The release of hacked emails helped derail Hillary Clinton’s 2016 presidential bid. But most 2020 Democratic presidential primary candidates have not taken a basic step in securing their email systems, according to a new analysis conducted in mid-March by the security advocacy group Global Cyber Alliance.
Only four of the then-14 Democratic candidates’ websites were using any form of a security protocol that helps ensure emails sent from campaign addresses are genuinely from the campaign when Global Cyber Alliance first ran the analysis last week.
The protocol – Domain-based Message Authentication, Reporting and Conformance (DMARC) – verifies that emails are from the websites they claim to be from. Records of whether a website owner is using the protocol are publicly available.
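A domain's DMARC policy is published as a DNS TXT record at `_dmarc.<domain>`, which is why anyone can check it. The Python below is an added example, not code from Global Cyber Alliance or CNN: it classifies TXT strings that have already been retrieved, and the domains, records and category names in it are constructed for illustration.

```python
# Added example: classify DMARC posture from the TXT strings at _dmarc.<domain>.
# All domains and records below are constructed samples, not survey data.
VALID_POLICIES = {"none", "quarantine", "reject"}

def is_dmarc(txt):
    return txt.replace(" ", "").startswith("v=DMARC1")

def parse_dmarc(txt):
    """Parse one DMARC TXT string into a tag dict; None if unusable."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag-value pair
        tags.setdefault(name.strip().lower(), value.strip())
    if tags.get("p", "").lower() not in VALID_POLICIES:
        # RFC 7489 6.6.3: with a report address, receivers act as if p=none
        if not tags.get("rua"):
            return None
        tags["p"] = "none"
    return tags

def classify(txt_records):
    """Return missing, invalid, monitor-only, partial or enforcing."""
    candidates = [r for r in txt_records if is_dmarc(r)]
    if not candidates:
        return "missing"
    if len(candidates) > 1:
        return "invalid"  # several DMARC records: receivers apply none of them
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor-only"  # reports only, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # assumption: bad pct -> default
    return "enforcing" if pct >= 100 else "partial"

SAMPLES = {  # constructed records, keyed by constructed domain
    "no-record.example": ["v=spf1 include:_spf.example.net ~all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "ramping.example": ["v=DMARC1; p=quarantine; pct=25;"],
    "strict.example": ["v=DMARC1; p=reject; rua=mailto:reports@strict.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def survey(samples=SAMPLES):
    return {domain: classify(records) for domain, records in samples.items()}

print(survey())
```

A record with `p=none` counts as having the protocol in place, but it only requests reports; receivers are asked to quarantine or reject unauthenticated mail only under `p=quarantine` or `p=reject`.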
According to the analysis, only the campaigns of Sen. Elizabeth Warren of Massachusetts, Sen. Kirsten Gillibrand of New York, former Colorado Gov. John Hickenlooper and spiritual author Marianne Williamson had any form of the security feature implemented.
The campaigns of Sen. Cory Booker of New Jersey, Rep. John Delaney of Maryland and Rep. Tulsi Gabbard of Hawaii implemented some form of the security feature soon after CNN asked them about it.
The Democratic National Committee is set to hold an online seminar for campaigns on Wednesday showing staffers how to implement DMARC, a Democratic Party official told CNN after this story published. The seminar on DMARC is part of a series of workshops the DNC is offering to all campaigns. The official said that the DMARC workshop had been scheduled for a later date but was moved forward to Wednesday.
The remaining campaigns that had not implemented the protocol did not provide CNN comment on the record. The campaigns are those of former Housing and Urban Development Secretary Julian Castro, Sen. Kamala Harris of California, Washington Gov. Jay Inslee, Sen. Amy Klobuchar of Minnesota, Sen. Bernie Sanders of Vermont and businessman Andrew Yang. South Bend Mayor Pete Buttigieg, who has announced an exploratory committee, also did not have the security feature implemented and did not return a request for comment.
In 2017, the Department of Homeland Security directed all federal agencies to implement the protocol.
“There’s lots of things you can do to help protect email,” Phil Reitinger, president and CEO of Global Cyber Alliance, told CNN. “Use of DMARC is really table stakes for whether you’re serious about email security.”
In July 2017, Democratic Sen. Ron Wyden of Oregon asked DHS to make DMARC a priority and outlined why it is important.
“Industry-standard technologies exist, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies,” he wrote.
Hackers often use a technique called “spoofing,” a form of impersonation in which they make it look like emails have come from a trusted website domain in order to get victims to click on malicious links. By spoofing a campaign’s domain, hackers could target candidates’ supporters or campaign staff.
CNN reached out to all the campaigns whose websites were surveyed.
“Cory 2020 employs a number of protocols to ensure our email and technology are secure. To help maintain security, we don’t comment on specific processes,” Sabrina Singh, national press secretary for Booker’s campaign, said in a statement.
“Our campaign takes cybersecurity seriously. We’re working with an outside firm to implement DMARC anti-phishing and anti-spoofing procedures,” Will McDonald, Delaney’s communications director, told CNN.
Beto O’Rourke entered the race after Global Cyber Alliance’s March 11 analysis, but when his campaign launched last Thursday, it was not using the protocol.
The O’Rourke campaign’s Rob Friedlander told CNN that “we don’t discuss our security policies.”
The Democratic National Committee hired former Silicon Valley executives to improve the party’s cybersecurity after it was hacked along with the Clinton campaign and the Democratic Congressional Campaign Committee in 2016. Bob Lord, the DNC’s chief security officer, who previously worked at Yahoo and Twitter, warned in an interview with CNN last month that campaigns needed to take cybersecurity seriously.
“Each campaign has to prioritize their efforts based on their individual situation, covering issues from laptop and phone security to email security, file security and more,” Lord told CNN this week. “The DNC will continue to serve as a resource to help campaigns create a security program that works to manage risk and fits their needs.”