Alex leads Foresight Partners, a nonprofit that provides cybersecurity training and services to campaigns. DDC partners with Foresight to bring free awareness training to DDC-eligible campaigns.
DDC: Tell us a bit about why you started Foresight Partners?
Foresight Partners was started because people asked for it. After 2016, everyone knew the importance of cybersecurity for campaigns. Precisely because it was so salient, I assumed that people were already reaching out to campaigns to help them set things up securely. However, a friend of mine was running for Congress, and kept asking for advice on how to secure his devices and communications. After a few back and forths, he said, “You know, if you made a training course on this stuff, I would take it.”
That planted the idea for a workshop. What we found, much to our surprise, was that campaigns were not getting this interactive engagement on cybersecurity, and they had a real hunger for it. The raw information was out there in venues like the Belfer Cybersecurity Campaign Playbook, the DNC Checklist, or the FBI Protected Voices Project. But if campaigns had questions, or if suggestions from the established sources seemed burdensome, they didn’t know who to ask.
The niche we filled is making training accessible and fun so that it actually motivates staffers to take the actions that make themselves, their colleagues, and their candidates safer. And our work snowballed from there.
DDC: Does training make a difference? I know many people downplay the role that user awareness can play.
Training is so important! As much as we in the cyber community like to talk about 0-days and Advanced Persistent Threats, IBM has found that 95% of breaches involve human error. Which, said another way, means campaigns can reduce their risk 95% simply by changing their behavior.
The issue, of course, is that most cybersecurity training makes people’s eyes roll to the back of their heads. There are some exceptions - Mike Sager at Emily’s List does an awesome job, and the Maine Democrats security team has a home-grown training that is very engaging. But many of the standard trainings that campaigns have had to sit through feel like check-the-box exercises.
We give hour-long trainings to campaigns, but my favorite part is always the last ten minutes. If you have done it right and established a level of trust, campaign staffers open up with all sorts of idiosyncratic cybersecurity questions that show that they have been thinking about security, but never had a person they thought they could ask about it or a venue to easily get answers.
What started as a focus on training grew to much more, largely from questions we got in those last ten minutes. Campaigns asked for further examples of phishing emails, so we started running phishing campaign assessments. One campaign mailed us a malicious flash drive they had been sent for forensic analysis! A state party worked with us to do a comprehensive security assessment. We ended up working with campaigns to securely set up email, set up password managers and security keys, secure their communications platforms, etc. But it’s important to also let campaign staff know why every step is important, or they’ll stop using them.
DDC: What were you able to accomplish in the recent election cycle?
In 2020 we worked with over 140 campaigns and with 14 state parties, which makes us the largest provider of live, personalized cybersecurity training for campaigns in the country. We conducted training for candidates and staff on campaigns running for state house all the way through Congressional and Presidential campaigns.
However, our goal was not the numbers, but the effectiveness of the training. A big question in cybersecurity broadly, and in securing campaigns specifically, is whether people actually implement “best practices.” For example, based on our pre-training survey of participating campaigns, only 53% of congressional staffers used two-factor authentication on their campaign email account, and only 28% used password managers, despite both steps being highly recommended by every guide and being free for campaigns through programs that DDC runs.
We focus on delivering information and follow-up so people take action. Within one week of taking our training, over 60% of trainees added 2FA to a new account, the number using password managers had nearly doubled, and 98% made at least one concrete improvement to their cybersecurity practices.
DDC: A lot of people think that campaigns do not know anything about cybersecurity. DDC found that many of the campaign managers we spoke with had some awareness about what they were supposed to do but not always the tools or knowledge. What was your experience?
Absolutely agree. Campaign managers are juggling a million things. They know cybersecurity is important, but presenting them with a checklist that is not customized for their specific situation breaks down the second the advice conflicts with something they think will help them win.
Campaign managers are smart and hard working. If you present them with good information about risks, they can make good choices.
DDC: What have you been up to since 2020?
A couple of different initiatives. We got a lot of questions about disinformation in 2020, and so earlier this year we put together a new training course and tabletop exercise on that topic. We gave that training to a few campaigns, and then FDA and HHS got wind of it, and asked if we could adapt it to disinformation around vaccines or other health topics. So we ran a couple of sessions with their security teams, and we continue to offer it broadly.
The second initiative is about partnering more deeply with campaigns. 2020 was a whirlwind. 2021 has fewer active campaigns, which is allowing us to spend more time with each. For example, we are working with gubernatorial campaigns on setting up their GSuite securely, transitioning staffers (and the candidates) onto password managers, rolling out DMARC, defining their onboarding processes, and more. The multiyear timeframes allow for a more thoughtful approach to security, and we’re enjoying these deep partnerships.
DDC: I understand that you are creating some new resource guides for campaigns. Tell us about what you are creating, where they can be found, and what you are planning going forward.
Whenever we can, we like to document our guides and share them broadly. We’ve published guides on password managers, 2FA, and securing your home wifi router. We have a template onboarding checklist campaigns can copy, and a two-pager of top tips with links to further instructions. All of this information is available at https://foresightpartners.us/resources.
DDC: If you get every campaign to institute just one cybersecurity measure, what would it be?
I know DDC recommends security keys as the first thing that campaigns do, and that is great advice. Password managers are also a top suggestion. I’ll highlight another one, which is updating software.
I can’t convey the number of times we have come across staffers who are very aware of cybersecurity and practice good digital hygiene, but are still running an operating system that reached end of life a couple of years ago.
Everyone knows that they are supposed to update software, but many are not sure why, and it presents an inconvenience that they feel impedes their day-to-day work.
People just need to hear that all software has bugs and that bugs are routinely publicly disclosed, leaving you completely defenseless unless you update software regularly. And also that major attacks (e.g. Equifax, WannaCry) happened because of unpatched software.
So please, update your software! This applies to laptops, phones, browsers, campaign websites - everything!