Candidates are quizzing prospective campaign managers on anti-hacking plans. Democratic committees like the Democratic Congressional Campaign Committee, which was breached last year, have switched internally from email to encrypted messaging apps. And both parties are feverishly trying to spread advice and best practices to new campaigns before they become targets.

The political world is officially obsessed with cybersecurity in 2017 — especially the Democrats burned by the hacking of their committees and operatives during the 2016 election. Much of the Democratic Party’s permanent apparatus has already changed its day-to-day operations as a result, while beginning the slow process of persuading its decentralized, startup-like campaign ecosystem to follow suit.


House Democrats’ top strategists have urged consultants working on their campaigns to start using Wickr, the end-to-end encrypted messaging app used inside the DCCC — but the consulting community has been slow to give up email and embrace the program, say three Democratic consultants involved in House races. Security measures vary widely from race to race, leaving many still vulnerable to hacking, and members of both parties say they are seeking centralized clearinghouses of anti-hacking information and services.

An average state or congressional campaign will likely never be the prime hacking target that Hillary Clinton and the Democratic National Committee were in 2016. But operatives warned that the only way to secure a political party’s information is to get everyone on the same page — and that the best way to prevent hacking in the 2020 presidential campaign is to have a security-first culture change take root before then.

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

“I just don’t think there’s anyone whose job it is, really. There’s no clearinghouse,” said Michael Ambler, campaign manager for the gubernatorial campaign of Democratic Maine Attorney General Janet Mills. “For finance or fundraising or field, there are best practices … passed down from older campaigns. There really isn’t anything comparable for data security.”

Though Democrats were the ones targeted by hacks in 2016, Republicans are also looking to improve cybersecurity — and they are finding that resources are uneven, with no uniform recommendations ready for campaigns at every level.

“There’s no recommendation on our side,” said Republican consultant Brad Todd, a top strategist on Senate and House races around the country.

The Democratic committees that were breached in 2016 have been especially eager to install stronger hacking protections this year. The DNC has brought in a new chief technology officer, Raffi Krikorian, and started running anti-phishing drills. Chairman Tom Perez is among a growing number of political figures using the secure messaging app Signal, BuzzFeed reported. The DNC has also started a cybersecurity advisory board to stop hacking and is expected to roll out a “campaign toolkit” that will be available to candidates across the country.

The DCCC, another 2016 victim, moved its internal communication off email and onto Wickr, as have the DSCC and the Democratic Governors Association. And in a further step, the DCCC urged Democratic House campaigns and consultants to use Wickr in 2018.

The committee ran seminars at which outside Democratic operatives taught them to use Wickr — but many are still using email on their campaigns.

“They’re advocating it in theory but not pushing the practice,” said one Democratic consultant working on House races. “They could say, the DCCC will not be on your calls or emails without Wickr. But they’re not. None of my campaigns are using Wickr at the moment. Change is really tough, and email is the central funnel.”

A DCCC aide called it “irresponsible” for top consultants not to use encrypted messaging. But the committee is not attempting to compel use of Wickr, the official said, though it has offered to pay for 20 incumbent campaigns to use the service.

“Ultimately, they have to choose to adopt the technology,” the aide said.

Party committees have a particularly strong interest in securing their communications that individual campaigns may not share, said another consultant. Later in the 2018 election cycle, the DCCC will ask candidates to share their own highly sensitive “self-research” — opposition research done against themselves to help the campaign and the party prepare for attacks. Hackers stole some of that delicate information from the DCCC’s central file during the 2016 election.

“The committees have to be repositories for this information, and that makes it important for them to show they can handle it,” the second Democratic operative said.

On the campaign level, the operative continued, “the DCCC has shared best practices, but most campaigns haven’t crossed that line yet where they think they need it.”

Some particularly high-profile politicians are taking stronger measures, like retaining CrowdStrike, the cybersecurity firm used by the DNC and DCCC to respond to hacks in 2016.

Illinois Democrat J.B. Pritzker, who is running in what’s expected to be the nation’s most expensive gubernatorial race ever, hired the firm as he launched his campaign in the spring. Virginia Gov. Terry McAuliffe’s PAC, Common Good VA, also paid CrowdStrike at the end of last year.

Cybersecurity is “really one of the most challenging things I’ve dealt with as a manager, because it’s not my expertise and it’s not the expertise of the majority of people who work in this business,” said Pritzker campaign manager Anne Caprara, who previously worked at Priorities USA Action, the Democratic super PAC (and another CrowdStrike client).

Caprara said one of her first decisions in Pritzker’s campaign was to put anti-hacking measures in place.

A spokesman for McAuliffe, a potential 2020 Democratic presidential candidate, declined to comment on whether his PAC retained CrowdStrike as a prophylactic measure or in response to a specific incident.

The National Republican Congressional Committee has paid CrowdStrike nearly $80,000 for services in 2017, according to its campaign finance reports.

“I will say that we have a full-time cybersecurity team on staff,” NRCC communications director Matt Gorman said in an email. “The first rule of effective cybersecurity is not to talk about cybersecurity measures. That said, it is an absolute priority for us. For over a year we’ve taken considerable steps to heighten our posture.”

There is also interest in developing new companies as political cybersecurity resources. Higher Ground Labs, the incubator for Democratic tech firms founded this year, is looking at options to invest in cybersecurity projects, though it hasn’t made any yet, according to a source familiar with the group.

And some candidates who watched what happened in 2016 have made hacking and security a topic when political consultants come in for interviews.

“I’m definitely finding an appetite for candidates to be more secure than they were,” said GOP consultant Kyle Robertson. The problem, Robertson continued, is that there’s no perfect way to prevent attacks across a decentralized world.

“You could never really control what emails people use to communicate,” Robertson said.

At a recent training session for progressive candidates, the Progressive Change Campaign Committee held a breakout session on secure messaging on campaigns. The recommendation there was to use Signal.

“They basically talked about different apps and different platforms that [campaigns] could use,” said Dr. Rob Davidson, a progressive candidate from Michigan who attended the conference. “It was an hour-and-a-half breakout session, [but] it wasn’t in-depth. It was one of the add-on ‘Oh yeah, campaign security’” sessions.”

