WASHINGTON — Perched behind government computers at a site in Northern Virginia, hacking experts are scanning the networks of Democratic presidential campaigns, searching for vulnerabilities and openings to inject malicious code. For weeks at a time, they’re hitting campaign officials with phishing emails not unlike those that Russian hackers used to infiltrate the Democratic National Committee in 2016.
The campaigns not only know about it — they’ve invited it, part of a sweeping effort by U.S. national security agencies to help campaigns of both parties protect themselves against cyberattacks, intelligence operations and physical threats ahead of the 2020 election. Those efforts come even while President Donald Trump, fighting for another term, continues to downplay the risk posed by foreign interference in U.S. elections.
As campaigns work to safeguard their websites, databases and email systems, the federal government has been providing defensive briefings to all the Democratic campaigns that will take them, U.S. and campaign officials tell NBC News.
The effort has involved the FBI, the Homeland Security Department and the Office of the Director of National Intelligence, which oversees all the U.S. spy agencies.
With the presidential candidates’ headquarters scattered across the country, local FBI field offices have made contact with the campaigns and the big political committees, providing counterintelligence briefings to those who want them.
In some cases, campaign officials said, the FBI has informed them of specific attempts already under way by foreign governments to hack their campaigns and advised them about ways to respond. One major new concern raised with campaigns and party officials has been increasingly sophisticated “deep-fake” technologies, including the possibility of voice manipulation.
In cautioning campaigns about the most significant threats, the FBI has focused on Russia, but has also mentioned China and Iran, campaign officials said. Asked what tops its concern list for presidential campaigns, the FBI said that “the threat from nation-state actors remains a persistent concern” that the bureau is “working aggressively” to uncover and stop.
Homeland Security, through its Cybersecurity and Infrastructure Security Agency, has been notifying campaigns about its cyber incident response teams that can be immediately deployed to help them in a crisis. A few campaigns have even invited the agency’s “protective security advisers” to come to their headquarters and offices to perform physical security assessments, DHS officials said.
All of the services are free. They complement an array of cybersecurity services and advice being offered by the DNC and by DigiDems, a Democratic group formed ahead of the 2018 election that lends experts to campaigns for short periods to help get their systems up and running.
But while the Democratic campaigns have broadly accepted DNC help, the track record of collaborating with the Trump administration has been more mixed.
Some campaigns, such as those for former Vice President Joe Biden and former Rep. John Delaney, confirmed they’d been briefed by the government. Others, like former Rep. Beto O’Rourke's campaign, said they’d had minimal to no contact so far with U.S. cybersecurity officials.
A few campaigns, including South Bend, Indiana, Mayor Pete Buttigieg’s, emphasized that they have a full-time cybersecurity expert on staff. Still other campaigns, like Sen. Cory Booker’s, D-N.J., declined to comment on any interaction with U.S. security agencies.
Homeland Security and the FBI wouldn’t say exactly how many campaigns have accepted briefings or other help. But Matt Masterson, a senior adviser on election security at Homeland Security, said the department has reached out to all the campaigns to establish points of contact ahead of time, so that campaigns aren’t left scrambling to find help if they do suffer a breach.
“We’ve had good engagement from both sides of the aisle, including the Republican National Committee and the Trump campaign,” Masterson said in an interview. “We’ve done outreach to them and had absolutely positive responses.”
But Andrew Binns, the chief technology officer of the 2020 Democratic National Convention and founder of cybersecurity firm Castle Point Technologies, noted that these agencies face an important obstacle: most campaign staff, even senior ones, lack security clearances.
“There should be a way for major campaigns and committees to apply and get security clearances so that they can be a part of this conversation,” he said. “Right now, the FBI and cyber security folks on their side have information that might be useful but they can’t necessarily share it. Even if they got to the point where they wanted to.”
Concerns about continued help
Democratic campaign officials who have interacted with the government experts universally praised their professionalism. Yet privately, some campaign officials have expressed concerns that Trump — if fully aware of the federal government’s efforts — might withhold cybersecurity assistance to his Democratic rivals for political reasons.
It’s unclear whether the president is aware of the extent of the federal cybersecurity assistance available to campaigns of both parties. A White House spokesman didn’t respond when NBC News asked whether Trump supports the efforts.
“These days, you can imagine quite a lot. Sure, we can imagine that the government might find ways to not step up when they need to,” said Bob Lord, chief security officer for the DNC. “But from my experience, the career people at the government have been really fantastic. These people have the greater democratic process in mind.”
Trump has waffled since taking office on whether he believes Russia meddled in the 2016 election and has continued to refer to the “Russian hoax.” He’s repeatedly downplayed the severity of the threat, even cracking a joke about it during a June meeting with Russian President Vladimir Putin. In June, Trump drew fresh outrage when asked whether he’d accept foreign help in his re-election and replied, “I think I’d take it.”
That concern has been heightened in recent days amid revelations that a U.S. intelligence official lodged a whistleblower complaint about a presidential phone call. The Washington Post, citing two people familiar with the matter, reported the communication involved Ukraine and a “promise” Trump made to a foreign leader.
The revelations come as Democrats in the House are already scrutinizing whether Trump’s personal lawyer, Rudy Giuliani, tried to persuade Ukraine to help Trump’s re-election campaign by investigating former Vice President Joe Biden and his son Hunter Biden’s business with a Ukrainian gas company.
In the 2016 election, U.S. intelligence assessments and detailed indictments from former special counsel Robert Mueller found, Russia mounted a multi-faceted campaign to influence the U.S. presidential election, including social media manipulation and cyberattacks on the DNC, aides to Hillary Clinton and others. Thousands of stolen emails were then published.
The federal government’s work to help political campaigns protect themselves is separate from other efforts spanning multiple U.S. agencies to protect elections infrastructure, such as voter registration systems, voting machines, and state and local government networks. National security officials have said they expect foreign adversaries to target those systems in 2020 in addition to attacking individual campaigns.
Many of the campaigns that spoke to NBC News said they were working most closely on cybersecurity with the DNC. The official campaign committee of the Democratic Party, the DNC has a keen interest in preventing the types of attacks that plagued the committee in the last election.
The DNC’s program centers on a two-page checklist it says campaigns should follow to make their systems far less vulnerable to intrusion, such as encrypting hard drives, using lengthy passwords and regularly installing software updates to patch known security holes.
The checklist also encourages campaign staffers to use password managers that securely store passwords and to enable two-factor authentication on all accounts, including email, file sharing and social media. The DNC says campaign staffers should follow the checklist not only for their work accounts, computers and devices, but also their personal ones.
“Given enough motivation, money, time and resources, a well-trained adversary can accomplish a lot against you. The goal isn’t to be perfect 100 percent of the time,” said Lord, who was head of information security for Yahoo before joining the DNC. “But there are actually things you can do to make it a lot harder and more expensive for adversaries to do their work.”
Binns said the interactions between campaigns and federal law enforcement will continue to evolve.
“This is new for the FBI, too — the FBI has never had to do this,” he said. “The more that a campaign engages, saying, ‘What can we do? Are you seeing anything?’ the more that they start to have that process.”