On March 19, an IT employee at the Hillary Clinton campaign gave John Podesta, the campaign chairman, some computer-security advice. “John needs to change his password immediately,” he wrote in an email, “and ensure that two-factor authentication is turned on his account.”
The helpdesk staffer was responding to a Google alert with a bright red banner that had been sent to Podesta’s personal Gmail account. The alert said that someone in Ukraine had tried signing into Podesta’s email, and prompted him to change his password. An aide to Podesta had forwarded the warning when she saw it in his inbox.
The warning, it turned out, was fake. It was designed to look authentic by Russian hackers, who also created a fake password-reset page that would capture Podesta’s password when he entered it. But the Clinton IT employee, Charles Delavan, made a crucial error when he responded to the aide who forwarded the warning. “This is a legitimate email,” he wrote back. Somebody on the campaign clicked on the fake link, entered Podesta’s password, and the hackers gained access to tens of thousands of his emails.
In a detailed new report from The New York Times, Delavan said he didn’t intend to legitimize the phishing email back in March:
“He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an ‘illegitimate’ email, an error that he said has plagued him ever since.”
The Times piece was a vivid, blow-by-blow reconstruction of what happened between September 2015, when an FBI special agent first alerted the Democratic National Committee to Russian-directed hacking attempts on its computer networks, and the moment voters elected Donald Trump president. The story details a string of missed opportunities—like the FBI’s lackluster outreach to the DNC back in 2015—and an abundance of political caution, which kept the Obama administration from responding meaningfully to Russian aggression.
But following the story’s publication, headlines and tweets focused on the IT staffer’s typo, claiming it had allowed Russian hackers access to Podesta’s emails—and, by extension, perhaps lost Clinton the election.
This is missing the point. The typo was just one in a series of missteps that ended with two Russian intelligence agencies snooping through Democrats’ opposition research, emails, and chat logs. The problems were as basic as neglecting to require staffers to use two-factor authentication—Delavan recommended Podesta turn this on in his now-famous email—and as perplexing as the lack of urgency in the FBI’s warnings that the Democratic political organization was under state-sponsored attack.
Besides, Delavan’s claim that he made a typo is a little questionable. If he truly believed the email was illegitimate, he would likely go out of his way to make sure nobody clicked on the bad link. (He included a link to Google’s actual security settings page, but didn’t warn against clicking the original, more official-looking link.) He also would probably not use such urgent language—“It is absolutely imperative that this is done ASAP,” he wrote in the same message—if he didn’t think strangers were trying to access Podesta’s account. Finally, changing “an illegitimate” to “a legitimate” requires missing three entire keys, in an email with no other typos. It seems possible that Delavan simply didn’t realize the warning was fake.
There’s no doubt that the moment Podesta clicked on the fake Google link in the phishing email and gave up his password was a pivotal point in the campaign: The resulting email leaks likely harmed Clinton’s chances of winning the presidency. But to focus on a typo—real or not—in an email from the campaign’s helpdesk is to lose sight of the larger picture.
There was a systematic lack of cybersecurity competence across the DNC and the Clinton campaign, and the FBI’s response was slow and inadequate. That’s why Russian hackers vacuumed up enormous amounts of sensitive political material, and—at least according to the CIA—used it to try and influence the results of the election. And that’s what needs to change to prevent this from happening again.