Writing the cyber security playbook for democracy

How an unlikely pair of former presidential campaign managers are working together to protect our elections.

Harvard Kennedy School
Harvard Kennedy School PolicyCast
May 23, 2018

While worries over cyber attacks on American elections go almost as far back as the internet itself, it wasn’t until 2016 that it became clear just how much power determined hackers could wield by gaining access to just a single email account.

But now that the value of cyber security has been proven, have political campaigns and election officials taken the necessary steps to protect themselves?

In this episode we’re joined by former Clinton 2016 campaign manager Robby Mook, who has been co-directing the Defending Digital Democracy Project (D3P) with Romney 2012 campaign manager Matt Rhoades and Belfer Center Co-Director Eric Rosenbach. Mook describes the differing challenges campaigns and election officials face, and how they can all take advantage of the “playbooks” D3P has published and continues to update.

Each week on PolicyCast, Host Matt Cadwallader (@mattcad) explores the ways individuals make democracy work by speaking with the world’s leading experts in public policy, media, and international affairs about their experiences confronting our most pressing public problems.

Transcript

Note: This transcript was automatically generated and only lightly edited.

Matt: After the Clinton campaign, you came here to the Kennedy School and partnered with your 2012 counterpart from Mitt Romney’s campaign, Matt Rhoades, to create the Defending Digital Democracy project. Can you tell us how you came to this project?

Robby Mook: Yeah. In addition to Matt, there was actually one other person now at the Kennedy School, Eric Rosenbach who is really essential to getting us organized.

So I was really concerned after the election about this issue of cyber security in campaigns, because, first of all, it was a problem for us on our campaign clearly, and there was nothing out there resource wise for campaigns to do a better job trying to secure themselves in the future.

And for election officials as I started talking to people I knew more, I was realizing there wasn’t really anything for them either. They read about the intrusions into their systems in the media, they didn’t get a call from the feds or anything like that.

Matt: You’re talking about people on the ground in the states-

Robby Mook: Yeah these are actual Secretaries of State election and election administrators, they didn’t know. We were warned … it was the DNC that was hacked, not our campaign, but I know that the DNC had been warned in a pretty weak manner I guess I’d call it.

So I wanted to figure out what can we do to create resources and hopefully get some pressure on policymakers to do more to fortify the system. And at the same time that I was kind of stewing over this, it was starting to heat up in the news, and it became very, very partisan. And so your approach on this issue whether you even thought it was an issue to begin with was often formed by one party or a member of which I thought was really unfortunate as well, and very counterproductive.

At the same time, I serendipitously met up with Matt Rhoades who ran as you said Mitt Romney’s campaign, we’re part of a very exclusive club of people who didn’t win [crosstalk 00:03:27] and he’s a really nice guy, and we were just talking one day and I mentioned to him how concerned I was about this issue, and he, I had no idea about this, he said, “well you know, we got hacked too by the Chinese.” I had no idea it had created enormous frustration and expense for them. I said “well if I can figure out a way for us to do something on this, would you be willing to be part of it?” And he said “absolutely.”

And at the same time I got linked up with Eric Rosenbach who is now the co-director of the Belfer Center with Ash Carter, they were on their way to taking over from Graham. He said “let’s do something.”

It was absolutely [inaudible 00:04:06] to make it bipartisan, let’s figure out a way to provide some practical tools and that’s how it started. It really just came together very randomly.

Matt: So you obviously as you said, the DNC was hacked. When you look back at the Hillary campaign itself, do you feel like you could have done better in keeping things secure?

Robby Mook: Yeah, 100%. I mean, first and foremost, we could have done more to lean on the DNC on their security. We didn’t run it, we weren’t in charge of it, and sometimes to our frustration, they wouldn’t take our advice but, yeah, we probably could have been a better partner in suggesting that they take steps.

We were lucky because I did hire a security person at the very beginning of the campaign, he did a really good job of setting up all the campaign infrastructure really well. And again, to our knowledge, nobody ever breached it.

People’s personal emails were breached, about 10 people. We had suggested early on in the campaign that people set up that second factor authentication to better protect their emails, it was all there on paper. But the one thing I’ve learned in this project is, culture is the most important thing in cybersecurity, just getting people’s heads in the game and thinking about it just the way we think about the physical security office and other things.

So we could have done a better job I think infusing the culture of protecting your personal assets not just stating it in a policy, but really talking about it more regularly. We certainly got to the point once we had been told that something had happened at the DNC of repeating that, I think people really took steps after that ’cause they were scared.

Matt: Do you think because of the elevation of this issue in 2016 and up till today, do you think people are more conscious of it on campaigns? I mean, you’ve been now working with campaigns and talking to people on campaigns, do you think that people … It’s getting better?

Robby Mook: It’s definitely getting better and I do believe people are much more conscious than they used to be. I think where our project is trying to make a difference is at the point that you’re conscious and you know you need to do something, what do you do?

And the fact of the matter is, campaign people are not good at cybersecurity by nature. And so, what we tried to do was to boil down really simple, very inexpensive steps that people can take that can literally make a world of difference.

For example, if all the steps we recommend, even the sort of top five steps that we recommend had been in place in 2016, the breaches there wouldn’t have happened. Now maybe the adversary would have found a more sophisticated way and we’re obviously dealing with nation states, but as you started out, more could have been done.

I’ve been advocating that, if you look at the late ’60s, there was a point we reached in the country where we realized campaigns were not in a good position to provide physical security for candidates. We saw the assassination of Robert Kennedy, obviously the assassination of Martin Luther King had taken place, he wasn’t running for office but, we knew that we needed to do more.

I would argue we’ve reached that point with cyber in campaigns. I believe that we should eventually get to a place where trained experts from the federal government are providing cyber security for these presidential campaigns, even I would argue some Senate and House campaigns. The way for example, there’s a certain threshold you get Secret Service protection physically.

Matt: We know what happened in 2016, but you mention Matt Rhoades experience in 2012 getting hacked by the Chinese. Can you tell us a little bit about what happened there?

Robby Mook: Yeah and it actually goes farther back. So both the McCain and Obama campaigns were breached by the Chinese in 2008. Romney’s campaign was breached by the Chinese, I’ve never gotten a detailed briefing on what happened with the Obama campaign, my understanding was the Chinese certainly tried whether they got in or not, I’m not certain, and obviously this is the same time we’re learning about OPM and everything else.

What we knew going into our campaign was that all this had taken place, we were anticipating espionage, which is what the Chinese were doing on those campaigns. We were not anticipating that the information would be stolen for the purpose of intervening in the campaign, changing the messaging, distracting the media and all those things that ended up happening.

In fact, I remember a discussion we had had early on about … Every time you make different security choices, you’re burdening the organization, you’re potentially dampening efficiency and so on, and I remember a discussion we had about, well we could do X and we could do Y, but, boy, that’s really going to make things complicated.

At the end of the day, if a bunch of spies get information for our campaign, I guess they’ll have more insight on what the administration might do, but that’s kind of our problem. And again, we apparently had enough in place so that didn’t happen to our knowledge. But, if I’d walked in here three years ago and said the Russians are going to break into the campaigns through hacking into people’s emails and release that, people would have said wow, that’s probably not something a campaign really needs to spend a lot of time on.

The threat changes, and it’s an important lesson for us because the threat will change again. So we’re trying to respond to what happened in ’16, the question is what’s going to happen next. I actually think the challenge will get even more complicated as it’s less about breaking in and stealing things although that’s … We’re already seeing that’s still happening in 2018. I think it’s going to be more about manipulating the information environment, creating fake information and disseminating it through social media and YouTube and so on.

The past is an important lesson in that, the past didn’t help us predict what happened in ’16, I don’t think it’s going to help us predict what happens in ‘20.

Matt: It kind of reminds me about how before 9/11, we assumed that hijackings were always just to get some kind of concession from the owner of the plane or the country or whatever. Nobody anticipated weaponizing the plane itself [crosstalk 00:10:16].

So let’s talk a little bit about the actual recommendations. You put together a report, you’ve actually put together a couple of reports now.

The first one was a cyber security campaign playbook. Can you tell us a little bit about that?

Robby Mook: Yeah, our goal was, if you’re a candidate or probably more realistically, a campaign manager or operations director on a campaign, we wanted a resource where you could download it from our website and implement it. You don’t have to know anything about cybersecurity, maybe you need to know what the word kind of means, but nothing in there is so technical that you need to go get some sort of accreditation to implement it.

We wanted it available to everybody, both parties, and so it’s there online. There’s a top five recommendations that we’ve been really pushing, and we’re actually about to re-release it and we’ve tweaked those top five recommendations and included new content based on threats we’re seeing now. So our hope is that this is a resource that can keep getting updated over time.

Matt: When you have talked to campaigns about the playbook, what kind of feedback have [crosstalk 00:11:22] you been getting?

Robby Mook: Well it’s hard. We’re doing two things this month to try to get people looking at the resource more basically. We’re doing a conference call actually with Paul Begala and Karl Rove and then the former director-

Matt: What a pairing-

Robby Mook: Yeah exactly. So they’re going to be introducing the former director of information assurance of security at the NSA actually. She’s going to be walking people through some of the steps.

We’re also physically mailing this to everybody who registered their campaign with the Federal Election Commission. We’re just trying to get it right in front of people.

I am incredibly sympathetic to the campaign manager who says, I got so much going on, I don’t have time for this. However, we forget, it wasn’t just Hillary Clinton’s campaign, it wasn’t just the DNC rather, it was the Democratic Congressional Campaign Committee that faced challenges.

And I would argue that some House campaigns paid the steepest price. We saw that the research books the candidates did about themselves to vet themselves, those were stolen and handed to local reporters. These were US House races, so any US House race today that’s saying, oh this is not a problem for me, they’re wrong.

But I’m sympathetic that it’s really overwhelming, and so we’re hoping that if they can just get to the first few pages of the playbook that have those top five steps, if they do those five things, they’re in pretty good shape. There’s a ton more in there.

But to answer your question specifically, we have so much work to do, there’s just not enough awareness, there’s not enough concern, there’s not enough happening. But I don’t blame people for that, that’s what our project is here to help to do, is to try to get in front of people, make it as easy as possible.

Matt: Do you think that there’s any campaign that’s too small for this? I mean, you mentioned House races, does a local state candidate need to worry about it?

Robby Mook: You know, I think everybody needs to worry a little bit, and I would actually pull this out bigger and just say every American needs to worry about this a little bit. If you can take simple steps to better secure your email, your social media, your bank account, you should just do those things.

Here’s the other way of looking at it, particularly here at the Kennedy School, a lot of these folks are going to run for office some day. So the security of their information today matters too. Someone can steal today and then use it against them in 10, 15 years or two years.

Matt: [crosstalk 00:13:48] our IT people are very cognizant [crosstalk 00:13:50] attacks.

Robby Mook: Yeah, yeah. Well there’s been a lot of problems here, ’cause you’ve got a lot of very prominent professors and thought leaders and so on. I would just argue everybody needs to take the simple steps.

One of our top five recommendations for example is that second factor which is now required here at Harvard [crosstalk 00:14:05] can we do. So you enter a password which hopefully is really long and strong, and then you use that second factor. If someone steals your password, they still don’t have that second factor, they can’t get in.

All of the intrusions in 2016 could have been prevented, if that had existed, in the databases, in the servers … Credentials to get into the servers of the DNC and the national committees, and then also to the private accounts in our campaign.

So, I would just say every American should do that. And then yeah, if you’re running for city council or state rep, you should do it too.

Matt Rhoades, my Republican colleague has a really good little riff he does on this where, he could always see Barack Obama coming. He worked for George W. Bush in the ’90s, he could see him coming. Someone could see you coming as a rising star in the party, and they could go get you when you’re a member of Congress or a state rep, right? There’s no reason you should leave yourself vulnerable.

Matt: We’ve talked a lot about campaigns now, but the second big report that you put together, or I guess, the second playbook as it were, was about state and local election cyber security. This is for the folks you mentioned earlier, the people who are actually running elections. Is it a very different challenge from the ones that campaigns face?

Robby Mook: It’s completely different. First of all, I should say, this half of the project was really driven by students. It was an incredible amount of work because every state runs its … Elections are locally controlled. In some states, they’re centrally controlled by the state, in some states they’re controlled by localities.

You literally have … I think the count is around 7,000 different jurisdictions around elections, so it’s a lot. And each one of them buys different machinery, they have different laws, different systems, different protocols. So we had to design a product that spoke to all of those different systems.

It was really hard, and the students had to go out into the states and sit with the officials and really learn. And so the credit really goes to them. It’s incredible what they did. Caitlin Conley was the executive director of this project. She just graduated, will be graduating very shortly.

Then it’s really important to understand, most people don’t know this, the election system isn’t just machines. A lot of the talk and rhetoric around election security goes right to machines or ballots. It’s an entire spectrum of data and machinery.

So there’s voter registration, sometimes that happens online, that’s a big vulnerability. There’s the database that stores the voter registration or keeps it updated. Sometimes that syncs with other data sources within the state government. Okay now, that’s another vulnerability.

Then you have the poll books. So when you walk in to vote, the list that they check to make sure you’re registered as a voter, that’s a separate product. In most states, that’s an electronic poll book, that’s an electronic machine. So there’s another vector of attack.

Then, yes, you have the machines. By the way, the majority I believe at this point have a paper backup, and in fact, it might even be closer to two thirds. Sometimes people think that nobody has that, it’s actually most at this point.

But then once the data … Once the votes are cast so to speak, that data has to move into another system that then reports it out to voters. Sometimes that’s one step, sometimes that’s two steps. Sometimes that step’s completed by a human being pulling physically a device out of a machine and sticking that into another device that uploads it to a reporting system.

And when I get asked about what I think is most vulnerable, sure any part of this is vulnerable, the machines are. I worry most about that voter registration and that election day reporting. That’s the easiest way to just mess with us right, you could just screw up some of the results. Not to elect one candidate and defeat another, but just to create doubt in that result right.

You could for example, if you can break into the voter registration database, you could deregister every woman in a precinct, or every … The Voting Rights Act requires some states to track racial data right. You could deregister every white person or every African-American in a district.

Think about the havoc that that would create, and rightfully so. So we really tried to look at the entire spectrum of the system, and give people best practices across all channels to better fortify it.

Matt: It seems like in the campaign playbook you were all about trying to simplify to the [crosstalk 00:18:51] to the five top steps. What you’re describing now, is an incredibly complicated thing. Have you been able to simplify that end of things in a way that it’s approachable for somebody in each of the 7000 precincts or?

Robby Mook: Yeah well precincts, counties, states, whatever. Yeah, it’s a great question. So this is where the state project is different. Most states, in fact all I would say, have a Chief Information Officer or a Chief Information Security Officer, so they have trained professionals working on this.

Sometimes I think the value that our product served, was to give them a tool to advocate for more resources. So it’s not that they don’t know these things, they’re trained. They know more about it than I do, or any of the students who worked on this. But sometimes they’re not getting the funding and attention they need from the state legislature or the executive office.

And then, for the secretaries of state, I think that … They’re not technical most of the time, or the Election Administrator kind of the Chief Election Official. They’re not a cyber expert, they’re an election expert. This tool gives them a checklist to hold their staff accountable, to pull them in and say, hey they’re telling us to do these 10 things, can you tell me whether we’re doing those and explain why not or explain … Tell me how this is working here.

So hopefully we’ve just really empowered people who already know a lot more than we do. And look, that’s where the Kennedy School and Harvard brand can just sometimes help, right. It just gives something some heft.

The other thing we did though, getting to your question, is a third product which was an Incident Response Communications playbook. So this was a product where if there is a cyber incident, and there just will be, it’s just going to happen, how do you talk to the public, right. How do you engage with the media on what happened, what you’re doing about it, and there’s really good best practices actually coming out of the financial sector and the health care sector, they’re dealing with this all the time.

And, there’s a right way to do this, and a not so good way to do this. And we wanted to help election officials kind of speed up and really get some of those best practices right away.

So to your question about simplifying, we were pretty technical in the playbook, but the communications guide is there to help them talk to the public about it, and help the public wrap their head around some pretty complicated information.

So I hope between those two products, they’ll both be empowered to lead on this issue, but then also deal with it when something does go wrong.

Matt: So, just recently, you hosted kind of a dual conference. First you had officials from 38 states to kind of talk about the various ways that they could potentially be hacked, and try and find ways to respond, and then you had a hackathon to find new technology solutions to some of these problems that we’re facing. Can you talk a little bit about that?

Robby Mook: Yeah. So, as we’ve touched on earlier, there’s two distinct issues but we often blend them together in our head. So there’s cyber security, which is how do you keep people from breaking into your stuff. And then there’s a separate issue of information operations, and that’s where people are pushing information out there for nefarious purposes right. And we saw both in the presidential election. When you’re buying an ad on Facebook or posting content on Facebook that’s misleading or for the purpose of getting people to fight with each other, that’s not actually cyber security. That’s just information operations.

And particularly for the Russians, this is part of what they do. The same way you have diplomacy and military and your intelligence service, they do information operations and they try to create headwinds for their adversaries by creating internal discord and they obviously were successful in the last election, and they’re continuing to do it today.

So we wanted … So on the latter part of this conference, we wanted to … We challenged students to come with ideas. What do we do about this? Because I cannot tell you, I’ve been in so many discussions, I was actually just in another one this morning. We don’t have good answers on this right now. It’s really hard because, in a free society it’s hard to regulate information. It’s designed that way.

So we had some really fascinating ideas coming from the students, technological solutions and policy solutions. This was something that was really important to me because, I think it’s both … Our government both needs to think about what policies do we put in place, but then we also need to develop technologies that help us manage it better.

The first part of it as you mentioned, was, we invited all 50 states, and actually some territories as well. We said everybody can come and we’re going to train you on how to run a tabletop exercise in your state to simulate a cyber incident. Because, one of the best practices we learned is, it’s not just having information, you have to practice with your team.

And certainly my experience on the campaign was, if I’d had to spend a few hours in a morning with an expert and my senior team running us through, okay guys you’ve been attacked, what do you do? If we’d just gone through that thought exercise, we would have been a lot better, right.

So we wanted to not just put the states through an exercise, so we did that with them, they had to go through it, but then we taught them how to set up an exercise like this for their own teams in their state. We wanted to build capacity because we can’t as a project, we can’t go to all 50 states or all 56, 57 territories you know.

We could do this. And now most … A lot of the states that came are doing their own tabletop exercises, which is really [crosstalk 00:24:39]

Matt: Dungeons and Dragons for Secretary of State.

Robby Mook: Wow, that is a great analogy and you know what, you are totally right, because it’s like very geeky like, yeah. It’s its own special kind of nerdy community, and I love them.

And people should know by the way, I think these election officials get kicked around in the media, they’re really good people. I mean they really care and they … I think sometimes we think it’s like a bunch of partisan hacks, these are career people who are running these elections.

And I will say as a Democrat, some of the best Secretaries of State we’ve worked with have been Republicans. We’ve worked with some amazing Democrats too but, I think on the Democratic side, we tend to stereotype Republicans as kind of undermining elections, and some of them do. But most of them are really fantastic, and I think for both parties this is why it’s so important our project is bipartisan. I think the more we lift up and celebrate where both parties are doing things right, the better we’re going to be.

Because if we’re in our partisan camps when one of these incidents happens, it’s going to make it a lot worse. And the system and the integrity of the elections has to come first before our party, it just has to.

Matt: The hackathon… can you tell us about that?

Robby Mook: You know, the most interesting idea that came out of this honestly? They didn’t directly relate to … Well didn’t really [inaudible 00:26:02] as we may have wanted information operations was this idea around essentially creating a worldwide scheme where everybody is paying into … It’s kind of like a bond system where everybody’s paying in and if there’s an incident, you’re kind of insured against the damage on it. But if an incident is promulgated by someone within your borders, you’re financially punished for it. It’s really interesting. I don’t know if it can happen, but it made me really-

Matt: Specifically regarding some kind of cyber intrusion?

Robby Mook: Cyber, exactly. And so, it kind of … This is too extreme an example but it’s almost like nuclear deterrence, where it’s kind of like well, if you do it, you’re going to pay a big price. And if I do it, I know I’m going to pay-

Matt: It’s kind of like the WTO for cyber…

Robby Mook: Kind of, that’s right. And I’d never heard that before. I mean, I’m the least savvy person in that room, we had judges from the military, Homeland Security. I think we had people from Google and Facebook and I’m leaving some people out but, really leading technical experts, and even they said I’ve never heard this before.

I don’t know that that can solve our political problems or information operations problems, but we’re here at the Kennedy School, that’s exactly the kind of stuff that should be coming out of this place. These really new ideas that can be taken and kind of worked with and so, I was really proud of that, I was really impressed. And I probably completely butchered the idea too, because it was really complicated, but it [inaudible 00:27:41] it was a business school student actually.
