Campaign cybersecurity poses next major challenge for federal election officials

Federal officials say they want to help political campaigns guard against against cyberattacks, but are struggling to figure out how.

Election officials said this week that while much of the attention since 2016 has focused on protecting voting systems, campaigns remain highly susceptible to cyber intrusions. However, those same officials have no means of directly communicating with the hundreds, if not thousands, of candidates about how best to address cyber threats.

{mosads}Robert Kolasky, director of the Department of Homeland Security’s (DHS) National Risk Management Center, said DHS has resorted to contacting the Republican and Democratic national committees to try to reach campaigns. And even then federal officials aren’t able to reach everyone.

Few campaigns reach out to DHS about cybersecurity issues, Kolasky told reporters on Tuesday, adding that candidates are more likely to contact the FBI or their national committees when they notice something has gone wrong.

He said that after the midterms he hopes lawmakers, officials and the political parties can figure out a better way to communicate when it comes to making sure campaigns have stronger protections against cyberattacks.

“Competitors work together on security, they don’t compete on security,” Kolasky said after an event at the Center for Strategic and International Studies (CSIS). “I’d like the department and campaigns to work together on security, work with the government, and not compete on security.”

Groups like the Belfer Center at Harvard University have offered guidance to campaigns on how to beef up their cybersecurity, while private firms have offered free resources to campaigns in recent months.

Microsoft provides free cybersecurity software to campaigns, as well as nonpartisan groups like think tanks, and other companies have offered similar resources at no cost.

John Gilligan, the CEO of the Center for Internet Security, said his group is starting to talk with campaigns about how they can offer support ahead of the 2020 elections.

Gilligan, speaking at the CSIS event, compared campaigns to “pick-up games.” A candidate will decide to run and quickly hire staffers to start the operation, he said, but those workers generally don’t include IT professionals or cybersecurity experts.

He said that after the midterms, his group will be among those “focused on seeing what we can do to help.”

“So we’re really starting an outreach effort now,” Gilligan said.

Still, the lack of institutionalized resources has been underscored in attacks on smaller campaigns, which generally lack the means or the know-how to tackle cyber threats.

Three Democratic candidates in California were victims of cyberattacks shortly before they lost their primaries, and all three attacks could have been prevented with basic security measures.

Jeanette Manfra, the chief cybersecurity official at DHS, said campaigns are more likely to push all of their resources toward getting their candidate elected, rather than focus funds on a relatively new area like cybersecurity.

“So how do you work to make sure that they have what they need from the security side?” she said after an event at the Carnegie Endowment for International Peace in Washington.

DHS and the FBI aren’t the only federal agencies charged with supporting elections. The Election Assistance Commission (EAC), created by the Help America Vote Act of 2002, also plays a role.

But for the time being, EAC’s hands are largely tied when it comes to finding a solution on campaign cybersecurity, according to Executive Direct Brian Newby. The commission has only two commissioners — one short of a quorum — meaning it can’t fully operate until at least one more member is confirmed by the Senate.

President Trump has tapped two nominees for the commission: Donald Palmer in July, and Brandon Halverson earlier this month. Both are awaiting action by the Senate Rules and Administration Committee.

Katie Boyd, a spokesperson for Committee Chairman Roy Blunt (R-Mo.), said the panel has no immediate plans to vote on the nominees.

Newby said that if both nominees are approved by the Senate this year, the EAC will have four commissioners for the first time in roughly eight years.

“I think overall, the idea of what we can do to address campaign issues, other issues, I think will get a big boost when that occurs,” he said at Tuesday’s CSIS event.

But even if one of the nominees is confirmed, it’s unclear what role the agency would play in supporting campaign cybersecurity.

When campaigns fall victim to a cyberattack, they generally report it to their national party committee or organizations who in turn notify the FBI or other federal agencies.

A Republican National Committee (RNC) spokesperson told The Hill that the RNC has offered trainings on best security practices for staff and outside groups, and that it has hosted seminars and briefings to state party officials and campaigns on how to protect their systems from cyber threats.

The party also had DHS experts talk to the committee about cyber issues during the RNC’s annual meeting this summer.

At the DNC, chief security officer Bob Lord told The Hill that the committee has been having “low level” conversations with outside groups about how better to provide cybersecurity support to campaigns.

He said that after next week’s elections the DNC and other groups will figure out which areas they need to improve on and create a playbook for the 2020 elections. From there, he said, private and public groups are going to have to work together to come up with a solution to ensure campaigns are better protected from cyberattacks.

“There’s no one organization that’s going to be able to save the day,” Lord said.