As the newly appointed CISO of Joe Biden's presidential campaign, Chris DeRusha, former chief security officer with the State of Michigan, has fewer than four months to implement his cybersecurity vision before Election Day arrives -- all in the midst of a pandemic that has altered the traditional way that campaigns traditionally operate.
DeRusha will now be tasked with shielding a highly virtualized campaign operated by remotely distributed staffers from both foreign and domestic actors who seek to interfere with the U.S. election -- while simultaneously ensuring that he continues to win the buy-in from campaign management that's necessary to do his job properly.
Even living under more normal global conditions, that's not easy. Until Biden for President announced DeRusha's hiring today, the only other 2020 Democratic presidential campaign to have hired a CISO was that of Pete Buttigieg, former mayor of South Bend, Indiana, who dropped out of the race on March 1. Buttigieg's campaign CISO was Mick Baccio, a former threat intelligence within the Executive Office of the President who resigned in January over what Baccio reportedly had termed "philosophical differences with the campaign management regarding the architecture and scope of the information security program."
Of course, the pandemic changed world significantly since then -- and now certain unprecedented challenges await DeRusha, who served as senior cybersecurity advisor at the White House from June 2015 through May 2017, often working directly with Tony Scott, who was federal CIO during much of that time.
Before that, DeRusha held numerous cyber roles at the Department of Homeland Security for close to six years. And more recently, he managed Ford Motor Company's enterprise vulnerability management and application security program for one year, before helming Michigan's cyber program for the last two-plus years.
Both Scott and Baccio -- the latter now a security advisor for Splunk -- gave SC Media their takes on the important tasks that lie ahead for DeRusha, and the need for him stay engaged with management.
"Campaign security now and when I was the CISO at the Buttigieg campaign -- I think those were two completely different environments," Baccio said. "...You’re virtualized now and that’s a huge challenge" from both an operational and technical security perspective, he said, because you "don't have a centralized infrastructure to monitor."
Campaigns are also now faced with the task of securely holding digital rallies, town halls and similar events to drum up support and publicity. "I think that’ll be the kinds of things that’ll keep you up at night," said Baccio, noting "all the things that could possibly go wrong" with an online event. "So there's a lot more monitoring and security controls that you'll need to look at."
Moreover, the sheer amount of internet content referencing Biden and his opponent, incumbent President Donald Trump, will likely rival that of any previous election, said Scott. And that includes a whole lot of disinformation.
"One of the unique challenges is: How are you going to know what’s... legitimate Biden campaign digital content," said Scott, "whether it’s on an ad or social media, or an email, or whatever? And what's not? What's fake? What’s something that's put out there by somebody who’s not supposed to... and how do you react quickly to those kinds of things and make sure people understand the difference?
DeRusha will also have to determine what cyber projects and policies he wishes to prioritize in time that remains between now and the Nov. 3 election.
"I would want to do all the things I could, but being realistic, how much can you accomplish between now and November?" asked Baccio. "What policies can you implement? What programs could you roll out? What technical solutions could you put in place? You [must] weigh all that with the resources you have and the time you have -- and that’s the challenge that Chris has right now."
"The campaign's been in full swing for quite a while, said Baccio. "As the campaign gets bigger, the security posture needs to get stronger, so he’s going to be in for a wild ride."
"It’s a very unusual role, obviously, because these things are short-lived and they ramp up very quickly, and then they wind down very quickly,” said Scott. "Just the need to move quickly and effectively is kind of the biggest challenge. You don’t have a lot of time to sit around and twiddle your thumbs. Fortunately, Chris has been in a a lot of different situations, so he’s got a tremendous amount of experience from which to draw."
For instance, while at the White House, DeRusha and Scott collaborated on investigating China's alleged breach of the Office of Personnel Management, an infamous hack that occurred prior to both men's employment and affected million of current and former federal employees.
Just last month, the Google Threat Analysis Group warned that reputed Chinese advanced persistent threat group APT 31 targeted Biden's campaign with phishing emails, while suspected Iranian threat actor APT35 (Iran, aka Rocket Kitten and Magic Hound) attempted to phish President Donald Trump reelection campaign. Neither campaign showed signs of compromise, but concerns remain of a potential repeat of Russia's 2016 hack of then presidential candidate Hillary Clinton's campaign and the Democratic National Committee, which resulted in damaging data leaks.
Baccio said he believes the Biden campaign already sports a "great security posture," but there's still time to make significant improvements to help thwart outside threats. "Campaigns operate at a pace that -- it's to hard to describe -- it’s a breakneck speed, and so... I think you can roll [cyber solutions and policies] with that same pace."
One thing that would no doubt help DeRusha in this regard however, is if Biden's campaign managers share in the CISO's vision -- a luxury that Baccio, at the time of his resignation, said he wasn't afforded.
Baccio explained how DeRusha can avoid this same fate: "Make sure that you get a seat at the table" by regularly opening channels of communication with senior management and engage in dialogue regarding which protections must be prioritized and where to allocate budget and time.
"I think those discussions with campaign leadership are gong to determine the direction of the program," said Baccio. "Just establishing the pace and having that conversation initially -- that's where the first step starts. And, after that, things pivot, things change, especially on a campaign, and you revisit things as we go along.
"But I think that initial conversation is super important to have and I guarantee that he’s already had it."
Scott believes DeRusha is up for the challenge.
"I have nothing but the highest regard for Chris and his skills," said Scott. "He’s one of the guys that can take complex technical stuff and make it accessible to people who aren’t techies and aren’t doing this kind of stuff every day."
For its part, Biden's campaign in a statement affirmed its commitment to developing a strong cyber posture under its DeRusha. "Biden for President takes cybersecurity seriously and is proud to have hired high quality personnel with a diverse breadth of experience, knowledge, and expertise to ensure our campaign remains secure," said Biden for President, which also announced the hiring of Jacky Chang, senior technologist at tech-based philanthropy initiative Schmidt Futures, as its newly hired CTO. "Jacky and Chris will be central to strengthening the infrastructure we've built to mitigate cyber threats, bolster our voter protection efforts, and enhance the overall efficiency and security of the entire campaign."