Less than a month after he joined the Obama campaign in August of 2011, Ben Hagen faced a challenge he wasn’t expecting — foreign nation-states were trying to gain access to the campaign’s databases and social media accounts with extraordinarily sophisticated means, Hagen tells TIME. As the sole applications security engineer inside the campaign, Hagen had the job of keeping them out.
Obama campaign chief technology officer Harper Reed brought Hagen on so “he could sleep better at night,” the life-long security engineer recalled, “and after a few weeks I was sleeping very little.”
The same was true across the aisle, where the Romney campaign was “under constant attack,” according to digital director Zac Moffatt, “four or five times a week.” Neither campaign official would confirm which nation-states were responsible, but one Obama campaign staffer said she was warned about the threat from China in particular.
The 2012 campaign’s phishing attempts, which targeted everyone from senior staff on the campaign planes to field organizers in swing states, were designed to get those thought to have access to the campaign’s data or social media accounts to click on malicious code, and thereby give the attackers a way in.
The Obama staffer said phishing emails often appeared to be press releases or news reports close to her area of responsibility — and usually related to breaking political news. “They looked a lot like my real email,” she said. “They identified the people they thought would most likely click on a link,” Hagen said. “They invested a lot of time figuring out who they were talking to.”
Other attacks sought access to deeply guarded files with information on donors or strategy, consistent with foreign hacking attempts on corporations. More still were politically motivated attempts at “hacktivism.” “They were going after our public identity as well as our data,” Hagen said.
There has been a spate of recent hacking attacks on widely viewed sites, including widely documented attempts by Chinese hackers on media outlets like The New York Times and The Washington Post. Two Twitter accounts belonging to the Associated Press were compromised last month, with the main @AP falsely tweeting about explosions outside the White House causing the stock market to lose over $300 billion in value before recovering. The Twitter account for the satirical website The Onion was similarly struck on Monday, resulting in confusion, rather than panic. On Sunday the NRCC’s website was hit by an attack that redirected visitors from nrcc.org to a page hosting erectile dysfunction search terms. Daniel Abernathy, a web developer for the committee, tweeted that the hackers gained access via another site on their server and edited a cached file for the home page. Visitors reached the regular NRCC site if they typed “www.” in the URL.
Attacks, and allegations of attacks, on political websites and campaigns are nothing new, beginning with the most infamous hack — Watergate. In 2006, then-Connecticut Sen. Joe Lieberman accused his Democratic primary rival Ned Lamont of attacking his website and knocking it offline days prior to his primary defeat. He successfully won reelection as an independent, and months later the Federal Bureau of Investigation revealed that Lieberman’s campaign team missed signs that the website was overloaded by regular visitors, not the victim of an attack.
In 2008 both the Obama and McCain campaigns were the victims of a sophisticated hack, believed by law enforcement to be tied to foreign governments, targeting memos on national security and economic policy, apparently with the hope of getting a leg up on the new administration’s thinking. The revelation in the days following Obama’s historic victory was largely overlooked, and it was just a taste of what was to follow.
Following high-profile attempts on government websites during the 2012 campaign, Secret Service officials warned both campaigns of cyber-threats, at times providing specific chatter related to attempts from foreign governments. These prompted intense security controls — both for individual email accounts and especially campaign Twitter and Facebook pages. Both campaigns believe their efforts were successful at keeping their systems secure.
“We required passwords at least 16 characters long, with special characters,” Hagen explained. “Campaigns are places where information is shouted or passed around on papers — you can’t do that with passwords. To share it with someone you couldn’t do it on a clean channel — you needed to encrypt it, send it, and call the other person to give them the passcode.” Hagen gained acclaim in the technology world late last year after he revealed his strategy of embarrassing Obama coders with an image of a dancing otter after he caught security flaws in their work.
The Romney campaign worked with content delivery experts at Boston-based firm Akamai to develop a system to keep the website up and running under all circumstances, especially in the final months of the campaign when the cost of going down would have been $150,000 to $200,000 an hour in lost donations.
While a handful of Democratic digital operatives poked fun at the NRCC’s misfortune on Twitter, most were just happy it wasn’t them. “This is only a growing problem,” said Hagen. “As more people with strong political beliefs become capable of doing these things, we’ll probably see more of it.”