Why Did So Few Campaigns Sign Up for the FBI’s Cybersecurity Briefing?
WASHINGTON — As part of its efforts to combat forms of foreign election interference like that seen in 2016, the FBI in August launched a project called Protected Voices to help political candidates and consultants defend against the next wave of cyberattacks on U.S. soil. Now, just three weeks before the 2018 midterm elections, the program has taken a strange turn.
This past Tuesday, two FBI special agents who work on Protected Voices had planned an online briefing with political operatives based in Washington and northern Virginia to share “cyber hygiene” tips on how to not get hacked by foreign nations, e-criminals and other malicious actors. Director of National Intelligence Dan Coats said in July that the warning lights for future cyberattacks and election interference were “blinking red.” Those threats have only increased, cybersecurity experts say, as the midterm elections get closer.
But just one day before the campaign briefing, the FBI announced that the hearing was off and postponed until 2019 “due to factors beyond our control.”
In an interview with Rolling Stone, Andrew Ames, an FBI spokesman, said that sign-ups for the briefing were “so low” that the bureau had to delay it until after the midterms.
Several prominent consultants tell Rolling Stone they’re unaware of the FBI’s Protected Voices program or weren’t invited to the briefing, suggesting that the lack of interest was in part of failure on the part of the bureau to get the word out.
Shauna Daly, the director of Progressive Security Corps, an outfit working to improve cybersecurity practices in Democratic politics, says she hasn’t heard of the FBI’s initiative and was skeptical of the bureau’s outreach if so few people signed up. She adds that campaigns might be too busy three weeks from Election Day to attend, but also says the lack of interest may reflect “a fair amount of apathy or just lack of interest” in campaign cybersecurity.
Zac Moffatt, the founder and CEO of the Republican consulting firm Targeted Victory, says he, too, was not contacted by the FBI about it. “I have never heard of this group and I was never aware of it,” he says.
Mark Jablonowski, the chief technology officer at DSPolitical, a digital microtargeting firm used by hundreds of campaigns, says he wasn’t aware of the briefing either. “There’s an appetite for campaigns and consultants to hear directly from the FBI about these important security matters and we welcome their participation,” he says. “We’d love to help them reach the correct people.”
The FBI did not respond to follow-up questions about the extent of its outreach as part of the program.
Rolling Stone first revealed two separate hacking attempts in competitive congressional primaries this year in Southern California, where Democrats need a strong showing to win back the House of Representatives. The Daily Beast this summer reported that Sen. Claire McCaskill (D-MO), one of the most vulnerable Democrats up for reelection in 2018, was targeted by hackers affiliated with the Russian government. (McCaskill said the attacks were unsuccessful.)
FBI Director Christopher Wray announced last year that the bureau had created a foreign influence task force staffed with experts in counterintelligence, cybersecurity and criminal investigations to protect U.S. elections from overseas meddling. “We can learn from what Russians and others are trying to do with other elections, in terms of tradecraft, etc.,” Wray told Congress. “We’re trying to get in front of it and be on the lookout for efforts to interfere.”
Protected Voices — which includes help from the Department of Homeland Security and the Office of the Director of National Intelligence — put a public face on the federal government’s efforts to counter foreign meddling and other cybercrime. The effort is specifically aimed at U.S. political campaigns, and it gives candidates and political operatives a set of how-to videos on protecting themselves as well as reporting possible cyberattacks to the bureau.
By most indications, political campaigns remain ill-prepared for future hacking attempts and hesitant to commit already-limited resources to cybersecurity advice and protections. A March story by BuzzFeed News found confusion between the Democratic Congressional Campaign Committee and the candidates it was helping to elect when it came to basic safeguards like the use of encrypted messaging services. McClatchy reported in late September that just six candidates for the House or Senate in 2018 had spent more than $1,000 on cybersecurity by the end of the summer, according to the Federal Election Commission filings. “Everyone’s hit the snooze button,” Theresa Payton, CEO of the cybersecurity firm Fortalice, told McClatchy.
Moffatt, the Republican consultant, says that cybersecurity efforts focusing on politics often overlook one of the most vulnerable pieces of any campaign: outside vendors and consultants. “The real challenge is probably not the campaigns but it’s the consultants and vendors that dip in and out,” he says. These outfits have access to a campaign’s most sensitive data and strategy documents but don’t get much scrutiny when it comes to protecting that information. “The vendors are the weak link,” he says. “They’re the most dangerous part of this whole thing.”
Daly, the Democratic cybersecurity expert, says that candidates and campaigns on her side of the aisle have made progress since 2016, but not nearly as much as they need to. “People understand that it’s scary but they still think that it’s hard, that it’s probably expensive and that they don’t have the luxury of doing anything about it,” Daly says. “Which I find really frustrating because there’s a whole bunch of stuff you can do for free. But that message hasn’t really gotten through.”