NOEL KING, HOST:
During the 2016 campaign, Hillary Clinton's campaign emails were hacked. So in 2020, campaigns are on the defense to prevent that kind of thing from happening again. Here's NPR technology correspondent Shannon Bond.
SHANNON BOND, BYLINE: During Senator Angus King's reelection campaign in 2018, the suspicious emails were coming from inside the building.
LISA KAPLAN: We would send out these fake phishing emails and see who would click on them.
BOND: Lisa Kaplan was digital director for the Maine senator. The emails she sent looked real, but they were not.
KAPLAN: We would leave all of these little clues so that people should have picked up that it was not a real email. And we would try to get them to do things, like change their password for their email or change their password for the database we were using.
BOND: It was a strategy to keep staff on their toes so they wouldn't fall for emails from real hackers intent on damaging the campaign. That's the kind of paranoia that election campaigns need these days. Many of them are already in full swing, from the Democratic presidential primaries to congressional races to local contests for mayor and city council. Security experts and political veterans say they are vulnerable. Communication, which is the lifeblood of any political campaign, can also be the thing that sinks it if messages get hacked or manipulated. Email and social media accounts can be taken over, sensitive or embarrassing documents leaked. The campaign trail in particular presents unique challenges to digital security. Mark Risher works on account security at Google.
MARK RISHER: Campaigns are effectively startups, but their risk profile is more like established large businesses.
BOND: Campaigns are created from the ground up. People move in and out of jobs quickly and bring in new phones and laptops. Mary Dickinson is co-founder of US CyberDome, a nonprofit offering campaigns free cybersecurity services. She says this rapid, often chaotic growth creates openings for hackers.
MARY DICKINSON: You have almost every worst-case scenario. You can't really do effective training because you've got people coming on board all the time. You've got bring your own device as the norm. You've got used devices that are not scrubbed being brought into the food chain here.
BOND: The most infamous hack of a campaign happened in 2016. Russians broke into the Gmail account of Hillary Clinton's campaign chair, John Podesta. Some of the emails that came out were embarrassing, like Clinton's speeches to Wall Street banks. The Russians got into Podesta's email through a phishing attack. That's when hackers send emails disguised to look like they're from someone you know or your bank. They try to trick you into handing over your passwords. Google's Risher explains.
RISHER: The reality is that phishing, which is effectively just deceiving the target, the victim, into passing over information, is very, very cheap to perpetrate. And the target only has to make a mistake once.
BOND: Nearly four years after the Clinton email hack, Risher says phishing attacks haven't changed much.
RISHER: They haven't evolved because they haven't needed to.
BOND: So what should campaigns do to get serious about security? First on the list is taking basic precautions.
MICHAEL KAISER: Turning on multifactor authentication.
BOND: Michael Kaiser is president of Defending Digital Campaigns, another nonprofit that connects campaigns with free and discounted cybersecurity services and training.
KAISER: It's making sure that you're using, you know, better password practices like a password manager. It's using some form of encrypted communications.
BOND: And Kaiser says it's not just candidates and staff who should be tightening up their online security.
KAISER: So you have a spouse that could be vulnerable. You have children. You have the candidate's, you know, best friend who's also the finance chair.
BOND: Those people have access to private information. And if they get hacked, their accounts can be used to target the candidate. Experts say the focus in 2020 is not just on reducing risk but on planning how to respond if a cyberattack happens. Otherwise candidates will be battling adversaries not only at the ballot box but in their inboxes, too. Shannon Bond, NPR News, San Francisco.
(SOUNDBITE OF ATTUNE'S "THRILL")
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.