Inside the Democratic war against hacks

Democratic Sen. Jeanne Shaheen's team has sent out three fake spearphishing email campaigns to staffers over the last 18 months to test whether they’d fall for real hacking, her chief of staff, Maura Keefe, tells Axios. The result? Several fell for it.

Why it matters: Every political operation in the country is grappling with the reality that hackers may target them — that is, if they haven’t been infiltrated already.

• The offices of Shaheen and Democratic Sen. Claire McCaskill have both been targeted by phishing emails.
• Russian hackers successfully spearphished the DNC and DCCC in 2016.

The context: Keefe's effort is just one indicator of the cybersecurity culture shift starting to happen on the Hill:

• They sent one email campaign prompting staff to open an attachment from an address imitating Keefe’s Senate email with a slight typo.
• Another mimicked the legitimate attack last year that hit McCaskill’s team.
• Another asked staff to change their Facebook passwords.
• Those who got caught had to retake a cyber training course.

The impact: Fewer staffers clicked the phishing links with each new campaign, from five or six on the first, to just one. "It works," Keefe said. "It’s become a little bit of a point of pride for the staff to be on top of it."

The big picture: This is about playing catch-up on cybersecurity. "I was not hyper-aware and I don't think many people were" before the 2016 elections about cybersecurity, said Keefe. She added she didn't think Sen. Shaheen's previous campaign even had a line item in the budget for it. "It's definitely been an awakening," she said.

• What’s next: Keefe, who chairs the Democratic chiefs of staff group, intends to discuss cybersecurity budgeting for the campaign cycle with other chiefs of staff.
• Campaigns generally are nowhere near where Sen. Shaheen's office is — and she's not up for reelection until 2020. One-third of House candidates have vulnerable websites right now, according to a study released this month, and campaigns are often too strapped for cash to afford cybersecurity expertise.
• The DNC has been sending spearphishing training emails to staffers as well, a Democratic source tells Axios.

The bottom line: The nature of political operations — from Iowa presidential strivers to the halls of the Senate — is changing. It's no longer just about policy and messaging, but also running cybertraining bootcamps to outsmart adversaries. And politicians can train their teams all they want, but each office is only as secure as its weakest, most distracted, careless clicker.

Go deeper:

• The attacks launched on Sens. McCaskill and Shaheen.
• How elections are vulnerable ... Listen on the pod.
• How the Russians infiltrated the DNC and DCCC.