cyber security

Inside the Midterm Campaigns’ Fight to Ward Off Cyberattacks — Before It’s Too Late

A worker at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in Arlington, Virginia, on August 22, 2018. Photo: Cliff Owen/AP/REX/Shutterstock/Cliff Owen/AP/REX/Shutterstock

Melting in South Florida’s humidity, a young congressional campaign manager let his nerves show. Sitting across from a pair of visitors on a café patio, he widened his eyes when they asked if there was any tool he wished he had to help protect his campaign from cyberattacks. “I have no idea! I don’t even know what that would be, to be honest.”

Weeks away from Election Day, the operative’s fear is increasingly common — practically unavoidable in 2018, in fact. Midterm campaigns are entering the fall more anxious than ever about looming threats of email phishing, text hacking, and countless other ominous possibilities that could derail their hopes with the touch of a Muscovite button. And it’s becoming increasingly clear to many that they may just not be ready for what’s coming — or what’s already occurred.

The campaign manager leaned forward when asked to consider whether he would even know if his staff had been successfully phished. No idea, he admitted. He’d spoken with a security consultant about best practices months earlier, and made his employees communicate with an encrypted app. But he had little time to think about cybersecurity, and no one from his national party had yet given him much advice. “There’s no [plan],” he said. “You know, the plan is, ‘Don’t say stupid shit over emails.’” The pair across from him nodded. They were visitors from Jigsaw — a relatively obscure tech incubator working on digital vulnerabilities, owned by Google’s parent company Alphabet. They’d come to Florida to try to help.

Their offer was embraced in South Florida, where 2016 still stings: That summer, a promising Democratic House candidate’s campaign tanked after internal party research on her leaked as part of the broader Russian operation. Yet the fears of politicos in Miami and beyond are only intensifying with recent reports about Russian break-in attempts ahead of 2018’s voting. Just as Missouri Senator Claire McCaskill ramped up for her tough midterm reelection campaign, her Senate computer system faced a phishing attempt from the Russian intelligence agency behind the 2016 attacks. New Hampshire Senator Jeanne Shaheen said her staff also faced phishing attempts, and that a person impersonating a Latvian official tried calling her office to arrange a conversation about Russian sanctions and Ukraine. This summer a Microsoft exec said the corporation had already detected three Russian email hack attempts on 2018 candidates, and the DNC warned candidates not to use Chinese-made ZTE or Huawei phones.

Cyber attacks concentrated around voting have only gotten more popular, more sophisticated, and more widely distributed since November 2016. Nation-states are far from the only aggressors, and while hacked email leaks remain a popular tactic — Emmanuel Macron’s campaign emails were published two days before his election — they’re far from alone: A Tennessee county election-commission website displaying local election-night results was knocked offline by a distributed denial of service (DDoS) attack just this May. A semi-savvy internet user can buy and order up that kind of crippling attack for as little as $5.

In the United States there’s been limited progress in directing federal money to state officials to begin protecting their own systems, but each report about local election agencies stepping up their security is matched by another like the news that the White House in May eliminated the cybersecurity coordinator position on its National Security Council — or just last week blocked a Senate bill that would have stepped up federal measures against election interference. Some independent groups have tried stepping in to help candidates: Hillary Clinton’s campaign manager worked with Mitt Romney’s lead operative and a Harvard team to write a campaign security playbook. Still, campaigns themselves remain a tempting target for adversaries. They’re transient start-ups packed with overworked, hyper-busy, geographically scattered volunteers and contractors, and only on the rarest of occasions do they have security professionals at hand.

This is where the Jigsaw team has offered to step in, with its “Protect Your Election” project. The goal is to make a suite of tech tools to defend against attacks like DDoS and email phishing as accessible as possible for campaigns, political groups, independent news outlets, human rights groups working on elections, election workers, and activists. The effort launched abroad in 2017, as Ecuadorian news sites and journalists suffered attacks ahead of their presidential election. It’s grown. Part of the plan is to make it easy for participants to set up two-factor authentication on their systems, deterring phishing and other email hack attempts. Another is to protect websites against DDoS attacks that take their systems offline, like in Tennessee. The service is free, which, itself, is a significant step: DDoS protection can run around a quarter of a million dollars per year from most firms offering the service. Already, in March of 2017, digital attacks took out two major publicly funded voter-guide sites just as polls were about to open in the Netherlands. The Jigsaw team, including 60 Manhattan engineers, swooped in and migrated the sites to their own proprietary system — “Project Shield” — defending against such denial of service strikes, and restored them before the next morning’s Election Day. A year later, the team introduced a service, “Outline,” that allows users to create their own virtual private networks to circumvent prying eyes or blocks on information. In May, they started offering their services to all American political organizations.

Jigsaw wasn’t built to protect voting: It began in 2010 as Google Ideas, a think tank. After the presidential election, it began focusing on election protection. Now, with the target-rich midterms approaching, Jigsaw’s show is on the road. The group has spoken with over 10,000 people and trained hundreds of election officials on how to use the tech in recent months. It has handed out over 5,000 two-factor authentication security keys — small digital devices that affirm users’ identity — and it’s held trainings and meetings from Nicaragua to South Korea. Domestically, it’s deploying tools to users in nearly a dozen top-tier battleground states. The day before meeting with the campaign manager, a Jigsaw team assembled two dozen journalists at the Miami Herald’s headquarters for their own wake-up call–cumtutorial.

Still, with great concern comes great skepticism about those offering cybersecurity solutions. Much of political pros’ wariness stems from the lack of a centralized, independent, or government-driven program to help. And given Donald Trump’s reluctance to embrace the conclusion that Russia targeted 2016’s race, experts no longer consider Washington reliable.

“Government is part of the solution, and is obviously necessary, but is insufficient,” James Stavridis, the former NATO supreme allied commander, said. “While there must be government insight into any private-sector cybersecurity effort, we are not going to solve this challenge by relying on government, which is too slow, hide-bound, and relentlessly shoots behind the target on all things cyber.”

Not that tech firms have much of a political reputation to brag about. When Dan Keyserling, a senior Jigsaw executive, said, wryly, “We’re from the tech sector, and we’re here to help,” the Florida operative eyed him and Jamie Albers, the Jigsaw marketing chief who runs the Protect Your Election project, and shot back: “I don’t know if those words are comforting or not anymore.”

Post-2016, Facebook and Twitter are still struggling to restore trust. Google has not been widely blamed for any part of the mess, but Jigsaw’s protection push, and attempt to win over political pros, is still no simple maneuver for a corporation that relies so heavily on user data just as the technology industry’s overall credibility tanks in D.C. Election officials and other experts who’ve worked to secure campaigns are skeptical of much of tech companies’ work these days, dismissing the bulk of it as either well-intentioned but piecemeal, or mere PR. And it’s the notion of corporate altruism that most often stops other cybersecurity pros and campaign workers short with the obvious question: What’s in it for Alphabet?

“Most of what we do is given away for free,” says Jigsaw CEO Jared Cohen, a former State Department veteran. “So that kind of answers that question.” It is true that defending these organizations gives Alphabet, and Google, more data for studying the threats they each face, Jigsaw officials readily concede. Centering their work around voting is as much about protecting democracies as it is about examining potential dangers, Cohen said: “Elections are a predictable context, but they’re also, as a result, typically target practice for adversaries to pop their head up and show their best stuff.”

It’s that stuff that’s worrying. “Based on what I’ve told you, are we really vulnerable?” asked the campaign manager, clearly expecting a yes. He was taking the right steps by updating his software and using two-factor authentication, Keyserling told him. But it’s a hard question to answer, he said. The strategist looked relieved. The Jigsaw team didn’t. Something new is always coming. Even if campaigns internalize 2016’s lessons, they’re still likely behind on preempting the next round of threats.

“We did 11 elections last year all over the world, and that’s great. But I asked the question: What else can we be doing. And the two dates that everybody is going to be fixated on is May of 2019, which is the European parliamentary elections, and November 2020, the U.S. presidential election. Those are elections where you know that attempts are going to be made,” Cohen said. “They’re going to do it with, you know, 2019 tools. Not 2016 tools.”

Inside the Midterm Campaigns’ Fight to Prevent Cyber Attacks