2020 Campaigns Remain Vulnerable as Signs of Russian Hackers Re-Emerge

But they are falling short in important areas, according to current and former U.S. officials, cybersecurity experts and people familiar with the operations of various campaigns. Those include an unwillingness to share information among campaigns about attempted hacks, regulations that prevent campaigns from accepting free or discounted security services, and technological advances that make deterring threats more difficult.

Already there are signs that the same foreign forces that targeted the Clinton campaign are resurfacing.

Microsoft
Corp.’s

threat intelligence team in recent months detected Russian attempts to hack U.S. think tanks, academics and nongovernmental organizations that may be involved in U.S. politics or become advisers to campaigns, said Tom Burt, Microsoft’s senior vice president of customer security and trust.

“We are seeing activity by the same Russian actors that we saw target 2016 and 2018,” Mr. Burt said.

The attempts, waged by a group known as Fancy Bear that is believed to have ties to Russia’s military intelligence, may be routine espionage, he said. But the actions resemble the ones Fancy Bear previously took when it sought to interfere in elections in the U.S. and Europe.

“They appear to start by doing that reconnaissance and espionage prior to the hacking of campaigns,” Mr. Burt said.

Mr. Trump said in an interview with ABC News on Wednesday that he wouldn’t consider it wrong to look at information gathered by a foreign country about his campaign rivals without alerting the Federal Bureau of Investigation. FBI Director Chris Wray told Congress last month that campaigns should report to his agency contact from foreign governments seeking to influence U.S. elections.

Mr. Trump, in the ABC interview, likened material from foreign governments to political-opposition research and said he might contact the FBI after listening to the information. “I think you can do both,” he said.

Critics said it amounted to an invitation to hostile governments to launch cyberattacks that might yield damaging information on his rivals’ campaigns. “The president gave us once again evidence that he does not know right from wrong…This is an invasion in our democracy,” House Speaker Nancy Pelosi said Thursday.

Senior U.S. intelligence officials have repeatedly warned that Russia and other hostile foreign powers remain intent on interfering in elections, including the 2020 presidential contest, and experts say the candidates and their campaigns remain an important—and likely the most vulnerable—target.

Campaigns also face new technologically advanced threats, especially on the disinformation front. Chief among them is so-called deepfake technology—the use artificial intelligence to create exceptionally realistic-looking fake videos of a person. The House Intelligence Committee held a hearing Thursday to discuss threats to democracy posed by deepfakes.

“I’m much more confident about where election officials have come since 2016 or 2018 than the campaigns,” said Joseph Lorenzo Hall, an election security expert and chief technologist at the nonprofit Center for Democracy and Technology, referring to the strides states and counties have taken to secure voting systems.

Many campaigns are reluctant to publicly discuss their cybersecurity efforts. The Wall Street Journal surveyed President Trump’s re-election campaign and the 23 major Democratic presidential campaigns.

More than half of the Democratic campaigns declined to substantively answer questions about their cybersecurity staff, engagement with federal agencies or use of best-security practices. Several cited concerns about disclosing specific information that could help malicious actors target them.

Of the 18 Democratic campaigns that did respond to the survey, seven, including those of some top-tier candidates, wouldn’t confirm whether they required multifactor authentication for their staff—the security feature Mr. Podesta lacked. It is viewed as a must-have for cybersecurity because it relies on more than a password, and typically involves a code sent to a user’s cellphone. Eleven said they did require the feature.

A spokesman for the Democratic National Committee said all campaigns it had “onboarded” with security training reported enabling two-factor authentication for email, but declined to say how many campaigns that included or whether the practice extended to other online uses, such as social-media accounts.

Mr. Trump’s campaign also declined to answer that question and others but said it took cybersecurity “very seriously.”

The campaign of Democrat Andrew Yang was one of the more forthcoming. A spokesman said it hired a cybersecurity advisory firm and has four employees working part time on cybersecurity. The campaign relies on multifactor authentication to log into accounts, deploys a password manager for software systems and requires new staff and volunteers undergo cybersecurity training before gaining access to campaign systems, among other measures.

All of the Democratic presidential campaigns that responded committed to not use hacked material. The Republican National Committee said any breach of political organizations, regardless of party, was an affront that should be prevented but it didn’t commit to refrain from using or promoting hacked information about an opponent. Mr. Trump’s campaign also declined to make the same commitment.

Publication of hacked or stolen material by media outlets is common and usually lawful, but it generally is a crime to solicit, encourage or participate in computer hacking.

Some security experts said campaigns had little reason not to be more open about their efforts. “Your best defense is the one you can tell your attackers about and still be secure,” Mr. Hall said. “To campaigns that are being very cagey: Everyone should be able to answer the question, ‘Are you using two-factor authentication?’”

Part of the challenge is the transitory nature of campaigns.

“The reason campaigns are so bad at cybersecurity is they are here one day and gone the next,” said Aaron Trujillo, former chief of staff of the Democratic Congressional Campaign Committee, who worked on security issues during the 2018 midterms. “There needs to be a person who has to wake up every single day with part of their mission being how they are going to address threats and mitigate damage if there is a breach.”

Campaigns also approach cybersecurity differently than companies, said Bob Lord, chief information security officer at the Democratic National Committee since 2018. When he was cybersecurity chief at

Yahoo

the company discovered two alleged Russian hacks of 500 million and three billion user accounts, respectively.

Unlike at a company, Mr. Lord said, his new role doesn’t give him the authority to mandate security protocols at campaigns. “They’re not remote offices, and I’m not headquarters,” he said. “I have to really work to influence and persuade and inspire.”

Another challenge is that campaigns are wary of running afoul of Federal Election Commission campaign-finance restrictions on accepting free or reduced cybersecurity services from businesses and some nonprofits. That has meant campaigns need to redirect dollars generally reserved for day-to-day operations to invest in security.

In a bid to stimulate information-sharing, Mr. Trujillo recommended that the federal government create a center through which campaigns and committees of both parties can send and receive online-threat data, akin to similar hubs used by the telecommunications and financial industries. “Right now, they don’t talk to each other,” he said.

Write to Dustin Volz at dustin.volz@wsj.com

Comments are closed.