Most Americans aren’t yet paying a lot of attention to the 2020 presidential campaign. The same can’t be said for Russian spies.
Aides and advisers to the vast field of Democratic hopefuls are ringing alarm bells, telling their bosses they should assume that Moscow is laying the groundwork to disrupt, if not derail, their campaigns, just as Russian intelligence did to Hillary Clinton’s in 2016.
But interviews with the campaigns show cyber security is a secondary concern, with most of the campaigns contacted by TIME say they have not “finalized” their tech plan or hired a security chief.
The biggest problem is money. Every campaign focuses vast amounts of effort raising money to compete on ground troops, ads and campaign offices in key locations. Spending precious cash on cyber tools, whose successful deployment results in a non-event, is hard to defend.
“There’s nothing sexy about it,” says Mike Sager, the chief technology officer at EMILY’s List, a group that works to elect women who support abortion rights. But, he says, “the folks who have been through it, who know what happens when you don’t do this, get it.”
Nobody disputes the threat. Russia’s larger goals remain the same as they were in 2016: making American democracy look bad. “It is about the legitimacy of democracy and about the trust people have in their democracy,” said Eric Rosenbach, a former Pentagon chief of staff who now heads Harvard’s Defending Digital Democracy program. “Unfortunately, there are a lot of different ways in the information age that bad actors and nefarious nation-states can undermine that.”
Cyber security officials say other countries, like China, Iran and North Korea, have shown the capability to meddle in U.S. elections as well.
Defending a campaign properly requires starting right at the launch. “You’re starting a business and you have to have all those little things: they need email addresses, phones, computers, payroll, video conferencing tools,” says Sager. “How that is started when you give out computers to everyone, there’s a lot of those decisions in the very, very beginning that have a very significant impact the further you go,” he says.
Harvard University’s Belfer Center in 2017 released what many campaigns consider the gold standard — if still aspirational — playbook for campaign cyber security that includes planning “in case your security is compromised,” almost resigning itself to that as an inevitability. The Democratic National Committee in February rolled out a one-page checklist for nascent campaigns to consider, from making sure software is updated every 30 days to having a cell phone password at least six characters long. In March, the DNC moved up a briefing for campaign staffs about email security after an analysis from security advocacy group Global Cyber Alliance reported just four of the 14 declared major candidates had secured email systems.
Many would like to hand the problem off to the government. But the feds have their hands full defending the physical vote; keeping tabs on the security of 20 early campaigns is a low priority. The Department of Homeland Security has turned aggressively toward protecting the integrity of state and local election infrastructure. Matthew Masterson, a senior adviser for the Department of Homeland Security‘s cybersecurity unit, has been in touch with states to build relationships that simply weren’t in place in 2016. Forty-six states are using DHS’ intrusion detection system, and it appears all of the states are heeding experts’ recommendations to use paper ballots.
But it’s the P.R. value of even one hack of a campaign that can outweigh the success of security measures elsewhere. “What I fear the most, and what I think is most likely to happen, is that there will be a hack in which one of these [foreign] intel agencies plants some information, pulls out enough information to make a bogus claim of fraud and then goes public with that in a way that is intended to undermine trust in the outcome of the election — even if there really wasn’t enough of an intrusion to change the outcome,” said Harvard’s Rosenbach.
Even as campaigns struggle to address the dangers of 2016, the threats are becoming more sophisticated.
The 2020 presidential race is likely to be known as the first deepfake race, in which highly realistic falsified videos can portray candidates as saying anything. Leaders have been warning of this reality for years. Sen. Mark Warner, the top Democrat on the Senate spy panel, last year used a turn keynoting a journalism award dinner to warn about the threats facing elections. Lawmakers have asked Director of National Intelligence Dan Coats to make this a priority. The Pentagon is funding research into the medium. And former NATO Secretary General Anders Fogh Rasmussen, who is leading a transatlantic coalition to defend Western elections, has been showing one real and two faked Trump videos to audiences to hammer home the potential danger of such deepfake videos.
“Foreign meddlers can amplify divisions in the country by raising divisive issues. Time and again we have seen that,” Rasmussen tells TIME. “It’s a never-ending struggle, and, I think, we should also be aware of the fact this is not a new thing. You saw exactly the same during the Cold War. But the technology has been developed so that now you have new communication tools.”
This deepfake threat, in part, explains why aides inside presidential campaigns have taken to recording every utterance of the candidates — if not themselves — during public appearances and interviews.
The same is true for emails. Whereas previous cycles’ inboxes were sometimes archived and sometimes not, the hacking of 2016 laid bare the importance of an internal archive. There was no easy way to verify which of the thousands of stolen emails posted on Wikileaks’ site were real and which may have been fabricated or altered. Outside advisers are urging candidates to establish firm document-retention policies and punish staffers who don’t comply.
And it’s not just work email accounts, either. Half of the spearphishing emails cited in the Special Counsel’s indictment of Russian hackers targeted campaign officials’ private accounts. So using a Gmail account will not spare high-profile campaign aides the trolls’ and bots’ persistence.
Not every campaign is defenseless, and many insist they’re preparing. Sen. Kamala Harris’ campaign team requires two-factor authentication for its staffers, who are also deploying encrypted messaging systems to add another layer of security.
But with everything moving so quickly inside campaigns, it is tempting to forego protocol and leave laptops open during that quick run to the kitchen.
“The problem is, because of campaign culture, security tends not to be top of mind,” says Dave Leichtman, who is both Microsoft’s Defending Democracy program director and the Democratic Party of Virginia’s vice chairman for tech. “They may actually be more vulnerable to these kinds of attacks because they’re not paying attention.”
The Russians, however, almost certainly are.