The Trump campaign’s apparent failure to report the alleged hacking of its email system to law enforcement has renewed questions over the campaign’s obligations to alert authorities to potential election interference.
The FBI now says it is investigating the matter, but it remains murky how or when the case was referred to the agency.
The episode first came to light on Aug. 9, when Microsoft issued a report noting Iranian efforts to hack an unnamed presidential campaign. The Trump team said Saturday it had been hacked, as news outlets reached out for comment about a leak of vetting documents the campaign had prepared on running mate JD Vance.
According to reporting from The Washington Post, the Trump campaign was aware of the issue earlier in the summer but did not disclose it to law enforcement. Both the Trump campaign and Microsoft declined to answer detailed questions from The Hill about any referrals to law enforcement or whether they reported the issue.
The incident reflects the long-held resistance by companies to disclosing when they’ve been hacked, for fear of embarrassment or even liability.
But it’s a step many cybersecurity experts see as crucial, especially given the ongoing efforts by numerous foreign adversaries to interfere in U.S. elections.
“For an individual, for an organization, for a campaign, there’s always the embarrassment of falling victim to something, especially something like spear phishing, because of the human behavior element,” said Kiersten Todt, a former chief of staff at the Cybersecurity and Infrastructure Security Agency (CISA) under the Biden administration who is now president at Wondros.
“A campaign is a very different animal, because there’s so much more at stake, and the timing of everything can have such tremendous impact on a vote,” she added.
“It’s not about who was attacked from the federal government perspective. It’s how did it happen? How can we share this across sectors? That’s the piece that the federal government does so well.”
According to the information shared by Microsoft, the Trump campaign was first hacked by Mint Sandstorm, a group run by the Islamic Revolutionary Guard Corps, in June, though the leaked contents didn’t reach reporters until July.
Brian Greer, a former CIA attorney, said it’s odd that a victim of a major crime would not seek law enforcement assistance.
“Yes, there are cyber intrusions frequently that go unreported. But if you’re on a political campaign in 2024, and you’re not getting the federal government involved, you really just have to question, why?” he said.
“When you’re on a campaign and a malicious nation-state is likely attacking you, I think it’s a different calculus. You want and need the FBI helping you figure out the breadth of what’s happening, why it’s happening, who’s doing it, and the public education that goes along with that.”
It was Microsoft that publicly blamed Iran in its report last week, saying it made the decision to “share intelligence like this so voters, government institutions, candidates, parties, and others can be aware of influence campaigns and protect themselves from threats.”
But while in-house teams can sort the source of a problem and even the actor behind it, Greer stressed that the FBI would have the “bigger picture,” including whether other campaigns are being targeted.
“After what’s happened the last two elections with foreign interference, I can’t imagine the calculus that says, ‘Let’s not tell the FBI,’” he said.
The Trump campaign called the documents “illegally obtained,” while the Harris campaign in a statement said it was notified by the FBI in July that it was targeted by a foreign actor influence operation.
While former President Trump has long been critical of the FBI, an agency whose investigations have ignited two separate indictments against him, resistance to reporting has been a prevailing attitude for many in the cybersecurity space.
“Industry sees limited upside in reporting to the government because if you report you were hacked, you could be investigated, threatened with regulatory action and even face lawsuits from private parties and the government,” said Jamil Jaffer, founder of the National Security Institute at George Mason University’s Scalia Law School.
Matt Hayden, a former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience Policy under the Trump administration, said in-house teams as well as cybersecurity firms contracted by campaigns can do much of the legwork in determining what went wrong, calling Microsoft’s team among “the best of the best.”
“When you’re working with these guys, you really are seeing a lot of the expertise that the government might bring in the form of people you already paid to take care of the situation that could happen. So I don’t want to begrudge anyone for holding out on reporting until they know exactly what they might be reporting by using the experts they brought to bear,” he said.
However, he said the enforcement arm of the FBI is actually very helpful in responding to ransomware attacks and other issues.
“So I don’t feel that this campaign has any interest or any value in not reporting this,” he said, adding later, “If I’m the IT person for any campaign, if I see nation state actors, my best friend is going to be CISA and the FBI because they are going to help me make sure there are advanced techniques being leveraged against my network to do more damage than I currently can contain.”
Rep. Jason Crow (D-Colo.), a member of the House Intelligence Committee, said that, “historically, it’s always a really big challenge to get government entities and organizations to self-disclose.”
“Corporate law and the current regulatory regime don’t always encourage early reporting because of liability concerns. So that’s why government legislation is really important in a lot of instances, because it provides safe harbors for nongovernment entities that conduct that disclosure,” he added.
Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in 2022 to mandate reporting, giving the option to do so anonymously, but rulemaking is ongoing and it’s not clear the law will apply to campaigns.
But Todt said with election infrastructure already deemed critical, it could make sense to require reporting from campaigns.
“Our democracy is critical infrastructure, which means that elections as an entity are going to be a target for our adversaries,” she said.
Todt praised instances in which companies have disclosed attacks, calling it “moral courage” that can help raise awareness for other companies.
But she said it has other impacts as well.
“When you put light to something like, when you give it air to actually get out there, you take the power away from the malicious actor. As long as it’s hidden, Iran has power, right? It’s like, okay, we’re doing this. If it’s out there, and we know that Iran is going after the campaign, and by all accounts, has gone after both campaigns, then now you’re going to have the full force of the federal government and the FBI paying attention to it,” Todt said.
With the matter now under investigation by the FBI, Jaffer and Hayden said the government now must fulfill an obligation beyond the reach of the private sector: figuring out how to respond.
“As an entity that’s maintaining a network, you’re not going to impose costs on the bad guys. You need someone else to do that on your behalf,” he said, adding that “once attribution is assured…. I have no problem melting every hard drive that was used and putting a little American flag on it.”
But Jaffer said the U.S. government is often “scared of its own shadow” when it comes to retaliating for cyberattacks.
“The problem with deterrence in the cyber domain is that we just don’t practice it. We don’t tell people what our capabilities are, we don’t tell them what our redlines are, when those redlines are crossed. We don’t take action, and if we do act, we don’t do it in public,” he said.
“Protecting elections is absolutely at the core of the government’s responsibility. So the question is are we going to do it publicly and in a painful enough way to be a deterrent? If the answer to that question is no, then what exactly are we doing here?”