The Defending Digital Democracy Project (D3P) on Monday released its first edition of "The Cybersecurity Campaign Playbook," a guide to help election campaign operatives – even those without technical backgrounds – protect their candidates from hacker interference.
“Campaign workers may not realize it, but they're on the front lines of a 21st century battle,” said Eric Rosenbach, co-director of the Harvard Kennedy School Belfer Center for Science and International Affairs, which launched the bipartisan D3P last summer.
"Foreign and other malicious actors are working overtime to penetrate campaigns' sensitive data and, ultimately, undermine our democracy. We all have to raise our game to ensure that American voters – and no one else – decide our elections," continued Rosenbach, a former Pentagon “cyber czar,” in a press release.
The guide divides cyber hygiene into six categories: Human Element, Communication, Account Access and Management, Incident Response Planning, Devices, and Networks. For each category, the playbook recommends basic measures that every campaign must institute to have a minimum level of network and data security, as well as enhanced steps that can significantly reduce risk of a damaging attack. In most cases, the basic measures cost little to nothing – an important point, because resources are often at a premium, especially in smaller, local campaigns.
For example, to better protect communications, the D3P recommends that campaigns use a cloud-based office suite for secure email and other correspondence, use encrypted messaging, set emails to auto-delete after a predetermined time frame, and refrain from using personal email accounts for business.
To secure devices, the organization suggests that campaigns use the most updated operating system, rely on an automatic cloud-based backup service, institute strong Bring Your Own Device policies, and consider using Mobile Device Management software.
In order to help campaign operators prioritize, the playbook's authors created a top-five cyber checklist that even the smallest of campaigns should address from the very beginning. First and foremost, campaign operatives must strive to minimize human error and mismanagement by taking responsibility for reducing risk, and emphasizing and practicing responsible behavior. Rounding out the checklist, the D3P also urges campaigns to leverage a secure commercial cloud service, use two-factor authentication, employ lengthy passwords (as opposed to shorter passwords that substitute symbols for letters), and plan and prepare for breach and attack scenarios.
Debora Plunkett, former director of information assurance at the National Security Agency, spearheaded the creation of the playbook, overseeing a team of contributors that included researchers, campaign operatives, business leaders, attorneys and cyber professionals. Among them was Dmitri Alperovitch, co-founder and CTO of CrowdStrike.
“Given the complex threat environment that political campaigns operate in, managing cyber risk should be a critical part of their priorities. The playbook reveals actionable best practices and management advice to help the campaigns understand the threat landscape and adequately prepare to withstand it," said Alperovitch, in emailed comments. "In order to prevent potentially devastating intrusions, it's important to combine actionable intelligence, advanced threat detection technology and good hygiene practices.”
“Foreign hackers tried to negatively impact the 2012 Romney campaign, and my worry is that this could happen again to a future rising political star,” said Belfer Center senior fellow and former Mitt Romney presidential campaign manager Matt Rhoades, who co-leads the D3P along with Rosenbach and former Hillary Clinton presidential campaign manager and senior fellow Robby Mook. “Today, everyone's a target up and down the ballot – not just the presidential contenders. We all need to take this threat seriously so we can get back to debating public policies, and this playbook is an important first step.”