The AP reported yesterday that the campaign of former Tennessee governor and Democrat Phil Bredesen, now running to replace Bob Corker in the Senate, may have been hit by a cyber-attack:
In a letter obtained by The Associated Press, campaign lawyer Robert E. Cooper Jr. wrote that Bredesen’s aides became suspicious when someone pretending to be the campaign’s media buyer asked for money to be wired to an international account.
The letter says the person used an email address nearly identical to the actual media buyer’s and knew about an upcoming TV campaign and its proposed dates. Cooper says the campaign hired a cyber-security firm that found the impostor emails were registered through an Arizona-based registrar.
“Thanks to alert action by campaign management, no funds were diverted,” the letter states. “However, due to the fact that the impostors knew the media buy was imminent, we are concerned that there has been an unauthorized intrusion into the extended campaign organization.”
Of course, spammers fake sending accounts all the time, so that in itself isn’t necessarily a sign of a successful hack. Also, I’m sure the AP reporter meant that the email’s originating domain was registered through that company in Arizona, but we get the gist.
The key point is that the scammers knew that the media buy was coming and to whom to send their email hoping to divert the money, which suggests that they were reading someone’s inbox. This tactic is just one example of the ways hackers and digital scammers can screw up a political operation, and in John Podesta’s case, it may have affected the result of the 2016 election.
For other campaigns, the lesson is simple: you are a target. Many of us look to the Russians as a systemic threat, and we should definitely be concerned that the Trump Administration has yet to do anything substantive to slow them down this year. But simple scammers — and your own opponents or their allies — may be more likely to strike your campaign for state legislature or city council.
What should campaigns do? Last summer, I wrote in C&E that:
For a start, cyber security cannot be an afterthought. I’ve heard from digital folks on the Democratic side that “spear-phishing” and other hacks are definitely rising this year, and even local campaigns should pay close attention. Change those passwords early and often, and enable two-factor authentication for machines and accounts.
From a later C&E column, this time covering the wide array of tactics the Russians used to disrupt the 2016 elections:
Campaigns must implement basic security measures. For instance, get rid of those general passwords shared by many volunteers immediately, and stop spending time on some coffeeshop’s wifi without running the traffic through a Virtual Private Network (robust systems can cost a few dollars per month for individual users). Digital consulting shops should consider teaming up with security firms to protect their clients in bulk.
These measures are just a start, but they’re likely to be new for the vast majority of campaigns. Also on the watch list: fake news and rumors, perhaps amplified by botnets but likely spread by credulous people willing to believe the worst of you. For more on fighting those, see that article on Russian hacking tactics. Your own supporters may be your most effective weapon against disinformation.
You may be fine in 2018…but don’t count on it. Luck favors the prepared mind — and the prepared campaign.