Cyber Spring Cleaning for State Parties, Committees and Campaigns

Springtime presents the perfect opportunity to do a quick cyber spring cleaning. We don’t mean get out the cleaning supplies and wipe down your laptop, rather it’s time to check in on your cyber hygiene - Ask yourself, “Do we have email and website protections in place?” The 2024 election cycle saw an unprecedented level of malicious cyber activity targeting political campaigns and related organizations. Malicious actors aggressively targeted campaigns with sophisticated tactics intended to disrupt operations, steal sensitive data, and erode voter confidence. 

VoterGuard’s  2024 Election Threat Report revealed concerning gaps in basic cybersecurity measures across parties and campaigns country-wide. Cyber threats take many forms, ranging from the most basic of cyber criminals to sophisticated nation-state hackers. Phishing remains the predominant threat, with attackers continually adapting techniques, such as "thread hijacking" where they infiltrate legitimate email chains, to evade defenses and compromise campaign-related accounts. Only a third of campaigns have implemented DMARC protection for their email service, exposing most campaigns to email spoofing and phishing vulnerabilities. A great way to address these threats is through DDC partnerships with Valimail and Yubico, which offer campaigns a free and easy way to mitigate the risks of email impersonation and phishing.

In 2024, campaign websites were frequent targets for both hacktivists and state-sponsored entities seeking to spread disinformation or disrupt voter engagement. EI-ISAC reports indicated increased attempts at website defacement and hack-and-leak operations, underscoring the essential role of protective services like Cloudflare for Campaigns, a free tool for eligible campaigns to defend against web denial-of-service and unauthorized access attempts.

Looking ahead into the 2025 election cycle and beyond, another key source of risk is the lack of secure campaign wind-down processes. Unsecured domains and inactive accounts present ongoing risks that adversaries exploit, potentially causing lasting reputational damage or exposure of campaign and donor information.

To counter these evolving threats, we recommend campaigns implement the following cybersecurity best practices. Think of them as your “cyber spring cleaning”, designed to help you cover all the most important risks in a quick, easy, and minimally-disruptive way.

  • Protect core  accounts with a passkey or security key. 

  • Secure websites using tools like Cloudflare and implement DMARC email authentication through platforms like Valimail.

  • Utilize secure communication channels, such as encrypted messaging platforms like Signal, AWS Wickr and avoid public Wi-Fi networks.

  • After campaigns conclude, thoroughly and securely decommission digital assets, retain control of critical domains, and archive sensitive information safely.

  • Regularly conduct cybersecurity training for staff and volunteers to recognize and mitigate phishing and social engineering threats.

At VoterGuard, our mission is to proactively identify, monitor, and analyze these evolving threats, equipping campaigns with essential insights and practical tools to strengthen their cybersecurity defenses.  We remain dedicated to identifying trends and threats within the political cybersecurity landscape, equipping campaigns with actionable intelligence and solutions that protect democratic processes and maintain public trust. We’re proud to continue partnering with Defending Digital Campaigns to  elevate cybersecurity for all political organizations and those who support them

Author: Andrew Schoka, Founder, VoterGuard, https://www.voterguard.net/


.