The FBI, Department of Homeland Security and Office of the Director of National Intelligence are giving unclassified briefings to presidential campaigns about cybersecurity and espionage issues they may face ahead of the 2020 election, and the “best practices for mitigating risks.” According to CNN, the campaigns for former Housing and Urban Development secretary Julian Castro and businessman Andrew Yang confirmed they received the briefing.
It is likely that the briefing covered “spearphishing,” which involves sending deceptive messages to everyone in an organization and hoping that at least one person chooses to follow the emailed instructions. One tech firm argued that the vast majority of the 2020 campaigns are falling short on the use of email authentication and advanced e-mail security. The conclusion is that the campaigns are well prepared for last cycle’s attacks, but not for the new attacks coming down the road.
Today, 83 percent of the top candidates rely solely on the security controls built into their email platforms—almost exclusively Gmail and Microsoft Office 365. The good news is that these controls have advanced to the point where they can weed out the kind of malicious links and malware to which Podesta fell victim. The bad news is that they’re utterly defenseless on their own against today’s most advanced forms of phishing.
One of the lesser-observed aspects of the 2016 hacking of Hillary Clinton’s campaign was how much could have been prevented with just one or two different decisions in response to a spearphishing attack.
According to the Mueller report, the Main Intelligence Directorate of the General Staff of the Russian Army — known by the abbreviation GRU — hacked into the emails of John Podesta, the chairman of the Hillary Clinton presidential campaign, and the DNC through “spearphishing.”
On March 19, 2016, Podesta was sent an email that said:
Someone just used your password to try to sign in to your Google Account firstname.lastname@example.org.
Google stopped this sign-in attempt. You should change your password immediately.
CHANGE PASSWORD –
It offered a link to a site that looked like a password-reset form . . . where the bad guys could steal his new password, log into his account, and copy all of the emails in there.
Podesta’s chief-of-staff forwarded the email to the operations help desk of Clinton’s campaign in Brooklyn, where a staffer wrote back concluding, “This is a legitimate email. John needs to change his password immediately.” (The staffer contends his response was a typographical error; he intended to write that it was NOT a legitimate email. That seemingly small error had far-reaching consequences.)
In an effort to prevent his email from getting hacked, Podesta opened the door for his email to get hacked. While ignoring the message wouldn’t have prevented the Internet Research Agency from posting all of their divisive messages and memes on social media, it would at least have hindered the GRU hacking of the e-mails and the posting of them on WikiLeaks.
There’s an old saying that a chain is only as strong as its weakest link. Similarly, an institution’s computer network is only as secure as the most gullible people using it, and unfortunately for the Clinton campaign, that turned out to be Podesta and the help-desk staffer.