It appears that this year’s presidential election campaigns avoided the sorts of cyberattacks that played out in 2016. No emails leaked this time — not yet, anyway.
One thing that changed in the past four years: Politicians, campaign workers and their friends and family members started counting on little USB sticks to securely log in to email accounts and other online services. Google sells these widgets, known as physical security keys, as do smaller companies such as GoTrust, TrustKey and Yubico.
Google worked with a nonprofit called Defending Digital Campaigns to give out more than 10,500 kits containing physical security keys, the company said in a blog post on Dec. 9. The Federal Election Commission authorized the nonprofit to distribute cybersecurity products to campaigns for free or discounted prices, meaning campaigns wouldn’t have to worry about money if they wanted to boost security. Microsoft also works with the nonprofit.
Joe Biden’s campaign rolled out security keys to its people, a person familiar with the matter told CNBC. A campaign spokesperson did not respond to a request for comment.
“There wasn’t a Podesta-like story because this stuff works,” said Jeremy Grant, a managing director at law firm Venable who previously worked on cybersecurity at the National Institute of Standards and Technology. “Not that there weren’t attempts to phish these accounts, but they knew this was coming, and there were tools to block them.”
‘A lot of house cleaning’ after 2016
In 2016, a hacking group thought to be connected to Russia attacked the personal Google Gmail account of John Podesta, chairman of Hillary Clinton’s presidential campaign, and email messages turned up on WikiLeaks. The Democratic National Committee was also attacked.
The incidents became a turning point.
After the 2016 election, the DNC “did a lot of house cleaning,” said Mick Baccio, who worked on threat intelligence at the White House during the Obama and Trump administrations and later worked as chief information security officer for Pete Buttigieg’s presidential campaign. In the days when the DNC was hacked, Baccio said, government cybersecurity workers thought it was sufficient to get a text message with a one-time code to punch in to confirm it was really you attempting to log in.
That method of multifactor authentication is not acceptable anymore, said Baccio, who is now a security advisor at Splunk. He said physical security keys can help people stop hackers from taking over their accounts.
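As an added illustration of why a texted one-time code no longer counts as adequate while a security key does, the following constructed Python toy (not code from the article, the DNC, or any vendor named) contrasts the two: a phishing page can relay an SMS code verbatim, whereas a security-key-style assertion is bound by the browser to the origin that requested it, so a look-alike site cannot reuse it. HMAC stands in for the key's real per-site signature, and all origins and names are assumptions made up for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo origins (assumptions, not real sites).
REAL_ORIGIN = "https://mail.example.com"
PHISH_ORIGIN = "https://mail-example.com.evil"   # look-alike phishing page


# --- Texted one-time code: a plain value the user can be tricked into typing.
def sms_login(server_code: str, code_typed_by_user: str) -> bool:
    return hmac.compare_digest(server_code, code_typed_by_user)


def phish_relay_sms(server_code: str) -> bool:
    # The fake page asks the victim for the code and forwards it unchanged.
    stolen = server_code
    return sms_login(server_code, stolen)   # relay succeeds -> True


# --- Security-key style assertion: the browser, not the user, supplies the origin.
class SecurityKey:
    def __init__(self):
        # Per-key secret that never leaves the device (real keys hold a private key;
        # HMAC is a simplification used here so the demo runs on the stdlib).
        self._secret = os.urandom(32)

    def assert_login(self, origin: str, challenge: bytes) -> bytes:
        # The origin of the page that asked is hashed into the signed data.
        rp_hash = hashlib.sha256(origin.encode()).digest()
        return hmac.new(self._secret, rp_hash + challenge, "sha256").digest()

    def verify(self, expected_origin: str, challenge: bytes, sig: bytes) -> bool:
        # Server side: recompute over ITS own origin and ITS own challenge.
        expected = self.assert_login(expected_origin, challenge)
        return hmac.compare_digest(expected, sig)


def key_login_direct(key: SecurityKey) -> bool:
    challenge = os.urandom(32)                       # real server's challenge
    sig = key.assert_login(REAL_ORIGIN, challenge)   # user is on the real site
    return key.verify(REAL_ORIGIN, challenge, sig)   # -> True


def phish_relay_key(key: SecurityKey) -> bool:
    challenge = os.urandom(32)                       # real server's challenge, relayed
    sig = key.assert_login(PHISH_ORIGIN, challenge)  # victim is on the phishing page
    return key.verify(REAL_ORIGIN, challenge, sig)   # origin mismatch -> False
```

The same relay that defeats the texted code fails against the key because the phishing page's origin, not the real one, ends up inside the signed data.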
Last year, Defending Digital Campaigns got the FEC ruling that enabled it to disseminate security products without breaking election-finance rules. This year, Google and Microsoft, which offer cloud-based productivity suites with additional security enhancements for campaigns, announced they would collaborate with the nonprofit.
“In the 2020 cycle, at almost every campaign we spoke to, there was some awareness that, ‘Yeah, we need to be doing multifactor authentication,’” said Michael Kaiser, president and CEO of the nonprofit.
People from both parties took products from the nonpartisan organization, which also works with companies such as Cloudflare and LogMeIn.
“What we most wanted to do was protect credentials,” Kaiser said. Sure enough, he said, many federal campaigns — although not all of them — wound up having each of their workers accept two physical security keys, with one for normal use and the other for storage in a safe place.
Google’s kits include two keys for that purpose. Candidates and campaign staffers who wish to use Google’s Advanced Protection Program must use the keys, said Mark Risher, who leads Google’s security and identity teams. Once people are enrolled, Google will help them avoid potentially harmful email attachments and websites.
Microsoft trained 1,500 people at campaigns and the Democratic and Republican national committees on its comparable AccountGuard program, said Tom Burt, a corporate vice president at the company. The top piece of advice was to enable multifactor authentication, rather than just entering an email address and password, he said. Microsoft encourages AccountGuard participants to set up a second factor for authenticating, such as a security key, but it’s not required.
One drawback with physical security keys is that people can lose them, unlike fingerprints or their faces, which can be used to complete log-in attempts, Burt said. He pointed to Microsoft’s Authenticator mobile app as a viable alternative.
Bob Lord, the DNC’s chief information security officer, personally relies on a physical security key. He said the DNC issued physical keys to the vast majority of the 3,400 people who joined together to help get out the vote this year, and the committee had a way to check that people were actually using the keys.
That’s sometimes the hard part. Baccio is already thinking about how adoption could be even more widespread in the future.
“Maybe in 2024 from the outset we’ll have tokens for everyone,” he said. “We might even have some legislation that requires it.”