Silicon Valley insiders will likely play a bigger role than ever in ensuring the security of presidential campaigns in 2020, joining established D.C. consulting firms and other bipartisan groups trying to lock down campaign communications and neutralize misinformation.
Former Facebook chief security officer Alex Stamos has already given some advice to 2020 Democratic presidential campaigns, he told CNBC via email: Lock down your campaign staff's identities and use a professional service to manage data on cloud servers. Build security from the ground up, he suggested, and don't give too many team members access to deeper technology operations.
"I fully expect U.S. adversaries to get involved in the primary, and one way to do so would be via stealing email, internal documents or spying on confidential communications," Stamos said. "I've been trying to be helpful to multiple Democratic campaigns, and right now my focus is on helping them get their campaign technology stacks set up in a secure manner."
Stamos' advice indicates presidential contenders from 2020 are largely trying to address what they knew went wrong in 2016. Inside campaigns, that includes fixing insecure email and curbing staffers who have too much access to the most sensitive information. Outside the campaigns, that means focusing on managing the proliferation of influential trolls on the internet and social media, which in 2016 was largely driven by Russia, according to the Justice Department.
"Democratic campaigns are building teams to monitor and respond to trolling online. This isn't a technical role, more like the next level of social media monitoring they already do," Stamos said. "All of the campaigns are building up their IT systems and staff and I'm hoping they will do so with security in mind."
Democratic campaigns and organizations have also sought help from security firms to prepare for potential new threats.
Companies such as CrowdStrike, which was one of the first respondents to the hacking incidents within Clinton's campaign in 2016, and FireEye have already been tapped by political committees in advance of 2020. They've been holding high-level conversations with campaign leaders, according to people familiar with the campaigns. The companies declined to say whether they were working directly with Democrats.
A FireEye analyst, however, did paint a grave picture of how foreign adversaries, including Russia, have stayed on offense. They have shifted targets and keyed in on European foreign ministries, according to the analyst, Benjamin Read.
"They have their regular pitch, and they have their fastball. If they can get you out with their regular pitch they will. If you are a high-priority target, they will just throw their fastball," he said.
The Democratic National Committee paid CrowdStrike $47,000 for "technology consulting," according to a February Federal Election Commission filing. The National Republican Congressional Committee paid CrowdStrike $120,000 for "computer support" during the 2018 campaign season.
In one effort to help improve the security of its communications, which were a major target in 2016, the DNC created a regularly monitored feedback loop, Bob Lord, the committee's recently appointed chief security officer, told CNBC. This way, state parties and campaigners in the field can more quickly and securely reach out to his central security office and inform it of suspicious activity, he said.
Several 2020 presidential campaigns contacted by CNBC did not respond to requests for comment on their cybersecurity measures. But Sen. Cory Booker's campaign has employed "a number of protocols to ensure our email and technology are secure," according to campaign press secretary Sabrina Singh. "To help maintain security, we don't comment on specific processes," she said.
Campaigns are interested in understanding from where the threats are coming: Russia, of course, but also China and Iran, said Eric Rosenbach, director of the Defending Digital Democracy project at the Harvard Kennedy School, and former chief of staff to Obama Defense Secretary Ash Carter. Rosenbach said he has had conversations with five campaigns about preparing for potential attacks.
From a practical standpoint, though, Lord said campaigns soon find out that attributing them to a specific country has "diminishing returns" in terms of providing immediate security help. "It was better to monitor the changing tactics and warn everybody how to handle them going forward," he said.
On the social media front, in order to proactively prepare for a new wave of online trolls, Rosenbach said he has advised campaigns that they "need to have some kind of monitoring team that is looking at social media feeds."
"When you see [misinformation] then, you take two paths. They need to have an established channel with the social media companies, Twitter and Facebook specifically. Second, they have to have a response team to push back on false or fake information," Rosenbach said.
The bipartisan Defending Digital Democracy project also published a playbook that gives tips to campaigns on how to improve their cybersecurity.
All of these preparations mean campaigns will have significantly more cybersecurity resources than they did in 2016, Lord said.
"We want to super-size to scale for the presidential [election]," he said. "We are going to dive in deeper with the campaigns by helping them set up their security programs and giving them an understanding of what are their major components."