When Russian hackers targeted the staff of Sen. Claire McCaskill, D-Mo., they took aim at maybe the most vulnerable sector of U.S. elections: campaigns.
McCaskill's Senate staff received fake emails, as first reported by The Daily Beast, in an apparent attempt by Russia's GRU intelligence agency to gain access to passwords. McCaskill released a statement confirming the attack but said there is no indication the attack was successful.
"Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."
The Missouri Democrat is running for re-election in November, in a state President Trump won by almost 20 percentage points; she is widely considered among the most vulnerable Democrats running for re-election in the Senate this year.
Although the attack on her staff is the first known instance of a Russian attempt at the kind of cyber-intrusion used on the Clinton campaign with great success in 2016, there is reason to believe it won't be the last.
Tom Burt, Microsoft's vice president of consumer security and trust, said last week that three candidates standing for election in the 2018 midterms were the target of phishing attempts that Microsoft detected. The Daily Beast concluded based on other evidence that McCaskill was among those three. It remains unclear who the others were.
"They were all people who because of their positions, might have been interesting people from an espionage standpoint, as well as an election disruption standpoint," Burt said.
Eric Rosenbach, who served as the chief of staff for the Department of Defense from 2015 to 2017 and also previously oversaw the Pentagon's cyberactivities, said based on his experience in national security, there's no reason to believe those will be or have been the only campaign hack attempts.
"The fact that you find one part of a Russian cyber-intrusion or attack, usually means that you've only found a very small part of it," Rosenbach said. "It probably means that [attacks] like this are much more widespread, that they may be, in fact, in the campaigns of many close Senate races ... You just always have to operate as if you've only found the beginning of what is probably a much more complex problem and situation."
Rosenbach now leads the Defending Digital Democracy project at Harvard University's Kennedy School of Government, a project aimed at helping state and local election officials, as well as campaigns, grapple with the new reality: Much of their work is now digital, and they have a target on their backs.
Campaigns are "the most vulnerable" aspect of U.S. elections, Rosenbach said, because they often don't have the time or money to develop long-term cybersecurity plans and because they're bringing on new staff and volunteers all the time — often without adequate training.
Rosenbach worked with Republican Mitt Romney's 2012 campaign manager, Matt Rhodes, and Democrat Hillary Clinton's 2016 campaign manager, Robby Mook, on creating a cybersecurity playbook for campaign managers.
"People have this perception of campaigns that comes from movies and TV shows, like House of Cards, where they're very sophisticated operations," said Rhodes, when he spoke to NPR in the spring. "The only thing that is actually consistent with the movies when it comes to campaigns is people eat a lot of pizza. They're not that sophisticated."
Mook added, "The irony of campaigns is they are the grittiest and least valuable startups out there, but they're incredibly valuable targets."
Much of the risk of the sort of phishing attack that was successfully executed in 2016 on John Podesta, chairman of the Clinton campaign, and the Democratic National Committee and attempted this year on McCaskill's staff could be mitigated with two-factor authentication, said Mark Nunnikhoven, a vice president of the cybersecurity firm Trend Micro.
Two-factor authentication makes it so anyone wishing to access an email account must not only have a username and password, but also another form of verification, like a code that can be texted to a cellphone number. It's a cybersecurity measure offered by all major email providers at no cost, but, Nunnikhoven said, "the challenge is getting people to use it."
The added step is inconvenient, but it renders most phishing attempts useless.
"This is a constant challenge of cybersecurity, getting people to understand tradeoffs," Nunnikhoven said. "It's a minor bump in the user experience, but it's a huge security win."
But campaigns need to begin taking steps like that, Rosenbach said, because until the United States can implement a foreign policy that effectively deters foreign nations from interfering digitally in elections, they will continue. If it's not Russia, he also said, it will be someone else.
"It's hard for me to believe," said Rosenbach, "that campaign infrastructure won't be under attack for decades, maybe centuries to come."