The hacking scandal that hit the DNC last month is more widespread than initially reported and should have operatives scrambling to beef up their personal cybersecurity, several consultants warned.
The cyber attack, reportedly carried out by hackers linked to Russian intelligence, extended possibly to individual campaign operatives. The New York Times reported this week that as many as 100 party officials and groups had their private email accounts breached. The ultimate target, though, was Clinton campaign staffers and party operatives.
Now, many experienced campaign operatives keep the same email addresses for years, even decades. Some industry veterans can even be dated by their AOL email addresses. And with old email addresses come old passwords, warns Beth Becker, a Democratic digital strategist.
In light of what House Minority Leader Nancy Pelosi called a “Watergate-like electronic break in,” switching to a two-step verification for their email login should be the first thing campaign professionals do to protect themselves.
“It’s a pain in the ass, but there have been times when I’ve gotten notices saying ‘someone is trying to access your account,’” Becker said. “It saved me from a larger headache.”
Consultants say there’s almost certainly more to the story that started off with the DNC admitting it was hacked and has now snowballed to include possibly the DGA (something the committee denied). In July, the DCCC said it was also the victim of a “cybersecurity incident,” while the Clinton campaign said hackers accessed some of its analytics programs.
Still, it’s no longer enough for campaign professionals to just warn each other about not emailing something they don’t want to see on the front page of a major newspaper.
“As digital has progressively taken over, that basic password security has fallen by the wayside,” Becker said. “It’s time to fix that.”
Josh Koster, a managing partner at digital ad agency Chong and Koster, agreed that if this isn’t a wakeup call, then nothing will be.
“If they aren't upping their security game now that they know they are a target, they are running a real risk,” Koster said. “Another part of the problem is the server that holds the information.
“I remember early campaigns I was on having a physical server — making them entirely responsible for their own security. As the world becomes more cloud-based, more of the responsibilities of securely hosting information can be passed on to trusted players like big tech companies.”
Laura Packard, a Democratic digital strategist, agreed. “Don't run your own email servers unless you have the experience to make sure they are secure and protected,” she said. “Voter files must be kept electronically and made available to multiple people in order to receive the maximum benefit from those resources — make sure your vendor has good security measures in place, and thorough backup procedures.”
Beyond outsourcing to trusted third parties, and using a randomized unique password and two-step verification, there are other steps campaign professionals can take to help deter hackers.
Packard added: “Make sure all your electronic equipment from desktops to laptops to smartphones is passworded, has antivirus software as appropriate, and is backed up regularly.”