I cannot think of a reason not to share this with the public,” Brianna Wu tweeted.
“Two of my non-campaign Google accounts were compromised by someone in Russia,” she said.
Wu isn’t just any other target. As a Democratic candidate for the U.S. House of Representatives in Massachusetts’ 8th District, she has a larger target on her back for hackers than the average constituent. And as a former software engineer, she knows all too well the cybersecurity risks that come along with running for political office.
But the breach of two of her non-campaign Google accounts was still a wake-up call.
Wu said she recently discovered that the two accounts had been breached. One of the accounts was connected to her Nest camera system at home, and the other was her Gmail account she used during the Gamergate controversy, during which Wu was a frequent target of vitriol and death threats. TechCrunch agreed to keep the details of the breach off the record as to not give any potential attackers an advantage. Attribution in cyberattacks, however, can be notoriously difficult because hackers can mask their tracks using proxies and other anonymity tools.
“I don’t believe anyone in Russia is targeting me specifically. I think it’s more likely they target everyone running for office,” she tweeted.
Wu said that both of her accounts had “solid protection measures” in place, including “unique, randomly generated passwords for both accounts.” She said that she reported the intrusions to the FBI.
“The worry is obviously that it could hurt the campaign,” she told TechCrunch. But she remains concerned that it could be an “active measure,” a term often used to describe Russian-led political interference in U.S. politics.
Politicians and political candidates are frequently targeted by hackers both in the U.S. and overseas. During the 2016 presidential election, Democratic candidate Hillary Clinton’s campaign manager John Podesta had his personal email account hacked and thousands of emails published by WikiLeaks. The recently released report by Special Counsel Robert Mueller blamed hackers working for Russian intelligence for the intrusion as part of a wider effort to discredit then-candidate Clinton and get President Trump elected.
Yet to this day, political campaigns remain largely responsible for their own cybersecurity.
“There is only so much the feds can do here, given the sheer size of the candidate pool for federal office,” said Joseph Lorenzo Hall, an election security expert and senior vice president at the Internet Society.
Hall said much of the federal government’s efforts have been on raising awareness and on “low-hanging fruit,” like enabling two-factor authentication. Homeland Security continues to brief both parties to the major cybersecurity threats ahead of voting later in November, and the FBI has online resources for political campaigns.
It’s only been in the past few months that tech companies have been allowed to step in to help.
Fearing a repeat of 2016, the Federal Elections Commission last year relaxed the rules to allow federal political campaigns to receive discounted cybersecurity help. That has also allowed companies like Cloudflare to enter the political campaign space, offering cybersecurity services to campaigns — which was previously considered a campaign finance violation.
It’s not a catch-all fix. A patchwork of laws and rules across the U.S. make it difficult for campaigns to prioritize internal cybersecurity efforts. It’s illegal in Maryland, for example, to use campaign finances for securing the personal accounts of candidates and their staff — the same kind of accounts that hackers used to break into Podesta’s email account in 2016. It’s an attack that remains in hackers’ arsenals. Just last year, Microsoft found Iranian-backed hackers were targeting personal email accounts “associated” with a 2020 presidential candidate — which later transpired to be President Trump’s campaign.
Both of the major U.S. political parties have made efforts to bolster cybersecurity at the campaign level. The Democrats recently updated their security checklist for campaigns and published recommendations for countering disinformation, and the Republicans have put on training sessions to better educate campaign officials.
But Wu said that the Democrats could do more to support campaign cybersecurity, and that she was speaking out to implore others who are running for Congress to do more to bolster their campaign’s cybersecurity.
“There is absolutely no culture of information security within the Democratic Party that I have seen,” said Wu. Fundraising lists are “freely swapped in unencrypted states,” she said, giving an example.
“There is generally not a culture of updating software or performing security audits,” she said. “The fact that this is not taken seriously is really underscored by Iowa and the Shadow debacle,” she said, referring to the Iowa caucus last week, in which a result-reporting app failed to work. It was later reported that the app, built by Shadow Inc., had several security flaws that made it vulnerable to hacking.
Spokespeople for the FBI and the Democratic Congressional Campaign Committee did not respond to a request for comment prior to publication.
“Infosec is expensive, and I know for many campaigns it may seem like a low priority,” Wu told TechCrunch.
“But how can we lead the country on cybersecurity issues if we don’t hold ourselves to the same standards we’re asking the American people to follow?” she said.
By Zack Whittaker