If you are a candidate, campaign manager, or staff member, you should be concerned about the risks of a cyberattack and the subsequent impacts should an incident occur. Attempts to compromise campaigns come from a variety of potential bad actors, including nation states looking to disrupt our democracy, cybercriminals looking to steal data they can monetize, and people that are opposed to candidates for any number of reasons. Incidents can also occur if campaign staff make mistakes or a device is lost or stolen.

Defending Digital Campaigns (DDC) was created to bring free and low-cost services to House, Senate, and Presidential Campaigns as well National Parties and Committees. To date, more than 120 campaigns have taken advantage of one of the free or reduced price services from one of our partners.

The generosity of the private sector to work to preserve the integrity of our electoral process is tremendous. However, understanding which products your campaign needs is about understanding your risks and applying the right products to your environment.  Campaigns differ from traditional organizations in a number of ways: what technology they use, how they grow, how long they are around, the different ways people interact with the campaign, and the high percentage of staff and volunteers that bring their own devices.  

Where to Start?

Rome wasn’t built in a day and the cyber defenses of a campaign aren’t either. You need to have a lens to evaluate your needs and build your cybersecurity posture over time as the campaign season unfolds and risks change. 

At DDC, we highly recommend applying the National Institute of Standards (NIST) Cybersecurity Framework to creating your approach to cybersecurity. NIST is a part of the US Department of Commerce, and The Cybersecurity Framework was developed in a collaboration between NIST, industry, and civil society. It is a simple non-technical way to think about protecting your campaign. It has five steps to establishing stronger cybersecurity:

Identify: What are the most valuable technology and data assets you have to protect and who is in need of protection? Prioritize your cybersecurity efforts from protecting the campaign’s “crown jewels.” Identify technologies in use including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored.  Don’t forget about your website as a valuable campaign asset. Because campaigns have many people interacting with the effort, lines between who is on the campaign and who is not are often blurry. Think beyond the candidate, staff, and volunteers to the spouse, children, consultants, and close confidantes with access to vital information needing protection. Campaigns often have accounts with shared access by several staffers such as social media or email accounts. Because campaigns fluctuate in size, needs will be different as you move from the primary to the general election.

Protect: Protect are the measures you take to strengthen defenses. You begin around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available;  protecting devices with endpoints; using encrypted communications for sharing sensitive documents or conducting confidential communications; protecting your website; setting up systems using security and privacy settings in the software you use (G Suite, Office); and ensuring software is up to date or patched. Since phishing as well as common mistakes can lead to cyber incidents, cybersecurity training for campaign staff and volunteers adds a layer of protection. Redundancy, in the form of data backups, reduces the impact of an incident or damaged or lost machines and mitigates the paralysis that can occur from a ransomware infection. Maintaining awareness of the threat environment and sharing with staff can increase protection.

Detect: Detection is becoming aware of something is wrong. This could include automatic notifications of things out of the ordinary such as suspicious email, unauthorized attempts to access a protected file or other areas of a network, a potentially dangerous download, and/or a machine being compromised. Your team is also part of your detection efforts. Campaign staff or volunteers may be the first to see a phishing attempt or suspicious information requests like immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported is an early warning system. Unfortunately, detection sometimes occurs when something significant has already happened, like being notified you have ransomware.

Respond: Being ready with a plan should an incident occur is an important part of cybersecurity. Your goal is to reduce downtime and get systems up and running as quickly as possible. Giving thought to alternatives to using technology, such as accepting donations by phone and keeping a paper record while technology is not available can reduce disruption. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Develop a communications plan to proactively inform the public and the media.  Be prepared to access IT support to remediate any damage to technology and consider having a forensic specialist available to investigate the attack or incident. 

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents, and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection.

How do I get started?

The best way to get started is by asking yourself, an IT or cybersecurity professional, or an outside consultant to answer the following questions:

• What are the important technology and data assets that if compromised would most impact the campaign?

  1. What and where are the devices we use--phones, computers, printers, software?

  2. What are the most critical data assets that if lost, compromised, or access was curtailed would most hamper operations, be fodder for the media or opposition, or could be seen as a violation of trust by the public? 

  3. Who are we identifying as being part of the campaign? Do we need to include family members, other people close to the candidate, and their family members, key consultants*?

  4. What accounts are in need of protecting--financial, social media, third party apps for fundraising, voter lists--and who can access those accounts?

  5. How will risks change over time as the election gets closer or a race becomes more contentious?

• What has the campaign done to provide protection for these critical technology and data assets? What protections are in place for the campaign website? 

• How would we know if something went wrong?

• Are we prepared with a response? 

  1. Who are the people that need to be alerted (i.e., legal, comms, incident response vendor)?

  2. What are our contingency plans for maintaining operations until the technology becomes available?

  3. How will we communicate with anyone directly impacted by the breach as well as the general public and the media?

• How will we take lessons learned from an incident and strengthen the campaign going forward?

If you are a House, Senate, or Presidential Campaign, please reach out to us at info@defendcampaigns.org and set up a short call and we can determine your eligibility for our services and get your cybersecurity efforts up and running.

*You may have key consultants or other third providers critical to the campaign. Understanding what data, they can access or is shared with them and how they implement cybersecurity and to protect your data is critical. Even asking them to use the NIST Cybersecurity Framework or answering these questions is a good exercise to be sure they are protecting the campaign.