Are 2024 US Political Campaigns Prepared for the Coming Cyber Threats?

After a long lull, cyber threats to the 2024 US elections spiked in recent days. Are parties, campaigns, and officials prepared for the moment?

In just the last week, news broke of a Telegram bot collecting compromised credentials relating to the Democratic party and its National Convention (DNC). A candidate for president falsely accused his opponent of using artificial intelligence (AI) to make herself appear more popular. The Iran-backed Charming Kitten/APT42 group, related to the Islamic Revolutionary Guard Corps (IRGC) used the hacked email account of a former senior advisor to send malicious phishing emails to a high-ranking official in a presidential campaign — one among dozens of individuals from both competing campaigns who have been targeted.

"You will see that this risk will definitely rise as we get closer to Election Day," warns Michael Kaiser, president and CEO of Defending Digital Campaigns (DDC), adding that not only do experts expect more cyber threats to surface as November nears, but those threats will likely carry more potency to them.

"If your goal is to interfere, you're going to be more successful if you're later in the cycle," he says. "This Trump incident this week — it's hard to see if that has a discernible impact on anything. But if this was 48 hours before Election Day, [or] if this were to happen as people are casting votes, it could have had an impact."

Why Protecting a Political Campaign Is so Difficult

The story is well-worn: hackers compromise a specific individual in a targeted organization not by attacking them directly, but by first compromising a colleague, then puppeting the colleague's business email in a phishing attack. In last week's case, the colleague just happened to be Roger Stone, and the target Donald Trump.

Political campaigns—especially those at the highest level—know that they're going to be targeted by the highest-level threat actors in the world. So why do these attacks still work?

In one sense, it's because campaigns struggle with the same risks that any other organizations do. They face all the same threat actors, be it nation-state APTs — like the IRGC; cybercriminals — perhaps via a Telegram bot; or hacktivist operations that fall into both buckets. The smaller, more local ones face tight budget constraints, and campaign leaders at any level might lack the motive to prioritize cybersecurity over connecting with voters.

"A lot of the resources that are coming into a campaign are no doubt being spent on the actual operations of the campaign, or things like advertising, and security is just going to be one piece of that budget," says Luke McNamara, deputy chief analyst for Google Cloud's Mandiant Intelligence, which works with a number of 2024 campaigns.

"The big challenge that campaigns have — especially if you were to compare it to any sort of other enterprise — is they're set up for a short period of time: months, or maybe a year or so," he adds. This turns out to have serious consequences.

"Volunteer centers are set up very quickly. They rent a particular storefront, put in some information technology infrastructure, and boom: they're making banners," explains James Turgal, vice president of global cyber risk and board relations at Optiv, who worked at the FBI at the time of the headline 2016 election hacks. Aside from the sheer difficulty of securing an IT environment in such a fast-paced setting, "volunteers are going to bring their own devices. They're going to be out on social media, talking about how they're working for this particular candidate at this particular facility. And all of those social media platforms are scraped by the Chinese, the Russians, the North Koreans, and Iran."

Then, he adds, "They're going to be [sending] emails back and forth. They're setting up meetings. They'll be logging in to a centralized RNC or DNC site, to be able to coordinate that event. And so every one of those devices, all of those volunteers, they're part of the attack surface."

Campaign Finance Changes: A Positive Development

Four years ago, in the wake of a 2016 election colored by major cybersecurity scandals and a string of Russian-sponsored hacks on Democrat campaigns and events, and in anticipation of a 2020 election which they thought could well experience the same, two high-profile former campaign managers came together to hash out a solution.

Each had painful, firsthand experience with the issue. Matt Rhoades weathered a barrage of Chinese attacks while serving as Mitt Romney's campaign manager in 2012. Robby Mook was the high-profile campaign manager to Hillary Clinton in 2016.

In 2019 they submitted a request for guidance to the Federal Election Commission (FEC). Their idea: supplying cybersecurity services to campaigns should not be considered a donation, and subject to all of the federal regulations therein. The FEC gave them a green light, citing in its ruling "the unusual and exigent circumstances presented by your request and because of the demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees."

"That was a big deal because campaign finance law is complicated, but also because there are limits to how much an organization could give to a campaign," explains DDC's Kaiser, who today runs the organization founded by Rhoades and Mook. Since 2019, DDC has been authorized to provide cybersecurity services outside of the typical campaign finance structure across all 50 states federally, and in the swing states of Georgia, Michigan, and Virginia down-ballot.

DDC is, however, the only organization with such a right for the foreseeable future, and it's unlikely to solve every campaign's problems on its own.

How to Secure a Political Campaign

For campaigns avoiding or struggling with security, Kaiser highlights the fact that "The platform or workspace they're using [likely] has a lot of security built in that they can turn on. There are also a lot of free tools — there's CloudFlare, or Project Shield from Google, which they can get for free to protect their website. There's a lot of stuff around them that they could implement very quickly for no cost."

There's also commonsense cyber hygiene that campaigns can employ to reduce their risk, also without much cost or hassle. For example, when it comes to all those volunteers coming in and out every month, McNamara advises that campaigns focus on limiting the sheer volume of accounts and credentials bouncing around, and regularly shedding those that belonged to former members. A hardware token, meanwhile, can go a long way in stopping a pesky little Telegram bot, or an adversary with an eye for business email compromise (BEC).

So are campaigns more cyber savvy and prepared than they once were? The short answer is, compared to the wake up call that was 2016, they have more accessible security tools available, and more awareness and motive to take advantage of them.

"We've now got better examples of who these threat actors are from some of those adversary nations like China, Russia, and Iran; and also what tactics, techniques, and procedures they employ," Mandiant's McNamara says. In turn, "There are more resources available not just from us, but other organizations that are putting those resources out there to help campaigns. We need to make some of these security resources easier to deploy and implement, and more available in general."

From Kaiser's perspective, the general trend has been positive in terms of security preparedness and putting defenses in place, noting that his organization alone serves more and more campaigns each cycle.

"There is [security] adoption," he says. "Obviously, not all security needs to be adopted by through us. People also do security on their own, especially if they're working with digital firms who might be helping provision those campaigns. We talk to those folks, and they tell us what they're doing for their campaign, so we're aware that the universe of what's happening has been growing around security."