At least two presidential campaigns are not using two-factor authentication, according to Maine Sen. Angus King, because the campaigns consider the technology too unwieldy.
“I’ve heard in the last 24 hours that two presidential campaigns were approached and they said ‘two-factor authentication is just too cumbersome and so we’re not going to do it,’” King said at a Cyberspace Solarium Commission event at the Centers for Strategic and International Studies March 3.
King did not name the campaigns.
Multi-factor authentication has become part of basic cyber hygiene. Organizations without that technology can be left vulnerable, a point made especially clear after 2016 when John Podesta, the campaign chair for Democratic nominee Hillary Clinton’s campaign, had his email hacked in part because he didn’t have two-factor authentication activated.
In May 2019, the Federal Election Commission issued an opinion allowing companies to provide free or discounted cybersecurity services for presidential campaigns, so long as it’s nonpartisan. Suzanne Spaulding, a member of the commission and senior adviser for Homeland Security at CSIS, said the organization will recommend “institutionalizing” that opinion as part of 75 cyber policy recommendations the group will issue March 11.
One of the challenges for many campaigns is that officials don’t want to spend their money on cybersecurity.
Thus far, Spaulding said, use of the pro-bono cyber services has been “ad hoc.” No presidential campaigns responded to Fifth Domain’s questions about their implementation of two-factor authentication.
While activity during the 2016 presidential election generally originated from Russia, experts warn that this year’s election will attract malicious behavior from other nation-states. For example, this campaign cycle already has documented email intrusion attempts by Iranian actors, according to an October 2019 blog post from Microsoft.
Other election measures
The commission’s upcoming report will recommend that the Election Assistance Commission add a fifth commissioner who will only participate on cyber issues, King said.
That body, which provides information for voters and election officials, has a board of four commissioners, two Republicans and two Democrats. King said the Cyberspace Solarium Commission wants to solve the gridlock within that group, which has rendered it “not really functional.”
A fifth member would be a technical expert who understands cyber. “We think it’s a lost cause to re-balance the commission totally, but for this case we’re recommending that you have a special member who can react on these kind of cyber-related issues to try to break the deadlock,” King said. “Otherwise, we’re stuck.”
Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said at the same event that the Election Assistance Commission is a critical partner in election security that provides several services such as voluntary voting guidelines, voting system certification and audits of federal election funds.
Krebs said CISA, which assists state and local officials with election security, provides the group with cybersecurity expertise and services, information sharing mechanisms and cybersecurity trainings.
“It continues to be something where we look at what their resources and capabilities and their ability to engage [are],” Krebs said. “The stronger we both are, the stronger elections are ultimately going to be across the country.”