When Russian hackers targeted the staff of Sen. Claire McCaskill, D-Mo., they took aim at maybe the most vulnerable sector of U.S. elections: campaigns.
McCaskill's Senate staff received fake emails, as first reported by The Daily Beast, in an apparent attempt by Russia's GRU intelligence agency to gain access to passwords. McCaskill released a statement confirming the attack but said there is no indication the attack was successful.
"Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."
The Missouri Democrat is running for re-election in November, in a state President Trump won by almost 20 percentage points; she is widely considered among the most vulnerable Democrats running for re-election in the Senate this year.
Although the attack on her staff is the first known instance of a Russian attempt at the kind of cyber-intrusion used on the Clinton campaign with great success in 2016, there is reason to believe it won't be the last.
Tom Burt, Microsoft's vice president of customer security and trust, said last week that three candidates standing for election in the 2018 midterms were the target of phishing attempts that Microsoft detected. The Daily Beast concluded based on other evidence that McCaskill was among those three. It remains unclear who the others were.
"They were all people who because of their positions, might have been interesting people from an espionage standpoint, as well as an election disruption standpoint," Burt said.
Eric Rosenbach, who served as the chief of staff for the Department of Defense from 2015 to 2017 and also previously oversaw the Pentagon's cyberactivities, said based on his experience in national security, there's no reason to believe those will be or have been the only campaign hack attempts.
"The fact that you find one part of a Russian cyber-intrusion or attack, usually means that you've only found a very small part of it," Rosenbach said. "It probably means that [attacks] like this are much more widespread, that they may be, in fact, in the campaigns of many close Senate races ... You just always have to operate as if you've only found the beginning of what is probably a much more complex problem and situation."
Rosenbach now leads the Defending Digital Democracy project at Harvard University's Kennedy School of Government, a project aimed at helping state and local election officials, as well as campaigns, grapple with the new reality: Much of their work is now digital, and they have a target on their backs.
Campaigns are "the most vulnerable" aspect of U.S. elections, Rosenbach said, because they often don't have the time or money to develop long-term cybersecurity plans and because they're bringing on new staff and volunteers all the time — often without adequate training.
Rosenbach worked with Republican Mitt Romney's 2012 campaign manager, Matt Rhodes, and Democrat Hillary Clinton's 2016 campaign manager, Robby Mook, on creating a cybersecurity playbook for campaign managers.
"People have this perception of campaigns that comes from movies and TV shows, like House of Cards, where they're very sophisticated operations," said Rhodes, when he spoke to NPR in the spring. "The only thing that is actually consistent with the movies when it comes to campaigns is people eat a lot of pizza. They're not that sophisticated."
Mook added, "The irony of campaigns is they are the grittiest and least valuable startups out there, but they're incredibly valuable targets."
Much of the risk of the sort of phishing attack that was successfully executed in 2016 on John Podesta, chairman of the Clinton campaign, and the Democratic National Committee and attempted this year on McCaskill's staff could be mitigated with two-factor authentication, said Mark Nunnikhoven, a vice president of the cybersecurity firm Trend Micro.
Two-factor authentication makes it so anyone wishing to access an email account must not only have a username and password, but also another form of verification, like a code that can be texted to a cellphone number. It's a cybersecurity measure offered by all major email providers at no cost, but, Nunnikhoven said, "the challenge is getting people to use it."
The added step is inconvenient, but it renders most phishing attempts useless.
"This is a constant challenge of cybersecurity, getting people to understand tradeoffs," Nunnikhoven said. "It's a minor bump in the user experience, but it's a huge security win."
But campaigns need to begin taking steps like that, Rosenbach said, because until the United States can implement a foreign policy that effectively deters foreign nations from interfering digitally in elections, they will continue. If it's not Russia, he also said, it will be someone else.
"It's hard for me to believe," said Rosenbach, "that campaign infrastructure won't be under attack for decades, maybe centuries to come."
An earlier online version of this story incorrectly called Tom Burt Microsoft's vice president of consumer security and trust. He leads the company's customer security and trust efforts.
SCOTT SIMON, HOST:
Russian hackers are going after U.S. elections again. Democratic Senator Claire McCaskill said this week her campaign was targeted by a phishing attack from Russia after that had been reported in The Daily Beast. The senator is up for re-election in November, in Missouri, a state that voted overwhelmingly for Donald Trump in 2016. And there's reason to believe other campaigns could be under attack as well. NPR's Miles Parks has more.
MILES PARKS, BYLINE: Matt Rhoades ran Mitt Romney's 2012 presidential campaign. He says, campaigns are an easy target for Russia because despite what popular culture may say, they often aren't that organized.
MATT RHOADES: The only thing that is actually consistent with the movies when it comes to campaigns is people eat a lot of pizza. And they're not that sophisticated. That's what makes our campaigns so thrilling and exciting, but it also makes them soft targets.
PARKS: Rhoades helps lead a project at Harvard University that aims to help election officials and campaigns grapple with the new reality - that they now have a target on their backs. I sat down with him and Robby Mook, Hillary Clinton's 2016 campaign manager, at a conference Harvard hosted in the spring. Clinton was the target of a successful attack similar to the one McCaskill faced. Her campaign chairman, John Podesta, had his email account accessed by Russian operatives, who proceeded to publish reams of emails. Here's Mook.
ROBBY MOOK: The irony of campaigns is they are the grittiest and least resourced startups that are out there, but they're incredibly valuable targets.
PARKS: Campaigns often don't have the time or money to develop long-term security plans. And they're bringing in new staff all the time without training. Those staffers and sometimes volunteers may also be using their own equipment.
In the case of the McCaskill attack, Russian operatives sent fake emails that were made to look like official notices to change a password. There's no indication the attack was successful.
Eric Rosenbach leads the project at Harvard. He serves as the chief of staff for the Department of Defense and used to lead all aspects of the department's cyber activity. He says there's also no reason to believe McCaskill staff is alone, even if they're the first this election cycle to publicly state they've been targeted.
ERIC ROSENBACH: The fact that you find one part of a Russian cyber intrusion or attack usually means that you've only found a very small part of it. They're just very sophisticated. So you always have to operate as if you've only found the beginning of what is probably a much more complex problem and situation.
PARKS: Until the U.S. institutes an effective foreign policy to deter these sorts of attacks, Rosenbach says they'll continue. Miles Parks, NPR News, Washington. Transcript provided by NPR, Copyright NPR.