Political campaigns in the United States and abroad have been riddled the past several years with successful and unsuccessful cyberattacks. Now, it’s a presidential election year and not enough has changed to stop history from repeating itself. Campaigns still have a bullseye on their backs and bad actors are firing. Not to mention that COVID-19 only makes these security shortfalls more acute, and further strains limited campaign resources.
State and local campaigns are in dire need of help and they need it now. Recent primary elections in several states have highlighted cybersecurity issues in election administration – but that’s a separate topic for a separate day. In lieu of any existing federal guidance or oversight, here are five steps state and local campaigns can take right now to help them through the next election without a catastrophic cybersecurity incident.
Campaign culture and cybersecurity are often in conflict with one another. Campaigns run everything on a shoestring. In many cases, political campaigns don’t invest enough in cybersecurity, or they don’t take it seriously. As the CISO for Pete for America, I was on a campaign that cared about cybersecurity, but Mayor Pete’s campaign was far from the norm.
One of the many campaign culture maxims I learned was “every dollar spent on X, directly relates to a dollar not spent on votes.” This simple idea permeates every aspect of a campaign. Take the concept of “supporter housing,” when dedicated supporters of a candidate open up their homes to campaign staff for the duration of the campaign. Many campaigns don’t have the budget to pay staffers enough to afford rent. The money that they save with supporter housing goes where everything goes on a campaign -- to getting votes.
The way campaign budgets are structured has become the single biggest obstacle to cybersecurity efforts. Campaigns should spend money on cybersecurity the same way any Fortune 500 business operates. The real challenge starts with defining the costs. For business, it’s normal to illustrate a point by saying that investing X amount in security now could save the organization X down the road or in the next quarter. For campaigns, there’s often not a next quarter. There are a different set of calculations at play.
With that established, here are five steps every campaign – and even most businesses – can do right now to run more securely.
1. Know your crown jewels.
First, campaigns should develop a list of their “crown jewels.” In Infosec, those are usually intellectual property, source code and customer data. For campaigns, they are emails, opposition research, voter files, social media and donation information. Campaigns need to ask themselves exactly the same question as executives ask: “what are the most valuable and confidential pieces of information in my campaign?” Figure that out and lock them down with hardware and technical controls.
2. Secure phones and email.
Here’s No. 1 on your crown jewel list: Secure emails and phones from Day 1. It’s not a bad idea to also buy all the domains related to your campaign slogan and name so you don’t have to spend thousands of dollars later on. Don’t believe me? Ask Carly Fiorina how that worked out for her.
3. Mandate security training.
Securing your most important assets will most likely require mandated cybersecurity training for every campaign staffer. As we learned from notable hacking incidents over the last few years, everyone's email and email habits represents a security threat to a campaign. If volunteers have tools that give them access to the Internet, they need training as well.
4. Use free services.
Next, ever since the 2016 election a handful of organizations have realized the tight spot campaigns are in balancing security and votes. There are now programs and groups out there that offer discounted or free services for campaigns. Defending Digital Campaigns, Cloudfare and the Election Cybersecurity Initiative are doing incredible work at all levels. The FEC ruled in 2019 that political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws, provided those companies already do the same for other non-political entities.
5. Ask for help.
Campaigns are constantly leveraging supporters for their expertise and connections – but I rarely hear of a call to assist with cybersecurity. There are certainly passionate and engaged Infosec and cybersecurity people out there who have done this before, are fans of candidate X and will help. Bring them in to learn what works and what doesn’t.
In today’s digital-first landscape, every Fortune 500 company, bank, government, non-profit and, yes, political campaign has to take cybersecurity into consideration. The philosophy of good cybersecurity stays the same throughout: invest to protect the organization – and stay vigilant.
Political campaigns have to approach cybersecurity as a necessity. Campaigns pinching pennies at the state and local level can ill-afford a breach that exposes an entire roster of registered voters, or worse, personal emails. So it’s incumbent on business leaders, cybersecurity professionals and political campaigners to communicate and articulate the risks to top campaign officials. By now, most everyone understands the future of our democracy depends on secure elections.
Mick Baccio, cybersecurity advisor, Splunk