The 2020 election cycle is moving toward its final phase. Yes, there are still a few primaries to go, but for the most part ballots are set and campaigns are gearing up to get their candidates elected.
Now is an opportune moment for campaigns to shore up their cyber defenses to protect their staff and volunteers from potential threats. Here are five cybersecurity steps every campaign should take before Election Day:
1. Turn on the strongest form of MFA or 2FA to protect accounts
2. Secure your website
3. Use and/or enforce the use of encrypted communications
4. Encourage staff and others to secure accounts
5. Be prepared if an incident occurs
Learn more about each of these and how Defending Digital Campaigns can help.
1. Turn on the strongest form of MFA or 2FA to protect accounts:
IF YOU ONLY DO ONE THING FOR THE REMAINDER OF THIS CYCLE, IMPLEMENT ACCOUNT PROTECTIONS!
Two simple truths: if you work on a campaign you are a target, and phishing and attempts to steal account logon information and credentials are the most likely ways a campaign will be hacked.
Protecting accounts from being compromised is the most important cybersecurity priority for a campaign. A bad actor that gains access to email, share drives, social media, finance, or website editing accounts can do extraordinary damage to a candidate and a campaign.
To achieve the best forms of protection, turn on multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), on every account that allows it. If your campaign is using G Suite, you will want to use Google's Advanced Protection Program, often referred to as APP (https://landing.google.com/advancedprotection/). If your campaign is using Office 365, you will want to use Account Guard (https://www.microsoftaccountguard.com/en-us/). Both require the use of a security key, a small piece of hardware that plugs into a USB port.
DDC has FREE keys for campaigns from Google and Yubico and can even help your team implement them with the assistance of our Onboarding Specialist, who can hold a quick training for your team. The same keys can also be used to secure social media accounts on Facebook and Twitter as well as many other services across the internet. If MFA is not available on important accounts, implement a password manager such as LastPass (available for free through DDC) or, at minimum, enforce password creation policies that result in long, strong, and unique passwords.
2. Secure your website:
Your public-facing presence is your candidate’s brand and connection to the community. Campaigns use their websites as a portal to introduce their candidate and his or her positions, as well as for fundraising and, in many cases, to provide valuable information to voters about how to register and vote.
Websites can be vulnerable to various kinds of attacks, including being defaced with objectionable messages, brought to a standstill via an attack that overwhelms a web service (known as a DDoS attack), and/or having content altered, resulting in false information about a candidate or other critical information. DDC can provide access to a FREE account from Cloudflare (https://www.cloudflare.com/campaigns/usa/) that will protect your site from potential threats.
3. Use and/or enforce the use of encrypted communications:
Campaigns generate and share vast amounts of sensitive data and information. How that data can be shared, and with whom, should be codified for campaign staff in a written or oral policy.
Many campaigns we speak with report informal use of services like Wickr or Signal, which is a great start. However, most don’t have a specific policy about what is OK to be shared via email or what should only be shared in an encrypted channel. Communicate with your staff about how sensitive campaign data should be shared. DDC’s Onboarding Specialist can help campaigns set up Wickr, which is free for campaigns with fewer than 30 people, and reduced rates are available for larger campaigns through DDC.
4. Encourage staff and others to secure personal accounts:
Bad actors trying to access your campaign will use many methods. One that is tried and true in the campaign space is attempting to compromise the personal emails and accounts of campaign staff, the candidate, the candidate’s family or close confidants, or third-party vendors, because the assumption is that they are not as strongly secured as campaign email.
If you have implemented security keys at the campaign, in most cases those keys can also be used to secure personal email accounts. At minimum, even though campaigns likely cannot enforce security on personal accounts or third-party accounts, they should be educating and encouraging anyone closely associated with the campaign to secure email and other sensitive accounts. Contact us for a discussion about how to secure personal accounts and expand the perimeter of protection for your campaign.
5. Be prepared if an incident occurs:
The common cybersecurity wisdom is that, as the election approaches, activity by bad actors will increase. Therefore, some incident response planning should be done, even if it’s just the campaign manager and/or the finance director taking a few minutes to put together a short list of steps to take if something goes wrong. Questions to answer include:
Who are the people that need to be alerted (i.e., legal, comms, IT vendor, incident response vendor, law enforcement)?
In the event of an attack that renders technology unusable (for example ransomware), what are the contingency plans for maintaining operations (for example, maintaining paper records) until the technology becomes available?
How will the campaign communicate with anyone directly impacted by the breach as well as the general public and the media?
If you are a campaign of over 25 people, contact DDC about potentially getting a free incident response retainer from Atlantic Data Forensics and discounted rates for response.
Of course, there are other steps you can take as well, including building a culture of cybersecurity through training and educating staff. DDC has several training partners, including Foresight2020, Elevate Security, and Cybrary, all of which are free to eligible campaigns. Other steps include protecting mobile devices with our partners Lookout and Zimperium, and protecting against phishing with Agari and Area1.
DDC is here to help, and it’s quick and easy to get started! The best way to start is to schedule a quick call so we can guide you through some ideas about the best ways to secure your campaign. Email us at info@defendcampaigns.org and we will get the ball rolling!