RNC, DNC bank on Duo authentication ahead 2020 election
Written by Shannon Vavra
Dec 9, 2019 | CYBERSCOOP
The Republican National Committee is relying on authentication tools and careful social media behavior in order to avoid a devastating data breach like the kind that derailed its Democratic counterparts in 2016.
The RNC, which develops and promotes the party’s platform and currently supports President Donald Trump’s reelection campaign, is banking on Duo Security, which specializes in multi-factor authentication, to keep state-sponsored hackers out of party accounts, according to recent Federal Election Commission filings.
Even if a user’s password credentials are stolen, an extra layer of authentication can ensure that only the legitimate account holder could access his or her communications.
Since March of this year, the RNC has paid just over $1,000 per month to Duo, according to FEC filings. The RNC started using Duo in 2016, just days before the election. And it’s not just email account access the RNC is trying to protect — the RNC uses multiple layers of authentication to protect other user accounts, both personal and professional, too, according to Mike Gilding, the deputy director of information technology at the RNC.
The approach reflects the urgency with which both major political U.S. parties must adopt even basic cybersecurity measures after Russian hackers accessed email accounts belonging to key members of the Democratic National Committee in 2016. Another similar attack against either party could disrupt what is shaping up to be a particularly contentious U.S. election season, as impeachment proceedings against the president move forward. The DNC and RNC have a lot to safeguard, including polling data, candidate research, campaign funding, and election strategies.
The DNC and other political entities such as the National Republican Congressional Committee also are using Duo to protect their infrastructure, FEC records show. The NRCC, which operates as the House GOP’s campaign arm, has paid Duo approximately $300 per month this year. The DNC has paid Duo approximately $500 per month this year.
“If you have not started using 2FA you are severely, severely vulnerable,” Gilding said while speaking on a panel last week hosted by the International Republican Institute in Washington, D.C. “That is the first thing any political organization, any government organization, any person that has any type of communication with finances [should do].”
Republicans are using Duo in conjunction with other security tools, Gilding added, as part of an effort to avoid a single point of failure.
“My job as a security and IT guy is to minimize the damage, to compartmentalize … [to ensure] that if we have a breach it would be limited and controllable,” he said. “You should never put all your eggs in one basket.”
Social media training
The RNC also trains staff on their social media presence to thwart possible foreign influence operations. Gilding, who has been working on network operations at the RNC since 2006, noted that social media training is paramount now more than ever, since targeting of the RNC has changed over the past decade to be more covert.
“We have a seen a very large increase in … social-engineering hacking,” Gilding said. “The security targeting that we’ve seen has been less focused on port scanning, firewalls, bot attacks, and much more … on a personal level.”
Hackers, including Chinese spies, have increasingly been using information gleaned from social media profiles, to enable espionage campaigns.
“We know of somebody who was politically working that had a personal account compromised … what [the hackers] then did is they’re not looking for passwords,” Gilding said. “They downloaded their inbox to get all of their emails that then gave them ins … to target political organizations and operatives by sending them properly worded emails … about specific events, campaign rallies.”
Gilding declined to detail the suspect, but mentioned that these hackers had also sent malicious code in these emails. They did so by embedding the code in PDFs that appeared to be invoices for venues the target was going to be working with, information the hackers had presumably learned by looking at social media. Gilding said the operative was not at the RNC.
The RNC’s challenge is that it can’t force candidates and campaigns to adopt certain security practices. Instead, the RNC sends out training manuals, and offers training classes that campaign staff can attend to learn best practices, according to Gilding. Democrats rely on a similar strategy, as CyberScoop reported in March.
“There is no mandating. It is all about education these days and it is all about letting those people in leadership positions knowing what the environment is, what [are] the threats they have targeting them,” Gilding said. “We’ve seen a lot more openness — because, I think, of headlines in the last couple of years — of people reaching out and saying, ‘I’m uncomfortable where we’re at. What can we do to fix it?’”