The revelation that the Trump campaign failed to report the alleged hacking of its email system to law enforcement has raised new questions about the campaign’s obligations to warn of possible election interference.
The FBI says it is currently investigating the matter, but it remains unclear when and how the case was referred to the FBI.
The incident first came to light on Aug. 9, when Microsoft released a report on Iranian hacking efforts against the presidential campaign. The Trump campaign announced the hack on Saturday. News organizations have sought comment on the leak of a dossier that the campaign was preparing about vice presidential candidate J.D. Vance.
The Washington Post reports that the Trump campaign was aware of the issue earlier in the summer but did not report it to law enforcement. The Trump campaign and Microsoft did not respond to The Hill’s detailed questions about whether they made any referrals to law enforcement or reported the issues.
The incident reflects a long-standing reluctance by companies to publicly disclose that they have been hacked for fear of embarrassment and liability.
But many cybersecurity experts believe it’s a crucial step, especially given ongoing efforts by a number of foreign adversaries to interfere in U.S. elections.
“It’s always embarrassing for an individual, organization or campaign to be the victim of something, especially something like spear phishing, that has an element of human behavior involved,” said Kiersten Todd, a former chief of staff at the Cybersecurity and Infrastructure Security Agency (CISA) under Biden and now president of Wondros.
“An election campaign is very different because there’s so much more at stake and the timing of everything can have a huge impact on the vote,” she added.
“From a federal perspective, it’s not a question of who was attacked. It’s a question of how it happened and how we can share this across departments. That’s something the federal government does very well.”
According to information released by Microsoft, the Trump campaign was first hacked in June by a group called Mint Sandstorm, which is run by the Islamic Revolutionary Guard Corps, but the leaked information was not received by reporters until July.
Former CIA lawyer Brian Greer said it was odd that victims of serious crimes would not seek police assistance.
“Certainly, unreported cyber intrusions happen all the time, but if you’re running a campaign in 2024 and you’re not going to involve the federal government, you have to wonder why?” he said.
“When you have the possibility of a malicious nation state attack during an election campaign, I think the calculus is different. We want and need the FBI’s assistance in understanding what’s happening, why it’s happening, who’s doing it, and the public education that comes with that.”
It was Microsoft that publicly criticized Iran in a report last week, saying it decided to share this information “to help voters, government agencies, candidates, political parties and others be aware of influence campaigns and protect themselves from threats.”
But Greer stressed that while the internal team can identify the source of the problem and who is behind it, the FBI has the “big picture,” including whether other campaigns are being targeted.
“Given the foreign interference that has occurred in the last two elections, I can’t imagine the calculation being, ‘Let’s not tell the FBI,’” he said.
The Trump campaign has said the documents were “illegally obtained,” while the Harris campaign said in a statement that it was informed of this by the FBI in July. It has become a target for foreign influence operations.
Former President Trump has long criticized the FBI, whose investigation led to two indictments against him, but there has been a reluctance to report among many in the cybersecurity field.
“Because reporting a hack could expose them to investigations, threats of regulatory action and potential private and government lawsuits, the industry sees little benefit in reporting it to the government,” said Jamil Jaffer, founder of the National Security Institute at George Mason University’s Scalia School of Law.
Matt Hayden, who served as undersecretary of Homeland Security for cyber, infrastructure, risk and resilience policy under the Trump administration, said in-house teams and cybersecurity companies contracted by the campaign could do much of the practical work of figuring out what went wrong, and called Microsoft’s team “the best of the best.”
“When you work with these people, you really see a lot of the expertise that government might put in in the form of people who are already paying their salaries to deal with what might happen, so I wouldn’t blame anyone for using the expertise that’s been put in and holding off on reporting until they know exactly what to report,” he said.
But he said the FBI’s enforcement division has actually been extremely helpful in responding to ransomware attacks and other issues.
“So I don’t see any benefit or value in the campaign not reporting this,” he said, later adding, “If I were an IT person for a campaign and I saw a nation-state actor, my best allies would be CISA and the FBI, because they would prevent advanced techniques from being used against my network to do more damage than I can currently contain.”
“Historically, it’s always been a huge challenge to get government agencies and organizations to self-disclose,” said Rep. Jason Crow, D-Colo., a member of the House Intelligence Committee.
“Corporate law and the current regulatory regime don’t necessarily encourage early reporting because of liability issues, so in many cases government legislation is really important because it provides a safe harbour for non-government organisations making disclosures,” he added.
Congress passed the Critical Infrastructure Cyber Incident Reporting Act in 2022, making reports mandatory and giving the option to do so anonymously, but rulemaking is ongoing and it is not clear whether the law would apply to political campaigns.
But Todd said it might make sense to require campaigns to report election infrastructure because it is already considered critical.
“Our democracy is a critical infrastructure, and the very institution of elections will be targeted by our adversaries,” she said.
Todd praised the cases in which companies have publicized the attacks, calling it “moral courage” that can help raise awareness for other companies.
But she said it has other effects too.
“When you shine a light on something and give it a shot at actually getting out there, you take away power from bad actors. As long as it’s hidden, Iran has power, right? It’s like, OK, we’re going to do this. If it’s out there and we know Iran is targeting the election campaign, and all reports say they are targeting both election campaigns, now you’re going to have the full force of the federal government and the FBI paying attention to it,” Todd said.
While the matter remains under investigation by the FBI, Jaffer and Hayden said the government must come up with a response that is beyond the reach of the private sector.
“As an organization that maintains the network, you’re not going to impose the costs on the bad guys. You need someone to do it for you,” he said, adding, “Once attribution is certain, I have no problem melting down every hard drive that was used and putting a little American flag on it.”
But Jaffer said the U.S. government often “fears its own shadow” when it comes to retaliating against cyber attacks.
“The problem with deterrence in the cyber domain is that we don’t practice it. We don’t tell people what our capabilities are, what our red lines are and when those red lines will be crossed. We don’t act, and if we do act, we don’t do it publicly,” he said.
“Securing elections is certainly a core government responsibility. So the question is, do we do that publicly and in a way that’s painful enough to be a deterrent? If the answer to that question is no, then what exactly are we doing?”





