Recently, Microsoft reported that nation-state adversaries were targeting political campaigns and their vendors in an attempt to access systems and data. Adversaries seeking to disrupt our democratic process know that the impact of their attacks will be greater as election day nears and campaigns have a shorter window to respond internally as well as to the public. Therefore, DDC expects that efforts to breach campaigns will increase, and unfortunately some will be successful. Clearly, taking steps to prevent an incident in the first place is a high priority (see our blog on steps to make campaigns more secure).
Despite the best efforts to prevent a malicious cyber incident, it is possible that such an event could occur. A campaign that suffers a cyber incident should be prepared to respond and recover from the potential negative impact on operations and their public image.
Cyber incidents take many forms from infiltrating networks and stealing data to defacing or altering websites to freezing systems and demanding a ransom. And while we think of cyber incidents mostly as nation-states, hacktivists, or cybercriminals trying to disrupt or do harm to our democracy, they can also be accidental. For example, a laptop with sensitive or personal information gets lost or information gets incorrectly forwarded. They can even be as simple as a staffer or volunteer clicking on a link that in retrospect seemed suspicious.
Some incidents may not involve the campaign’s technology or network. Instead, you might be notified by a third party you work with directly that they have had an incident and campaign data or sensitive information is at risk. In some cases, incidents are neither nefarious nor an internal accident. For example, how would you respond if a key vendor went down because of a cyber attack or a natural or manmade disaster restricted or closed off access to the internet or other technologies?
You need to be prepared for all!
It is unrealistic for campaigns to create comprehensive written and practiced incident response plans. However, doing some basic preparation around initial steps the campaign will take is not complicated or time-consuming, and will be time well-spent should an incident occur.
The first step is having a core internal team that will create an approach and be alerted and respond to incidents. Team members should, at minimum, include the campaign manager, finance director, and any person or vendor handling your IT or security. Engaging your candidate in the development of your incident response is not required. However, candidates should be among, if not the first, person notified if an incident occurs.
Ideally, in advance, the core teams would have thought through these questions and issues:
In addition to the core team, who are the people that need to be alerted? For example, legal, PR/comms, compliance, incident response vendor, and other vendors that could be impacted by an incident, such as data and fundraising (you could add any of these to the core team as well).
Have you created a way for campaign staffers and others directly involved in the campaign to report an incident? Do people know who to reach out to and even that they should reach out if they see something concerning? Setting the tone that encourages reporting, even if the user made a mistake is an important part of detecting an incident, and could lead to immediate mitigation if for example someone clicked on a bad link and any malicious behavior can be prevented.
How will you handle PR/communications? Some organizations have been judged more harshly about how they handled an incident including communications with impacted people then they were about the incident happening in the first place.
In the event current technology becomes unusable, what are the contingency plans for maintaining continuity of operations until the technology is online again? Is there a way to revert to alternatives (e.g., another network or paper) if needed for creating records? How would you communicate internally with staff, volunteers, or vendors? Are you prepared to replace technology that may no longer be available or usable?
With legal and compliance, understand your obligations to people directly impacted. Most states have data breach laws. You should know your state’s (and any other states where supporters data has been lost) requirements. You could be mandated to notify people in a specific manner, such as actually mailing them a letter or have other obligations to people whose data is lost or potentially lost. If a vendor loses your data, you are going to want to be sure that they do the right thing by your supporters because whatever they do will reflect on you.
Talk to key vendors about their incident response plans. Most campaigns have many third-party vendors. You should ask them about their cyber incident plans and evaluate your comfort level with how they will respond. At this late date, a campaign is unlikely to jump ship because of a vendor’s response. However, if you think a vendor may have a weak or deficient plan, you can ask them to do better and/or be prepared to enhance your response if that vendor is impacted.
As a campaign, you know that you are under a microscope. Being prepared for an incident and responding in an organized and professional manner, not only lessens the impact it demonstrates leadership and resilience.
Other Resources