In the last few years bots, trolls and hackers have become a new and unfortunate part of our politics here in the U.S., as new reports prepared for the Senate intelligence committee showed this week.
Those reports looked at the 2016 election, and found that Russia’s Internet Research Agency made extensive use of social media, including Facebook, YouTube and Instagram, to push right-wing conspiracy theories and engender distrust in the electorate among the left, ultimately recruiting people to take concrete political actions in real life.
While these reports address the broader social media campaigns of the Russians, it is important to remember that the Russians also directly hacked both the Democratic National Committee and the Democratic Congressional Campaign Committee (which oversees House campaigns) in 2016. Materials stolen from both committees were then used by Republicans in their campaigns against Democratic candidates.
Determined to never let these kinds of influence campaigns succeed again, DCCC Chairman Rep. Ben Ray Luján, D-N.M., established a program designed to fight the malicious activity — which is poisoning our discourse and weakening our democracy — during the 2018 election cycle.
The two of us led that team over the past two years, and now that the midterms are over, we offer some observations from the front lines of this new political battlefield.
We regularly found accounts on the major social media platforms that were in violation of the rules set by Twitter, Facebook and YouTube; nothing we found was on the scale of the Russian’s extensive efforts in 2016, but the activity wasn’t insignificant either. So, as part of the DCCC’s efforts, we deployed unprecedented defensive tools to help us identify malicious activity on social media, using a customized bot-detection tool to diagnose robotic, inauthentic activity and a commercial off-the-shelf social listening platform that allowed us to better see what was happening in near real-time on the major social media platforms.
When we found malicious activity, our internal team went through a rigorous review process to make sure it was in violation of the social media platform’s terms of service, rather than just something we didn’t like. Offensive accounts and activity were then reported to the platforms both through their public systems and through teams specifically assigned to the U.S. elections. While not everything reported was addressed, a great deal of it was.
We also found, as is common among cybersecurity researchers, that the easiest way to secure against cyber intrusions is to arm every user to recognize the tactics common among hackers. And, as in 2016 (and at every organization in the world), we did see phishing and spear-phishing efforts directed at the party and at individual candidates, from various sources we did not or could not identify.
We don’t believe the DCCC had a large breach like we did in 2016, but can’t be certain. But, when campaigns encountered problems, we worked quickly to mitigate the damage and reported these intrusions to the FBI. And, working with outside partners, we were successful in helping staff internally and at campaigns embrace new behaviors and tools that were effective, affordable and simple — like two factor authentication, encrypted messaging and better data protections. Much of the DCCC’s strategy work was inspired by the highly regarded cybersecurity framework developed by the U.S. government’s National Institutes of Standards and Technology (NIST) — a set of smart protocols which should become far more familiar to those of us in politics.
This big new emphasis on digital is being driven by how Americans’ own media usage is changing; it will be any day now that more Americans get their news from digital sources than television, something which is already true for those under 50 in the U.S. Which is why, as the intelligence committee reports show, the Russians in 2016 leaned so heavily on targeted ads to access voters on various social platforms, where news and ads (or sponsored posts) can feel (and often are) indistinguishable. Learning how to win in this new digital-first landscape will be increasingly important for those in politics here and around the world.
The first step in winning in this new information landscape is be far louder on the internet and on social media. The DCCC had the most ambitious digital advertising and organic communications effort in its history, and encouraged its candidates to not cede this space to either the Republicans or malicious actors. In politics the best defense remains a very good offense.
The DCCC also made an unprecedented public pledge to combat these new malicious tactics by committing to never use hacked materials in the election, as was done against us in 2016. We think future pledges like this one should include promises not to hack, use hacked materials or use fake accounts, bots, troll farms or “deep fakes.” Whether the parties themselves can agree to a common approach remains to be seen — it didn’t work this time — but the DNC and sister committees should lead by example and get every Democratic presidential campaign to sign on to some set of practices similar to the pledge released by the DCCC in 2018.
Everyone in US politics, regardless of party, should follow our lead and commit to not use the tools the Russians used — and continue to use — against us and other democracies in our own work. But we also need to commit ourselves to higher cybersecurity standards in general, and to being more cognizant users of email and the internet.
Based on our time working with cybersecurity at the DCCC, we strongly recommend that Congress also dramatically upgrade the way it handles the cybersecurity of senators, House members and their staff by mandating cybersecurity and counterintelligence training.
Toolsets for identifying inauthentic social media — like what we had at the DCCC — should become commonly used throughout American politics, from campaigns to advocacy organizations to official Senate and House offices. Users of these tools should be disciplined about their submissions to the platforms so as not to overwhelm systems which are not yet fully mature, and they should rely, as we did, on the many incredibly able researchers and think tanks who are making their findings public. We learned a great deal from them throughout this process.
While the social media platforms did make things far harder for malicious actors over the past year, far more must be done — and Congress should pass some of the many smart, already introduced bipartisan bills which address these matters without delay.
It is also our belief that the best way for the government to help support to our nation’s elected officials in their official, political and private roles is for the Department of Homeland Security to partner with the major federal party committees to share information, best practices and emerging threats through a similar arrangement to the ones it has with the financial services and energy industries, among others, though it may require legislation.
But the most important lesson we learned in the last two years is that the U.S. and its politics are not powerless to stop the kind of foreign hacking and disinformation tactics we saw in 2016. Far more can be done to protect our democracy and our discourse — and doing so should be a very high priority for the new Congress in 2019.