’ve been encountering is people don’t understand the issue very well,” said Mook. “They just have a lot of other things going on. But what I’ve been trying to tell people is it’s there — the threat is there — and ignoring it isn’t going to make it go away.”
That there isn’t more urgency among political operatives about the threat of another cyberattack has been bewildering for some watching from the outside.
“Hacking and leaking was probably the single most potent weapon during the campaign,” said Ben Nimmo, an information defense fellow at the Atlantic Council.
“I used to be a press officer. Can you imagine being a press officer for the Clinton campaign? Waking up every morning for the month before the election and the first thing you see is, ‘Here’s what WikiLeaks just leaked from your campaign.’ Every day, for a month. There’s no way you can generate a positive narrative or get something going when the first thing you’re doing every morning is firefighting. You can’t do it.”
For the majority of US officials, there’s no doubt that the Russian government hacked Democratic candidates and leaked their files to hurt the party’s chances in 2016. There’s also little doubt that they’ll be back, at least in some capacity, ahead of 2018.
In January 2017, a rare declassified joint report from the top US intelligence agencies declared that Russia’s foreign military intelligence agency, the GRU, had, on orders from President Vladimir Putin, broken into the email accounts of Democratic officials in March 2016. Those files leaked online in ensuing months through several channels, including the Guccifer 2.0 persona, who leaked candidates’ opposition research files stolen from the DCCC.
Researchers who track GRU hackers say they regularly target politicians and candidates. At ThreatConnect, a cybersecurity firm, private threat intelligence researchers say they’ve discovered phishing campaigns against French President Emmanuel Macron’s campaign, Turkey’s Justice and Development Party, and the German Free Party.
Toni Gidwani, ThreatConnect’s director of research operations, said she was unaware of a campaign against a political party in which the group was unable to get at least one person to fall for a fraudulent email. “Phishing works,” Gidwani said, as does figuring out when an employee reuses the same password they’d previously set for an older, already compromised account. “They don’t have to use malware to get in,” she said.
US officials expect that Russia, in particular, could strike again.
“Russia is likely to continue to pursue even more aggressive cyberattacks,” Trump’s Director of National Intelligence, Dan Coats, testified this month. “Russia perceives its past efforts as successful and views the 2018 US midterm elections as a potential target.”
“President Putin has clearly come to the conclusion there’s little price to pay here, and that therefore [he] can continue this activity,” Adm. Mike Rogers, the director of the NSA and head of US Cyber Command, said in Senate testimony last month. “Everything both as a director of NSA and what I see on the Cyber Command side leads me to believe that if we don’t change the dynamic here this is going to continue, and 2016 won’t be viewed as something isolated. This is something that will be sustained over time.”
About a month before he was fired, former secretary of state Rex Tillerson warned that the US still wasn’t prepared to ward off Russian election meddling. “If it's their intention to interfere, they're going to do that,” he said in an interview with Fox News.
This month, the Treasury Department issued sanctions against a number of Russians, including members of the GRU, which the agency described as “directly involved in interfering in the 2016 US elections through cyber-enabled activities.” It’s not clear if that will deter future attacks. In a statement, California Democrat Adam Schiff said the sanctions were “a grievous disappointment” and “fall far short of what is needed to respond to that attack on our democracy.” Texas Republican Will Hurd said the sanctions were “an important first step, but we must continue to demonstrate to Vladimir Putin, and other bad actors, that America won’t tolerate this behavior.”
And the concern isn’t limited to just the GRU. The group is known for being particularly noisy and “one of the most active adversaries,” said Adam Meyers, a researcher in the intelligence division at CrowdStrike, the firm hired to protect the DNC. But, Meyers added, “it is equally likely that it is one of the more visible ones” — and that other effective state-sponsored hackers simply make hiding their tracks more of a priority.
Already this year, Democrats have noticed signs of suspicious activity.
Officials at EMILY’s List, a prominent liberal group that aims to recruit and elect pro–abortion rights women, were recently notified of a spoof account for the organization on Facebook. Earlier this month, Democrats flagged a phishing email addressed from a fake DNC account for Luis Miranda, an official who had his emails stolen in the 2016 hack and is no longer working at the DNC. In North Carolina, a congressional candidate, Democrat Linda Coleman, said that Russians had purchased the domain for one of her old campaign websites. And in Tennessee, in what security experts have described as perhaps the most troubling development so far, the leading Democratic candidate for Senate, Phil Bredesen, alerted the FBI that he had received emails from an account posing as the campaign’s media buyer. The sender knew the dates of a planned ad buy, leading Bredesen aides to believe that hackers had infiltrated their campaign.
Since early March, when Bredesen’s letter to the FBI became public, officials at Wickr said they’ve seen a slight uptick in interest and concern from political campaigns.
“My Wickr and my inbox have blown up, very similar to what happens when there's a breach in the corporate world,” said Wallenstrom, who became Wickr’s CEO in 2016. “The thing that was number five on the to-do list suddenly becomes number two or one.”
“Operationally there's a little more urgency now.”
The lack of guidance and enforcement from entities like the DCCC highlights a fundamental difficulty for private American organizations targeted by sophisticated and malicious foreign hackers: Who, exactly, is responsible for keeping them safe?
“Decades ago, as a matter of public policy, we made a decision that because the internet is free and open and belongs to everybody — and in this country is provided as a service by private companies — that people are going to by and large defend themselves,” said Michael Sulmeyer, a former policy director at the Department of Defense now serving as the director of the Harvard Belfer Center’s Cyber Security Project. “We’re now getting to a point where we want to look at who is accountable for protecting the masses.”
There’s no government agency directly tasked with guarding Americans from hackers, though the FBI often works as a clearinghouse for intelligence on cyberattacks, sending alerts to Americans it sees being targeted. In 2015, the FBI tried to notify the DNC about possible Russian activity, but a miscommunication meant its warning wasn’t heeded.
“The FBI continues to coordinate with federal and state partners not only on what transpired in 2016, but looking forward to what may come in the 2018 election cycle,” an agency spokesperson said.
At Harvard, the political operatives and tech leaders behind Defending Digital Democracy hope to position the group as a centralized resource for campaigns — and eventually, as a first-of-its-kind “information sharing” network where Democrats and Republicans can exchange threat intelligence. “Our goal is to build an information-sharing organization that includes political parties, campaigns, state and local election officials, and tech companies,” Alex Stamos, Facebook’s chief security officer and a member of Defending Digital Democracy’s advisory board, told Gizmodo last summer. (Stamos will leave Facebook later this year amid questions about the company’s role in the 2016 election, according to the New York Times.)
So far, Democrats and Republicans have resisted any collaboration on cybersecurity.
In 2016, the DCCC criticized its Republican counterpart, the National Republican Congressional Committee, for using a hacked document in a digital attack ad. After the election, when the DCCC proposed a joint initiative to guard against cyberattacks, the NRCC responded by dismissing the idea as a “stunt.” And as Democrats spoke publicly about their move to Wickr, Republicans made a point of keeping quiet — even as they adopted similar security measures. “The first rule of effective cybersecurity is not bragging about your cybersecurity procedures,” NRCC spokesperson Jesse Hunt said last year. “Clearly the DCCC believes cybersecurity is merely a public relations issue.”
For operatives like Daly, there are more immediate and basic concerns: a lack of interest, a lack of urgency, a lack of enforcement. “Obviously we'd like 2018 to be a practice run for 2020,” she said. “It just matters if there's buy-in at the top.”
Daly is still speaking about cybersecurity at conferences. But her audiences are still self-selecting. And her nonprofit, the Progressive Security Corps, is still struggling to attract enough funding and engagement to make the project a full-time endeavor.
The reality, she said, is “I need to go find a job, because I can't do just this.”
Adam Meyers' name was misspelled in an earlier version of this post.