It’s been six months since a presidential election roiled by Russian cyberattacks, and there’s little reason to think Donald Trump and Hillary Clinton will be the last U.S. candidates to face challenges from overseas hackers. Just last month, French President Emmanuel Macron won a close election despite being targeted for phishing attacks by Fancy Bear, the same Russian government-sponsored hacking group tied to last year’s infamous hack of the Democratic National Committee and Clinton’s campaign chairman John Podesta. (And that group has reportedly already moved on to stir up trouble in upcoming elections in Germany and the U.K.)
Cyberattacks have become the new normal in the cutthroat world of political warfare, obsessed over by commentators and candidates such as Clinton, who laid out her theory of Fancy Bear’s methodology during an interview at the Recode conference on Wednesday. In her remarks, she also blamed the DNC for its poor data operation and emphasized how important it is to understand how these cyberattacks were carried out in order to better defend ourselves against them in the future. At this point, the details of the phishing attacks on the DNC (and of the apparently failed attempt to hack the RNC’s servers) have been exhaustively described.
So, what have the DNC and RNC done to improve their cybersecurity? Both political parties have been understandably tight-lipped about their cybersecurity plans and any upgrades they’ve made since the election, although some cybersecurity experts with knowledge of their operations tell Fast Company that they’ve seen the DNC move much more aggressively than they have in the past, reaching out to Silicon Valley much more frequently for assistance with their efforts.
“Under the leadership of Tom Perez, we are rebuilding our party to meet the challenges of tomorrow, and that includes hiring a chief cybersecurity officer,” a DNC spokesperson said in an email to Fast Company. The spokesperson declined to comment on a timeline for hiring the security officer. CrowdStrike officials also declined to comment on the firm’s current relationship with the DNC.
The DNC had last year announced the creation of a cybersecurity advisory board following the disclosure of the hacks, but it has since shared little about the board’s activities or progress. Members of the board contacted by Fast Company referred inquiries back to the DNC.
Chris Finan, a former White House cybersecurity advisor who is now CEO of Bay Area security startup Manifold Technology, says he’s been impressed with the work DNC higher-ups have done so far on cybersecurity and preparing to combat fake news stories on social media, though he’s unable to share specifics.
“I have seen the DNC taking it quite seriously,” he says. “They’ve brought in some big names, some very prominent people, they’re coming out here to Silicon Valley at least once a quarter, probably more like once a month, to try to bring together a cross section of expertise, both from inside the Beltway–the policy community–but also across the tech and social media community.”
Similarly, a spokesperson for the Republican National Committee said simply that “the RNC takes cybersecurity seriously.” The RNC didn’t respond to subsequent inquiries from Fast Company seeking more detail.
During the 2016 election, Fancy Bear leaked internal DNC emails that suggested party insiders favored Hillary Clinton over Senator Bernie Sanders, her chief primary rival. The leaks led to the resignation of top party officials, including DNC chair Debbie Wasserman Schultz, shortly before the election. Clinton campaign chairman John Podesta was also the victim of a separate phishing attack, also linked to Fancy Bear, that led to the leak of about a decade’s worth of his email messages.
Russian hackers apparently also targeted Republican campaigns—Senator Lindsey Graham has said they breached his campaign systems, and a set of Republican campaign emails were leaked through a site linked to Fancy Bear. And while Trump has praised his party for avoiding hacks on the scale the Democrats saw, former FBI director James Comey has said “state-level campaigns” and “old domains of the RNC” were hacked using similar techniques. The Russian hackers, widely believed to have favored Trump’s candidacy, apparently didn’t release that material.
Without information from the party committees themselves, it’s difficult to say what steps they’ve since taken to improve digital security. Unlike some companies and government agencies that offer bug bounty programs where hackers are invited to probe their digital defenses, the two major parties don’t offer any public programs where experts can try to breach their systems without fear of prosecution.
But some security analysts have used publicly available information—data automatically delivered to anyone who accesses political sites or looks up information about them in public domain name databases—to partially assess the cyber practices of parties and particular candidates. Jonathan Lampe, the founder of political cybersecurity firm Cybertical, regularly scores political sites on factors like whether they serve pages through encrypted web connections, whether their content management software is up-to-date, and whether they show CMS usernames or allow password resets on publicly available pages. Taking a recent look at the sites of the two party committees with the help of an automated tool, Lampe gave both an “A” grade, saying they seem to have further locked down their security since the recent election.
“The national committees—it looks like they have definitely done some work very recently to clean up their act,” he says. “It definitely was post-election.”
And on a local level, candidates and local party organizations are increasingly turning to third-party providers to host and secure their digital platforms rather than attempting to manage them in-house, says Jim Gilliam, founder and CEO of NationBuilder. The Los Angeles company says its digital tools are the most-used political software in the world, with clients across the spectrum from California Governor Jerry Brown to former Senator Rick Santorum. The company offers protection against denial of service attacks, secure donation platforms, and database access controls to protect against insider attacks.
“There’s a lot of controls in NationBuilder to make it so someone can’t run away with someone’s email list,” Gilliam says.
Its scale and popularity help it offer security and reliability that smaller campaigns, in particular, previously found hard to achieve when setting up servers on their own, Gilliam says.
“Your nephew or your niece was the one who did that for you, and the quality was really low, and yet the demands were really high,” he says.
Some campaigns are moving to mainstream cloud providers like Google for email, and they, too, with their dedicated security departments, can almost always offer better safeguards than an in-house team, Gilliam says.
“A lot are still running their own servers, but there is definitely a move to things like Gmail, in particular,” he says.
Still, the types of attacks the Russian hackers seem to prefer to initially gain access to networks, using sophisticated phishing emails that trick users into willingly sharing their passwords rather than exploiting network security flaws, are often considered difficult to defend against. Even with workers trained to recognize the signs of phishing, it’s easy for someone to be tricked into clicking on a dodgy link on a hectic afternoon.
The attack that ensnared Podesta was reportedly facilitated by a typo in an email from an IT worker, who accidentally declared the email “legitimate” when he meant to say just the opposite.
“The bad guys use those [phishing attacks] because they’re really effective: The success rate is just so high with that,” says Michael Buratowski, senior vice president of cybersecurity services at Fidelis Cybersecurity, one of the firms which attributed the DNC hack to Fancy Bear.
It’s effectively impossible to test an organization’s vulnerability to phishing attacks without permission, since neither IT managers nor legal authorities are likely to take kindly to anyone sending unsolicited, fraudulent emails to test an organization’s defenses. So it’s difficult to know for certain how well-equipped either party now is to head off such attacks, which will almost inevitably be tried again in the future.
“Unequivocally, we will see these tactics used again—we’re already seeing it in Europe,” Finan says. “I think they’re going to be emboldened to be even more aggressive, because frankly this campaign succeeded beyond their wildest expectations.”
Yet the group’s latest ploy in France fell flat—partly because Emmanuel Macron’s party was prepared for such an assault. Fancy Bear attempted phishing attacks on Macron’s campaign throughout the election process, according to a recent report from security firm Trend Micro. One of its methods was to reportedly register domain names deceptively similar to those of Macron’s party, a technique that could be used to facilitate phishing attacks. The campaign reportedly took active steps to thwart phishing attempts, circulating warning lists of fake campaign-linked websites to staffers and even filling out forms on the bogus sites with fake credentials in an effort to slow down the hackers, according to a report in the Daily Beast.
A trove of apparently stolen Macron campaign documents was leaked shortly before the election, though it seemed to have little effect on election results, and it’s widely believed the hack was linked to the phishing attacks or to the Russian government.
“Even the average citizen might be impacted as Pawn Storm tries to manipulate people’s opinions about domestic and international affairs,” warned Trend Micro. “The group’s operations and methods might also serve as an example for other actors, who may copy tactics and repurpose them to fit their own objectives.”
At the same time, experts say, political campaigns can face particular security challenges as they rapidly add staff and volunteers during election cycles.
“Good security programs usually have the people, they have the technology, and they have established policies in them—it can take months and years for those programs to be built up and matured and made reliable and all that sorts of stuff,” says Matthew Gardiner, senior product marketing manager at email security firm Mimecast. “These campaigns are kind of like these temporarily assembled companies that more or less disband when the campaign’s over, which seem very likely to not have strong controls.”
Campaigns also require geographically dispersed workers to be able to share data, says Shawn Henry, chief security officer of CrowdStrike, a cybersecurity firm which worked with the DNC to investigate last year’s hacks. It’s just not practical to tell campaign workers they can only access their email from a locked-down computer in the office.
“Many of the individuals will likely be working from the field, outside of the VPN, using a variety of devices to access and share data,” Henry, also the president of CrowdStrike’s services division, wrote in an email to Fast Company. “Needless to say, as a result the risk exposure of the organization increases.”
Political organizations need to be ready to face unexpected attacks from well-funded spy organizations, which means they need digital tools to detect and stave off attacks—and policies designed to limit how much damage any successful attacks can do. That’s something the major parties are likely paying more attention to now, says Buratowski.
“I think that the DNC and the RNC probably have a bit more money to put into security measures in light of an event like this,” he says. “I would imagine there’s probably going to be a review of how they handle conversations and how long they retain data, along those lines.”
Ideally, the national party organizations should use their resources to take the lead on computer security matters, guiding local candidates and party groups in keeping their systems safe, says Finan.
“There is no sophistication at the sort of House district level and local levels among political operatives about security practices,” he says. “It’s not enough if the DNC and the RNC harden themselves if they’re not also passing knowledge, working with these campaigns early on to get them to think about and prioritize security.”