Caught Off Guard Again: How Democrats Keep Misjudging the Information Battlefield

Over the past few days, a string of disturbing allegations has come out against Rep. Eric Swalwell (D-CA), resulting in many party leaders and supporters calling for him to drop out of California’s gubernatorial race and others suggesting that he should resign from his House seat, as well. I don’t know if the accusations are true, but as important as it is to figure that out, the veracity of the allegations isn’t the only issue that matters here. There are also major unanswered questions about how these allegations managed to stay beneath the radar until now, despite apparently being an open secret among D.C. insiders, and why more isn’t being done to proactively uncover this type of information before the final weeks of an election.

I can offer answers to at least some of those questions.

For years now, part of my work has involved conducting assessments of the attack surface of individuals and organizations, focusing on identifying vulnerabilities and exploitable information or associations before someone else does. The term attack surface comes from cybersecurity, where it refers to the technical entry points through which a system can be compromised. I use that term in my own work to refer to the total set of facts, rumors, relationships, and ambiguities about a person or organization that can be discovered, assigned meaning, and weaponized under pressure.

What I’m seeing in Swalwell’s case and others like it is that politicians are still operating under the assumptions and expectations of traditional opposition research, which looks at a person’s past and tries to find things that could be used to attack them. But in our current information environment, that model is outdated. Preparing for something like a run for governor or even simply existing in a highly visible public-facing role today requires a dynamic assessment of one’s attack surface — something that very few people and organizations are actually doing, at least not sufficiently. Let’s talk about what that looks like.

A Familiar Pattern

The emergence of these very serious allegations of sexual assault and misconduct in the final weeks of the Democratic primary election in California is alarming for a number of reasons, not the least of which is that it paints a picture of a political system plagued by vulnerabilities that are all too often left unmitigated and open to exploitation by domestic or foreign actors. We’ve seen this play out repeatedly in recent years, with allegations from the past surfacing against politicians like Joe Biden, Andrew Cuomo, Al Franken, and Katie Hill.

While vulnerabilities stemming from scandals, misbehavior, former relationships, and other personal or criminal matters have always existed, what has changed is how quickly those vulnerabilities can be discovered, publicized, and weaponized. Furthermore, in our current information environment, the truth is not usually what determines the impact of such allegations; rather, it’s how quickly and effectively those allegations are assembled into a narrative, whether that narrative is believable, and whether the target has time to mount a response. Consider the politicians I just named — can you remember which allegations against them were proven to be true or not? Most people don’t even remember what the specific allegations were; they just remember the narrative and ensuing scandal.

Given how many times this has played out on both sides of the aisle in recent years, one would think that both political parties would have established standards and procedures for vetting candidates running for major political offices to ensure that there are no hidden scandals, rumors, or actual wrongdoing lurking in the shadows. And to be clear, some of this certainly does exist, in the form of opposition and self-opposition research, but the infrastructure and processes in place simply haven’t kept up with the pace of change.

From The Campaign Trail To A Case Study

In Swalwell’s case, the revelations about his past interactions with a suspected Chinese intelligence operative should have been treated as an inflection point, not a contained incident. Once a public figure becomes associated, even indirectly, with foreign intelligence activity, the relevant question is no longer limited to what happened in that specific instance. Instead, we have to start asking, what else might exist within the broader attack surface that could be discovered, reframed, or combined with this narrative later?

To answer that question, a comprehensive, forward-looking assessment should have been carried out immediately after the first reports emerged of his interactions with the Chinese intelligence operative. That would have meant doing things like re-mapping his relationships and exposures, auditing his past interaction and travel, stress-testing how benign contacts could be misinterpreted or intentionally misrepresented, and identifying any additional vulnerabilities — personal, professional, or behavioral — that could be assembled into a more damaging storyline.

Had such an assessment been carried out, we likely would have known about these latest accusations much earlier. Even though the sexual assault allegations against Swalwell are different in nature than his reported association with a Chinese spy, they both point to vulnerabilities such as compromised judgment, questionable relationships with women, and blurred boundaries. A proactive attack surface assessment would have also modeled various scenarios and potentialities, looking at how old and new vulnerabilities might be combined into a new and damaging narrative, how different adversaries may differ in their approach(es) to weaponizing the same underlying material, where manipulated or AI-generated content is most likely to appear or have the greatest impact, and how these potential future scenarios may be interpreted by various audiences.

Breaking Down The Attack Surface

To understand how this works, it helps to distinguish between several closely related concepts. A vulnerability is a weakness — a feature that could be used against a target. Exposure refers to how visible or discoverable that weakness is. An exploit pathway is the process through which a vulnerability is identified, interpreted, framed, and brought into the public domain. A trigger event — e.g., an election, a promotion, a crisis, etc — can activate that pathway, while amplification conditions determine whether the issue remains contained or spreads across media ecosystems and public audiences. The attack surface is the full landscape of such features, including those not yet discovered.

What most people miss is that these elements do not operate independently. Rather, they interact, and thus must be analyzed dynamically. A vulnerability that might be harmless in isolation can become a major threat when it aligns with an existing narrative, when it can be easily misunderstood or misrepresented, or when it emerges at a moment of heightened attention or scrutiny. This is why most traditional approaches to risk management, which focus largely on discrete issues, consistently fail to anticipate how reputational crises actually unfold; they treat risk as static and compartmentalized, when in reality it is dynamic, cumulative, and often narrative-driven.

Another key difference between traditional opposition research and attack surface assessment is that, while opposition research looks for problems that could be surfaced, attack surface assessment looks for the potential for problems to be created based on existing or future information, as well as likely trigger events and changes in the audience and in the motives of potential adversaries.

Assessing The Attack Surface

So what does this look like in practice? Let’s walk through the basics of the 6-stage protocol I developed for conducting attack surface assessments.

The first step is to characterize the target in context: who they are, why they matter, and to whom. A mid-level business executive, a venture-backed founder, and a national political figure may all face reputational risk, but the types of exposure they’re likely to face and the motives of their potential adversaries will differ significantly. Understanding the audiences that surround the subject is just as important as understanding the subject itself, because vulnerabilities only become meaningful when they can be interpreted and amplified by those audiences.

From there, the assessment would move into surface mapping. This is where most organizations underestimate the scope of the problem. It is not enough to review public statements or conduct a background check. A proper mapping exercise would examine public communications, personal and professional relationships, historical records, organizational affiliations and dependencies, and personal brand/narrative positioning. It would look for inconsistencies, ambiguities, and areas where different parts of the subject’s identity or behavior contradict each other or fail to align in significant ways. It would also examine proximity to sensitive actors such as foreign entities, controversial figures, or networks that could later be reframed as problematic. This would have been the stage at which red flags went up around Swalwell due to his association with an apparent Chinese intelligence operative.

Next, the assessment would analyze the various adversaries and their motives. Different actors see different opportunities: a political opponent may focus on narrative contradictions, while a foreign intelligence service may prioritize access or long-term leverage, and a media outlet may be drawn to emotionally- or morally-charged angles. The key to an effective assessment is to never assume a single adversary, but to model how multiple actors might independently or collectively assign meaning to the same underlying material. In Swalwell’s case, this assessment would be particularly complicated because in addition to Republican and Democratic operatives, there are also alleged sexual assault survivors who may be acting in parallel or even in coordination with political operatives, but with different motives for their involvement (e.g., justice, accountability, closure, etc).

The most important part of the assessment process is moving from identifying vulnerabilities to analyzing exploit pathways. This is where the assessment stops asking “what exists?” and starts asking “what could happen?” A vulnerability becomes meaningful only when it can be discovered, framed, and amplified in a way that resonates. Exploit pathways typically begin with discovery (identification of a vulnerability), but the decisive stages are interpretation and framing — in other words, how the information is presented, what narrative it is attached to, and whether it aligns with preexisting assumptions. Then, the assessment would look at factors that may influence the speed and scale of amplification, as well as how various response styles may mitigate or deepen the damage.

The next step in the process is to prioritize or rank the risks you’ve uncovered by examining a combination of factors, including how visible the issue is, how sensitive it would be if exposed (is there legal or reputational risk?), how plausible it would appear to an audience (does it feel true?), how easily it could be framed or misrepresented, and how difficult it would be to mitigate once public. Importantly, plausibility and resonance often matter as much as or more than factual accuracy in terms of the actual impact. In cases like Swalwell’s, where there are multiple allegations from multiple women involving varying degrees of inappropriate sexual conduct, the accumulation of allegations —regardless of their veracity — enhances the plausibility of each individual allegation because it establishes an MO.

Finally, a really thorough assessment would extend beyond the present, into the near future. It would consider how emerging technologies, particularly AI, may change what can be discovered, fabricated, or amplified, and how such material could be used to bolster the appearance of legitimacy or corroborate a particular narrative or line of attack. This would include looking at things like what types of inferences can be made using digital traces and artifacts, and how digital archives may lengthen the lifecycle of potential vulnerabilities by resurfacing old material. In Swalwell’s case, screenshots from messaging apps appear to back up some of the claims being made against him. Additionally, there is a short video clip circulating on social media that appears to show Swalwell on a bed with several other people, including a woman who is described as a sex worker. I believe there are reasons to be skeptical of the provenance of this footage, but as I have written about previously, proving the veracity of images and videos in a world of increasingly sophisticated fakes has proven to be nearly impossible. (Perhaps the video is not doctored at all; I really don’t know. I just know that I have a lot of questions, and it is concerning to me that there are so few people inquiring about the source, veracity, and authenticity of the footage).

After completing those six stages of assessment, the next step would be to consider mitigation strategies and response styles, but I consider that to be an entirely separate exercise, so I’m not going to get into that today. (I also don’t think that’s relevant here, because for someone with Swalwell’s attack surface, I would have recommended not running for governor at all).

Costly Blind Spots

Over the past couple of days, I’ve seen a lot of people questioning how Swalwell could have actually believed that these accusations would never rise to the surface during his campaign or at another point in the future. I can tell you why: because most public figures and organizations still conceptualize risk as a static and episodic concept, meaning that they view it as a series of isolated incidents that can be evaluated, managed, and resolved one at a time. When assessing risk, they tend to look at each allegation, controversy, or vulnerability on its own terms, asking whether it’s true, and if so, whether it’s probable, and if so, whether it will generate a news cycle, and so, whether it can be contained. Once the immediate issue is addressed, or at least appears to fade, attention shifts elsewhere, creating the illusion that the risk has been handled.

The problem, of course, is that attack surfaces do not behave this way. They are cumulative and interactive, such that even seemingly minor or unrelated elements — e.g., an old relationship, a past complaint, a vague inconsistency, or a digital artifact — can combine over time into something far more significant than any individual component. Treating risk as discrete events gets in the way of seeing these connections early, which is precisely when intervention is most effective.

Viewing risk in this way also makes it easy to lose sight of its cumulative nature, leading to misperceptions that can vastly underestimate the degree of risk associated with any given vulnerability. If Swalwell did what he’s accused of, then each time he got away with it and moved on without consequences, it would create the impression that the risk window (if there ever was any) had closed. But that’s not how risk operates, especially in a political climate.

Here’s how it actually does operate: With each new incident of sexual impropriety or sexual assault, the coherence of the (future) narrative increased, so it no longer looked isolated, but like a pattern. This, in turn, lowered the burden of proof. A single accusation can be doubted; once multiple women come forward, it gets a lot harder to deny that something happened. Furthermore, once a pattern like this is established, it can create retroactive meaning, such that past events that seemed benign at the time end up being reinterpreted in a different light based on the new accusations. That’s what I mean when I say that risk is dynamic.

It’s likely that Swalwell also felt somewhat invincible, knowing that his reported sexual misconduct was an open secret, and that no one had tried to do anything about it. As a high ranking Democrat with a lot of political power, he likely believed that it was improbable that anyone would successfully challenge him or be able to hold him accountable, and for a long time, that calculation proved to be correct. But risk is dynamic, and when circumstances change, you have to update your risk assessment — something that Swalwell failed to do, leading to a grave miscalculation.

Of course, Swalwell wasn’t the only one who miscalculated things. The Democratic Party, too, seems to have believed that he could get through his campaign to become governor of California without having to face these accusations — an assessment that was only modified after the allegations were published by a major newspaper. Most organizations still approach risk from a reactive orientation rather than a proactive one, which is exactly what we saw here. Instead of trying to anticipate and mitigate things like this, most institutions and organizations wait until something happens to address the underlying vulnerabilities. Had Democrats tried to get ahead of this, they would have had time to consider alternatives for the gubernatorial race and would not be forced to call for the front runner to drop out a month before the primary election.

Finally, and most importantly, it appears that power, influence, and favoritism also played a major role in letting things get to this point. Candidates who are seen as important to party strategy or who are personally trusted and/or ideologically aligned are often subjected to less rigorous scrutiny and are much more likely to be given a pass, even for major transgressions. Simply put, until last week, even though Swalwell’s alleged sexual misconduct was reportedly known among most of his colleagues, it hadn’t yet risen to the level of affecting public opinion, so Democrats didn’t have an incentive to act on it. As long as he was still leading in the polls and tipping the balance of power in favor of the Democrats, they were willing to ignore the allegations, it seems.

Setting aside the moral question, elevating a candidate with that level of vulnerability reveals a fundamental misunderstanding of how risk actually operates in today’s information environment. Until they develop that understanding — or start listening to those who have it — we should expect this pattern to continue, with voters left to deal with the consequences each time.

The patterns described here are not theoretical—they come from hands-on work analyzing how vulnerabilities form, evolve, and are ultimately exploited. I developed the six stage protocol described above to help clients translate that insight into early, structured assessments that reduce risk before it becomes public. Want to know more? Leave a comment or get in touch via email (caorrbueno@proton.me) or Signal (rvawonk.01).