One of the Democratic presidential campaigns that made its cybersecurity commitment a public priority has lost its in-house chief information security officer as hacking threats to campaigns and groups are increasing.
On Wednesday, news broke that the chief information security officer for Pete Buttigieg’s presidential campaign had resigned last month “due to differences with campaign leadership over how to manage information security,” according to a report.
Mick Baccio, who was President Obama’s chief of White House Threat Intelligence, had been hired last summer, generating publicity for the Buttigieg camp, as he was the first 2020 presidential candidate to hire an in-house CISO.
The shakeup comes as experts are once again sounding the alarm for political practitioners after news of a successful phishing attack against Burisma Holdings and renewed conflict with Iran.
Iran has been identified by experts as a foreign adversary that is “fully invested” in hacking 2020 campaigns.
In the wake of the U.S. killing of Iranian Maj. Gen. Qassem Soleimani, Iran could increase its hacking attempts, according to Joseph Drissel, co-founder of US CyberDome, a 501(c)(4) organization launched after the FEC gave Defending Digital Campaigns the green light last year to provide free or reduced-cost cybersecurity to federal candidates and national party committees.
Under that advisory opinion, US CyberDome said it wants to provide “cybersecurity at no cost to political parties, elected officials and candidates across party lines.” The group also plans to work with think tanks.
“Do we think there’ll be an increase in activity, yes,” Drissel told C&E. “The whole [political] community needs to understand that they have been brought into a new phase in their existence. They are now on the frontlines. They are now publicly known to be a target of value.”
The target list stretches beyond just campaigns to any organization with politically sensitive information. To wit, last November hackers from the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) used a successful phishing attack to obtain the “email credentials of employees” at subsidiaries of Burisma, the Ukrainian natural gas company where Joe Biden's son, Hunter, served as a board member.
That incident was reported Monday by Area 1, which offers its anti-phishing services to campaigns and groups at a discounted rate. “The timing of the GRU’s campaign in relation to the 2020 U.S. elections raises the spectre [sic] that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 U.S. elections,” Area 1 wrote in its report, which was based on an analysis of the Burisma Holdings email server by the company.
Still, industry awareness needs to increase, and that can only happen if victims of cyber attacks are willing to come forward publicly and detail what happened.
“People should come out and say they have a problem,” said Drissel, who noted that was unlikely given the damage to professional reputations that can occur after that kind of publicity. “We have not created an environment where people feel comfortable.”
He said that part of the problem is that the campaign industry operates a sprawling online infrastructure that contains valuable data but lacks enough properly trained staff to secure it.
Drissel, an expert on network security who has long worked with the federal government, described it as “a guy with a four-year degree from Kansas [who] has to hold off a sophisticated, well-trained military operative from another country who has been trained for 20 years to infiltrate them.”
“The biggest vulnerability is our lack of preparedness and lack of awareness,” he said.
Preparing against cyber-attacks requires a long-term strategy, which can be difficult to implement on a campaign with a short life cycle.
That’s because network intruders can wait for months or even longer to make a move.
“It’s like a cancer, it slowly grows,” said Drissel. “They create footholds, they create an attack surface, and they identify where the things of value to the current conversation are, and when they need them they mine them out.”
Even if practitioners rush to adopt new protocols, they may already have a vulnerability.
“In most cases, the footholds are already in there,” he said, noting that in cases of an attack, campaigns may not have something as simple as a phone tree that dictates who a staffer or consultant calls when something suspicious has been identified.
“We are seriously underestimating the threat.”