“Never again,” says Aaron Trujillo, chief of staff for the Democratic Congressional Campaign Committee. “That’s the message.”
Roughly one year ago, the DCCC — the campaign arm for Democrats in the House of Representatives — revealed that its systems were breached by hackers. The cyberattacks, as it was later reported, were connected to a broader operation that included multiple computer intrusions into the Democratic National Committee, the party’s national organization. Closer to Election Day, it was revealed that there were links between the DCCC breach incident and the GRU, Russia’s premier military intelligence agency. Russian government officials quickly denied that the Kremlin was involved in either incident.
The breach marked the beginning of a larger issue. In August 2016, less than one month after the DCCC hack had been publicly disclosed, a blog written under the moniker of “Guccifer 2.0” began publishing thousands of sensitive, internal DCCC documents. They included internal campaign communications, voter outreach strategy and other information related to multiple, active democratic campaign races for seats in the House.
The leaks had an immediate impact as some Republican campaign strategists took material provided by Guccifer 2.0 and began using it to attack rival campaigns.
“It was like I was standing out there naked,” Annette Taddeo, a Democratic candidate who lost her primary race in South Florida shortly after the documents were leaked, told the New York Times in December. “I just can’t describe it any other way.”
“Our entire internal strategy plan was made public, and suddenly all this material was out there and could be used against me,” Taddeo said.
Meanwhile, back at DCCC headquarters in Washington, D.C., staffers were left demanding answers. They wondered how it had all happened. Anger, confusion, distress and anxiety filled a room of experienced professionals. Just a few floors away in the same building, the same scene played out in the DNC’s own headquarters.
A new identity
“As you can imagine, we learned a lot,” Trujillo said when talking about the breach’s aftermath. “The way we’re approaching things now, how we’ve prioritized this, it’s completely different from even just 10 months ago.”
Those lessons learned have been funneled into a recently-launched program known as “Shield,” a plan to implement tighter security controls on campaigns; educate staff about security risks and threats; promote the adoption of new cybersecurity technologies; better integrate secure communications between headquarters and campaigns; and create common protocols which campaigns of varying sizes can follow.
In an interview with CyberScoop, Trujillo spoke about Shield, which has already been in use, including in the closely watched special election for Georgia’s 6th Congressional District.
“We can’t do things like we did before,” said Trujillo. “That’s clear to pretty much everyone … 2016 showed how there were vulnerabilities in the way campaigns generate, store and exchange information.”
Trujillo said the genesis for the plan came after the committee completed a full autopsy of the 2016 election. The examination revealed vulnerabilities and security deficiencies internally, at headquarters, and externally, throughout disentangled teams and systems that support various different campaigns from across the country. These findings caused the leadership in Washington to rethink how campaigns should function in the future.
In short, the plan has so far involved reorganizing staff at headquarters, making new hires, allocating budget resources, forming relationships with private technology firms and taking some applicable best practices from the private sector. As part of this model, the DCCC is consistently communicating with campaign staff on the ground, beyond the District.
“A big thing for us was to bring some of the recommendations from the NIST Cybersecurity Framework to the campaign world,” said Trujillo.
NIST, or the National Institute of Standards and Technology, is a Maryland-based federal agency that establishes standards, common practices and codes for scientific fields of study, including information technology. NIST’s cybersecurity framework is a voluntarily guidance for how organizations should approach cybersecurity. The framework offers suggestions for how an organization can, for example, securely manage user login credentials.
“That alone should help a lot,” Trujillo said.
Systems behind the Shield
In addition to offering educational resources and basic guidelines to campaign staff, Trujillo’s team has made inroads with several important technology vendors, including social media giant Facebook, software creator Microsoft, encrypted messaging app Wickr and cybersecurity firm CrowdStrike. Several of them have played a part in improving the DCCC’s own internal security since January’s autopsy, said Trujillo.
Trujillo told CyberScoop that the organization was able to strike deals with Wickr and CrowdStrike in order to offer Democratic campaigns their products at a discount through the DCCC. As a result, many of the party’s most prominent campaign races in 2018 may rely on CrowdStrike products for protection and Wickr to communicate internally and with DCCC headquarters.
CrowdStrike declined to comment for this story. Wickr did not respond to a request for comment.
The partnership with Facebook is especially important because it will allow upcoming democratic campaigns through the DCCC to report if and when they believe they have become the target of foreign propaganda online. The loosely defined arrangement — a result of the Guccifer 2.0 episode — will focus on providing information to Facebook’s internal security team, which is led by Facebook Chief Security Officer Alex Stamos.
Facebook did not respond to a request for comment.
The greater goal
While the DNC focuses on the party as a whole — including Senate and presidential races — the “D-Trip” as it’s commonly referred to, is the primary fundraising and organizing body for the majority of Democratic congressional campaigns. DCCC supports candidates with a wide range of experience, from veteran politicians with national profiles down to first-time House candidates. While the two nongovernmental organizations work in partnership, they are entirely separate entities with different employees, interests, stakeholders and structures.
And although it’s not at the top of the party, the DCCC has wide institutional influence and collects millions of dollars in funding, giving it the political and financial capital to spur change within the party. Put plainly, the DCCC’s ability to spur candidates to victory could decide the balance of power in the federal government.
“When you think about it, winning the House might come down to just a few races and so a breach, a bad leak — even if it’s just one campaign — could affect a lot people,” Trujillo said. “There’s no excuse for it.”
“We live in a new reality.”
Party leaders believe that being able to defend against cyberattacks will be an important factor in the 2018 campaign cycle for the Democrats. And the DCCC is far from the only political organization to be prioritizing and building up its cybersecurity capabilities following the 2016 election cycle.
Over the last year, the DCCC’s republican counterpart, the National Republican Congressional Committee, has also invested resources in improving. A spokesperson, however, declined to offer specific details.
“We believe the first rule of effective cybersecurity is not to talk about your cybersecurity measures,” a NRCC spokesperson told CyberScoop. “We have a full-time cybersecurity team on staff and it’s an absolute priority for us. For over a year, we’ve taken considerable steps to heighten our posture.”
In a recent interview with the DNC’s newly hired chief technology officer Raffi Krikorian said he was testing DNC staff by sending them fake phishing emails. The goal of the exercise was to educate staff about computer viruses sent by email in what appear to be typically benign messages.
The importance of education and proper training is something Trujillo echoed.
“Education I think is probably one of the biggest things right now still,” Trujillo said. “We deal with campaigns of all sizes, with different budgets, so training is important and something nearly everyone can do.”
A significant portion of the DCCC’s immediate cybersecurity push will also be educational in nature. It will include private briefings with experts, consultation with headquarters on applying specific software products, and the dissemination of security best practices. For example, the DCCC now recommends that campaign staff avoid personal email accounts and instead use a Google Business email system or a custom Microsoft Outlook email client — two products that headquarters has reviewed and tested — to conduct campaign business online.
The DCCC has been providing information about Shield to campaign staff involved in what the fundraising giant considers to be the top 20 most important races of the 2018 cycle since January. All 20 will adopt elements of Shield in the coming year, said Trujillo, while smaller campaigns will be “strongly encouraged” to also adopt some of the DCCC’s cybersecurity guidelines.
“We live in a new reality,” Trujillo describes without pause. “What we saw last election cycle, what we are seeing today … welcome to the new reality for political campaigns.”