Robby Mook: Election hacking bills wouldn't have stopped 2016 debacle

Hillary Clinton's former campaign manager says the current focus on improving voting machine cybersecurity would not have prevented the last election's mess. Instead, he said, the major culprit was hacking campaign personnel and political parties.

Why it matters: Robby Mook saw first-hand the damage caused by the election hacking during Clinton's presidential campaign, and he is now part of Harvard's new Defending Digital Democracy Project on election security. He believes that securing voting machines is important, but cannot be the end of the election security conversation.

There is some irony that the actions we are now taking would not have changed 2016. Sometimes we dwell on voting machines to our detriment.

The details: In 2016, most of the damage caused by a believed-Russian effort to muddy the election came from hacks of Democratic groups and Clinton campaign Chairman John Podesta and the subsequent leaks of emails and other files.

• While Russia is thought to have attempted to hack as many as 21 states' election infrastructure (including voter databases), there is no evidence that Russia breached any voting machine or directly altered any votes.
• Nevertheless, the hallmark issue of election security appears to still be preventing an adversary from directly changing votes. In a letter Tuesday to House Science Chair Lamar Smith (R-Texas), Democrats on the committee wrote about the need "to ensure that their votes are appropriately counted and that foreign, domestic, or other actors do not surreptitiously interfere with, manipulate or otherwise unlawfully influence our election infrastructure, voting polls and election results."

What would have worked in 2016: "There are two things that would have protected information in 2016. The first is using two-factor identification. The second is using encrypted and ephemeral communication," said Mook. Ephemeral communications self-destruct after a limited viewing window.

• The Clinton campaign used two-factor authentication — one reason, notes Mook, that while the Democratic National Convention, Democratic Congressional Campaign Committee and John Podesta's personal emails were hacked, the campaign wasn't.
• The campaign switched to encrypted, ephemeral communications to discuss Russian hacking, worried that hackers might still have access to its communications.

Legislation focuses on both machines and other campaign infrastructure: There are several bills for election security currently under consideration, many of which include funding for both voting machine improvements and other aspects of the infrastructure, like voter databases.

Bottom line: Election security is national security, even when it concerns political party and campaign cybersecurity. "Obviously if someone steals internal policy deliberations, that's a risk to security if that candidate is elected," said Mook.