Often the headlines are chockablock with news about cybersecurity: a campaign is hacked, consumers have money stolen, a pipeline is shut down. If you are concerned about or have been tasked with cybersecurity at a campaign, state party, or political organization, it can be a bit overwhelming. Where do you even start? What are the most important things to protect? Where do you even get guidance and help?
Cybersecurity is risk management. Therefore, you build cybersecurity protections to address what's most likely to happen, not every possible thing that could happen. You start by putting in place the common-sense measures that provide the highest level of protection against the most common and likely threats.
At DDC, we call these the core protections: the minimum cybersecurity measures every campaign MUST take so that compromises or disruptions don't prevent you from doing what you do best - campaigning.
The three core cybersecurity protections cover protecting accounts, websites, and email.
Here’s the why, what and how of implementing core cybersecurity protections in the political sector. Note that the products mentioned here are free for DDC-eligible campaigns, committees and state parties (see eligibility list here). However, there are also numerous services, free for everyone, that can help mitigate these risks. These free tools can be found here.
Core Protection #1: Protect Accounts
The Why:
Unauthorized access to accounts is the primary online threat for campaigns, organizations, and people. A highly effective way to compromise a campaign or political organization is by stealing account credentials through phishing or other hacking techniques. Once access has been gained, information can be stolen to be leaked or used for espionage, or the access can be used to steal money.
The What:
People and organizations in the political sector must avail themselves of the strongest multifactor authentication available. Protect all primary accounts (email, cloud, social, financial) with the strongest multifactor authentication possible. This means protecting logins with more than a password or a code sent to a phone or via email.
The How:
It’s actually quite easy to harden accounts with strong multifactor authentication. Passkeys, a digital credential now widely available, are the strongest account security available. Passkeys reside on a device and grant account access, without a password, once you unlock the device using a biometric or PIN. Passkeys can’t be stolen or copied. Passkeys are available on most major platforms, including Google and Microsoft. Security keys are also highly recommended. They are physical devices that plug into a PC or phone and act in a similar fashion to a passkey. One physical security key can be used on multiple services.
Supersize your security: Google and Microsoft both provide heightened security for high-risk users in the political space. Google offers an Advanced Protection Program. Microsoft offers Account Guard. Both are FREE and offer enhanced protections from phishing.
What DDC offers for FREE for eligible campaigns: DDC can provide security keys from Yubico and Google and onboarding training to help your team implement keys, turn on Google’s APP with a passkey, and show you how to apply for Account Guard.
Core Protection #2: Protect Websites
The Why:
Because of their importance to campaigns and organizations and the ease with which bad actors can launch attacks, websites are in the crosshairs. If a site is taken down or defaced, or its content is changed, it will be a public event that could result in donations not being processed, reputational harm to a candidate or organization, or the proliferation of disinformation. The most common website cyber incident is a Distributed Denial of Service (DDoS) attack, which uses bots (armies of infected machines) to overwhelm sites and make them inaccessible. In other attacks, bad actors gain access through weak or stolen credentials to change the website content.
The What:
Websites need to be protected from DDoS attacks and strong multifactor authentication must be used on all accounts that have access to content management systems and website administration.
The How:
Cloudflare offers free DDoS protections for any website, and Google’s Project Shield provides free DDoS protections to websites of high-risk organizations, including campaigns. Check out DDC’s Knowledge Base for information on how to apply for Project Shield or set up Cloudflare's free protections.
What DDC Offers for FREE for Eligible Campaigns: Campaigns can get Cloudflare for Campaigns, a business version of the product with increased protections, customer support, and other services, and assistance from DDC getting their Cloudflare account set up.
Core Protection #3: Protect Inbound and Outbound Email
The Why:
Email has always been a primary target for attacking organizations via phishing. Additionally, bad actors seek to exploit the reputation of campaigns and organizations and their relationships with supporters by spoofing and impersonating them to steal money and gain account access.
The What:
Campaigns, committees and political organizations need to protect the inboxes of their staff and authenticate the emails they send in order to prevent phishing and to keep bad actors from impersonating the campaign or organization.
The How:
Protecting from phishing starts with strong account security (see above) that makes it difficult, if not nearly impossible, to steal credentials. Protecting campaign domains from being spoofed or impersonated is achieved by implementing DMARC, an email authentication standard, and ensuring the services you use to send email are properly configured. You can easily check your DMARC status via Valimail’s free DMARC checker tool: https://www.valimail.com/domain-checker/.
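To show what a DMARC status check looks at, here is an added example (not DDC's or Valimail's tooling) that parses the TXT record a domain publishes at _dmarc.<domain> and grades how much protection it gives. The function names, status labels and sample records are assumptions made for illustration; the records are constructed and nothing is looked up over the network.

```python
# Added example: offline DMARC record grading. Sample records are constructed.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return a dict of tag -> value, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt):
    """Grade a record: missing, invalid, monitoring, partial or enforced."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing", ["no valid DMARC record is published"]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING | {"none"}:
        return "invalid", ["the required p= tag is absent or unrecognized"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    # Subdomains inherit p= unless sp= overrides it.
    if policy in ENFORCING and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        return "monitoring", findings + ["p=none only reports; spoofed mail is still delivered"]
    if pct < 100:
        return "partial", findings + [f"policy applies to only {pct}% of failing mail"]
    return "enforced", findings

if __name__ == "__main__":
    samples = {  # constructed records for hypothetical domains
        "no-record.example": "",
        "spf-only.example": "v=spf1 include:_spf.example.org ~all",
        "monitoring.example": "v=DMARC1; p=none",
        "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
        "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    }
    for domain, record in samples.items():
        print(domain, *assess(record))
```

A domain is only protected against direct spoofing once it reaches the "enforced" grade; "monitoring" is the usual starting point while sending services are still being configured.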
What DDC Offers for FREE for Eligible Campaigns: Valimail for Campaigns helps you get your DMARC and sending services properly configured to protect your domain and improve deliverability. DDC’s onboarding assistance can help you get the services you use to send properly configured.
Cloudflare’s Email Security or Sublime Security helps campaigns and committees protect from phishing attempts.
These are the core and minimum protections every campaign and committee should adopt. Some campaigns face or may experience higher risks in other areas, such as on social media or mobile devices. DDC has products to help address those risks too. Feel free to book a consultation with our onboarding team to discuss your concerns and needs. Reach out anytime at info@defendcampaigns.org.
Check your eligibility for free DDC services here.