National Security

Candidates hit snooze button on hacker threat, saying defending cyberattacks is hard

Supporters of Sen. Bernie Sanders protest outside the Democratic National Convention a day after emails presumably stolen from the DNC were posted to the website Wikileaks.
Supporters of Sen. Bernie Sanders protest outside the Democratic National Convention a day after emails presumably stolen from the DNC were posted to the website Wikileaks. AP

With some 40 days remaining to the crucial midterm elections, signs of digital meddling in campaigns are mounting. But most candidates have spent little or nothing on cybersecurity, and say it’s too hard and expensive to focus on hacking threats with all the other demands of running for office.

Only six candidates for U.S. House and Senate spent more than $1,000 on cybersecurity through the most recent Federal Election Commission filing period.

Yet those who monitor intrusions and digital mayhem say hackers are active. And various reports cite at least three candidates still in races or ousted in primaries were suffering attempted breaches of their campaigns.

“We get things literally every day to my team … to investigate everything from phishing attacks to ‘We think our data was breached’ to ‘We think there was a denial of service attack’ to ‘Someone’s listening on our cell phones.’ So we get, like, the whole range of things every single day,” said Raffi Krikorian, chief technology officer for the Democratic National Committee, the party’s governing body.

Krikorian wouldn’t provide further details of the meddling or say where the hacking originated. But the subject matter is a sensitive one, given that the DNC and the losing campaign of Democratic nominee Hillary Clinton were the victims of cyberattacks by Russian hackers who were trying to help Donald Trump win the presidency.

Even candidates deeply schooled in cybersecurity said the intense 24/7 nature of campaigning leaves them little time to raise money and buy technology to secure their cell phones, email networks and computers.

Jay Hulings , who ran for a U.S. House seat in West Texas’s 23rd Congressoinal District, knew that cybersecurity was important. Hulings had been a federal prosecutor and general counsel to the House intelligence committee, privy to classified secrets.

When Hulings mounted his campaign, he told his bare-bones staff to communicate through Signal, an encrypted messaging app, and avoid using email. Then reality sunk in. The staff expanded and the pace quickened.

“Raising money is hard, and you have to spend it on signs and staff and TV ads and radio and all the typical campaign things. So I don’t think we spent anything on cybersecurity,” he said, explaining how his staff eventually started using Gmail.

“You’re taking 22- and 23-year olds who are just doing something fun before they go to grad school. You don’t have time to train,” Hulings recalled.

In some cases, candidates downplay the likelihood that they could be targeted by Chinese, Russian or other foreign hackers.

“Most campaigns are not going to have a highly sophisticated foreign entity trying to hack into your campaign network unless you are a U.S. senator. On the House side, there’s too many to deal with unless it’s very high profile,” said Rep. Barry Loudermilk, a Georgia Republican who has an information technology background.

But Russian trolls did get involved in local Florida protests about a natural gas pipeline from Alabama to Florida., encouraging people through fake accounts on social media to get involved.

Rep. Jim Langevin, a Rhode Island Democrat who co-founded the congressional cybersecurity caucus, said the threat from hackers is everpresent and growing: “There are only those people who have been hacked and those people who don’t realize they’ve been hacked.”

Director of National Intelligence Dan Coats cautioned in mid-July that “the warning lights are blinking red again” over possible foreign intrusions and that Russian hackers are undertaking “aggressive attempts to manipulate social media” around midterm campaigns.

Around the same time, Microsoft said it had detected and helped the U.S. government thwart hacking attempts against three congressional candidates without identifying them.

Since then, Sen. Claire McCaskill, a Missouri Democrat in a tough re-election battle, reported that Russians attempted unsuccessfully to hack her Senate computer network.

The FBI is investigating possible hacks of at least two California House races, including sustained cyberattacks against Hans Keirstead, a Democrat seeking to unseat Rep. Dana Rohrabacher, a 15-term Republican and an ardent supporter of Russia, news reports say.. Keirstead came in third in a “top two” June 5 primary, trailing the No. 2 candidate by 125 votes.

Another Democratic congressional candidate in Southern California, David Min, was hacked prior to his defeat in an early June primary, Reuters reported Aug. 17, citing three unnamed sources. Min’s spokeswoman, Paige Hutchinson, declined comment.

Candidates are loath to acknowledge a breach publicly.

“Everybody is very passionate about staying out of the news,” said Patrick Sullivan, global director of security strategy at Akamai Technologies, a Massachusetts cloud service provider that is one of a handful of high-tech companies offering free services to candidates. “That’s kind of the phrase we hear a lot. … They don’t want there to be reporting on something going wrong.”

Another high-tech executive said many candidates simply ignore the peril of hackers even as the two major parties spend heavily.

“Everyone’s hit the snooze button,” said Theresa Payton, chief executive of Fortalice, a Charlotte, North Carolina cybersecurity firm, and a former White House information technology official.

The Republican and Democratic parties have spent sizable sums on cybersecurity, according to Federal Election Commission data through the quarter that ended June 30, the most recent period for which data is available. Those funds are largely for services to protect national databases rather than to protect individual candidates.

Crowdstrike, a cybersecurity company that traced the 2016 hack of the DNC to two Russian government hacking groups, helping to set off the sprawling federal probe into Russian meddling in U.S. politics, is by far the largest recipient of campaign spending. According to the most recent filings, Crowdstrike had earned $500,000 from the Democratic Congressional Campaign Committee and won a more than $146,000 in contracts with the Democratic National Committee. The Sunnyvale, California, firm also won nearly $120,00 in contracts with the National Republican Congressional Committee.

Another firm with business with the committees is Guidepoint Security LLC, of Herndon, Virginia, which won more than $280,000 of business from the NRCC and more than $135,000 with the DNC.

A small Pittsburgh, Pennsylvania, cybersecurity firm, Wombat Security Technologies, did more than $13,000 in business with the DNC.

None of those firms immediately responded to queries about their services.

Fortalice, the Charlotte firm, won nearly $100,000 worth of business from the RNC.

“You need to set aside about $15,000 to do just the basics,” Payton said. “If you want to do some pretty decent stuff, not cutting edge, not leading edge, not having cyber ninjas 24 by 7, the next tier of spending needs to be sort of the $25,000 to $50,000 range.”

That amount will buy a candidate some cybersecurity monitoring tools, techies to set them up, warning systems for email coming from outside the campaign and some basic training of staff to avoid routinely clicking on links or email that might contain malware, she said.

According to McClatchy review of FEC data, the two candidates who have spent the most on cybersecurity are Mitt Romney in Utah and John Kingston in Massachusetts, both Republicans running for Senate seats. Kingston spent about $38,000 with a small Lexington firm, Techtonic, while Romney splashed out more than $34,00 with Braintrace, a larger firm in Salt Lake City.

Only four other politicians registered cybersecurity spending with the FEC. Sen. Kirsten Gillibrand, the junior Democratic senator from New York, spent more than $31,000 with Guidepoint Security. A Democrat seeking a House seat in North Carolina, Dan McCready, spent $2,000 with Fortalice and another nearly $20,000 for “legal services and cybersecurity” with Robinson Bradshaw, a North Carolina law firm.

Phil Bredesen, a former Democratic governor of Tennessee now running for the Senate, spent more than $15,000 with Crowdstrike. Hawaii’s senior senator, Democrat Brian Schatz, spent more than $2,000 with Fortalice.

A handful of other politicians reported cybersecurity spending of under $1,000.

Whether candidates receive cybersecurity assistance in other ways unaccounted for by FEC rules is not clear. Their campaigns are by law separate from their offices, if they are incumbents. Nor is it clear which candidates may have received free assistance from a growing list of companies offering some services free. Those companies include Google, Cylance, Synack and Cloudflare.

Even if election day arrives without another major incident, one cyber researcher said hackers could have embedded surveillance tools in U.S. political campaigns without getting detected.

The lack of serious U.S. reprisals against Russia for its 2016 election hacking will “embolden” hackers from other nations to follow the Russian playbook to try to “influence outcomes in a similar fashion,” said Mounir Hahad, a seasoned expert and head of threat labs at Juniper Networks in Sunnyvale, California.

He said foreign hackers may “just ratchet it down one level, potentially go after Congress,” focus on districts that may have “a lot of sway in international affairs,“ and remain buried in the networks of U.S. politicians for the long term.

“They can stay there for years and go potentially unnoticed,” Hahad said.

Ben Wieder,202-383-6125, @benbwieder
TimJohnson, 202-383-6028, @timjohnson4