Cybersecurity for Campaigns: Understanding and Reducing Your Risk

Image source: https://www.nist.gov/cyberframework

If you are a candidate, campaign manager, or staff member, you should be concerned about the risks of a cyberattack and the subsequent impacts should an incident occur. Attempts to compromise campaigns come from a variety of potential bad actors, including nation states looking to disrupt our democracy, cybercriminals looking to steal data they can monetize, and people that are opposed to candidates for any number of reasons. Incidents can also occur if campaign staff make mistakes or a device is lost or stolen.

Defending Digital Campaigns (DDC) was created to bring free and low-cost services to House, Senate, and Presidential Campaigns as well as National Parties and Committees. To date, more than 120 campaigns have taken advantage of one of the free or reduced-price services from one of our partners.

The generosity of the private sector to work to preserve the integrity of our electoral process is tremendous. However, understanding which products your campaign needs is about understanding your risks and applying the right products to your environment.  Campaigns differ from traditional organizations in a number of ways: what technology they use, how they grow, how long they are around, the different ways people interact with the campaign, and the high percentage of staff and volunteers that bring their own devices.  

Where to Start?

Rome wasn’t built in a day and the cyber defenses of a campaign aren’t either. You need to have a lens to evaluate your needs and build your cybersecurity posture over time as the campaign season unfolds and risks change. 

At DDC, we highly recommend applying the National Institute of Standards and Technology (NIST) Cybersecurity Framework when creating your approach to cybersecurity. NIST is a part of the US Department of Commerce, and the Cybersecurity Framework was developed in a collaboration between NIST, industry, and civil society. It is a simple, non-technical way to think about protecting your campaign. It has five steps to establishing stronger cybersecurity:

Identify: What are the most valuable technology and data assets you have to protect and who is in need of protection? Prioritize your cybersecurity efforts, starting with protecting the campaign’s “crown jewels.” Identify technologies in use including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored. Don’t forget about your website as a valuable campaign asset. Because campaigns have many people interacting with the effort, lines between who is on the campaign and who is not are often blurry. Think beyond the candidate, staff, and volunteers to the spouse, children, consultants, and close confidantes with access to vital information needing protection. Campaigns often have accounts, such as social media or email accounts, that several staffers share access to. Because campaigns fluctuate in size, needs will be different as you move from the primary to the general election.

Protect: These are the measures you take to strengthen defenses. You begin around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available; protecting devices with endpoint protection; using encrypted communications for sharing sensitive documents or conducting confidential communications; protecting your website; setting up systems using security and privacy settings in the software you use (G Suite, Office); and ensuring software is up to date or patched. Since phishing as well as common mistakes can lead to cyber incidents, cybersecurity training for campaign staff and volunteers adds a layer of protection. Redundancy, in the form of data backups, reduces the impact of an incident or damaged or lost machines and mitigates the paralysis that can occur from a ransomware infection. Maintaining awareness of the threat environment and sharing it with staff can increase protection.

Detect: Detection is becoming aware that something is wrong. This could include automatic notifications of things out of the ordinary such as suspicious email, unauthorized attempts to access a protected file or other areas of a network, a potentially dangerous download, and/or a machine being compromised. Your team is also part of your detection efforts. Campaign staff or volunteers may be the first to see a phishing attempt or suspicious information requests like immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported are an early warning system. Unfortunately, detection sometimes occurs when something significant has already happened, like being notified you have ransomware.

Respond: Being ready with a plan should an incident occur is an important part of cybersecurity. Your goal is to reduce downtime and get systems up and running as quickly as possible. Giving thought to alternatives to using technology, such as accepting donations by phone and keeping a paper record while technology is not available can reduce disruption. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Develop a communications plan to proactively inform the public and the media.  Be prepared to access IT support to remediate any damage to technology and consider having a forensic specialist available to investigate the attack or incident. 

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents, and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection.

How do I get started?

The best way to get started is by asking yourself, an IT or cybersecurity professional, or an outside consultant to answer the following questions:

  • What are the important technology and data assets that if compromised would most impact the campaign?

    1. What and where are the devices we use--phones, computers, printers, software?

    2. What are the most critical data assets that, if they were lost or compromised or access to them was curtailed, would most hamper operations, be fodder for the media or opposition, or be seen as a violation of trust by the public?

    3. Who are we identifying as being part of the campaign? Do we need to include family members, other people close to the candidate, and their family members, key consultants*?

    4. What accounts are in need of protecting--financial, social media, third party apps for fundraising, voter lists--and who can access those accounts?

    5. How will risks change over time as the election gets closer or a race becomes more contentious?

  • What has the campaign done to provide protection for these critical technology and data assets? What protections are in place for the campaign website? 

  • How would we know if something went wrong?

  • Are we prepared with a response? 

    1. Who are the people that need to be alerted (e.g., legal, comms, incident response vendor)?

    2. What are our contingency plans for maintaining operations until the technology becomes available?

    3. How will we communicate with anyone directly impacted by the breach as well as the general public and the media?

  • How will we take lessons learned from an incident and strengthen the campaign going forward?

If you are a House, Senate, or Presidential Campaign, please reach out to us at info@defendcampaigns.org to set up a short call so we can determine your eligibility for our services and get your cybersecurity efforts up and running.

*You may have key consultants or other third-party providers critical to the campaign. Understanding what data they can access or is shared with them, and how they implement cybersecurity to protect your data, is critical. Even asking them to use the NIST Cybersecurity Framework or answer these questions is a good exercise to be sure they are protecting the campaign.

Q and A with Matt Rhoades, Campaign Veteran, and DDC Co-Founder

We had an opportunity to pose some questions to our founding Board Member and a prominent political consultant in the Republican party, Matt Rhoades.

Mr. Rhoades currently serves as Co-CEO of CGCN Group, an integrated advocacy and strategic communications firm that specializes in helping corporations, nonprofits and trade associations navigate complex legislative and regulatory issues.

Mr. Rhoades gained prominence working at the highest levels of political organizations and campaigns. As campaign manager for Governor Mitt Romney’s 2012 presidential campaign, he successfully guided Governor Romney’s campaign to victory through a crowded field of candidates in the Republican presidential primary.

DDC: When did you first become aware of the importance of cybersecurity for campaigns?

Matt: In 2011, when I was managing Mitt Romney’s presidential campaign. We discovered that our campaign had been hacked by the Chinese government during the primaries, and cybersecurity became a very real issue, very quickly. Unfortunately, this forced us to use precious campaign dollars on higher levels of network security rather than on winning votes.

DDC: Defending Digital Campaigns was created after an initiative you participated in at the Belfer Center at Harvard creating cybersecurity playbooks for campaigns and election officials. What are some key takeaways from that effort?

Matt: The political climate was hyper-partisan after the 2016 election, and my experience at the Belfer Center helped elevate a serious issue in a non-partisan way. Cyber-attacks are a threat that does not discriminate between parties – Democrats and Republicans need to work together to solve this problem and defend America’s campaigns.

DDC: What led to the creation of DDC?

Matt: Robby Mook, Debbie Plunkett and my experience at Harvard played a big role in catalyzing the creation of DDC. We realized that our work could continue, and really make a difference if we created an independent, bipartisan organization that both Democrats and Republicans could get behind. 

DDC: The campaign world is adversarial. Yet, there is strong agreement that providing cybersecurity needs to be done in a bipartisan, nonaligned manner. Why is that so important? 

Matt: After the 2016 elections, the focus was exclusively on Russia. This attention was warranted, but it left us blind to possibly even more serious threats in China, Iran, North Korea, and even here domestically. We’ve learned that cybersecurity threats can come from anywhere, and anyone can be a target. Nation states and domestic hackers don’t care if you’re a liberal or conservative – they care about creating chaos and discord in our country. That’s the type of problem Americans can only solve if it’s united. 

DDC: Why is it important to offer cybersecurity services to campaigns for free or at a low-cost?

Matt: Good campaigns are cheap – they can’t afford to be worried about paying for cybersecurity software. I ran a presidential campaign and even we couldn’t afford that additional expense. How can local campaigns be expected to? All that campaigns should be focused on is winning votes, and offering these services for free or at a low cost allows that. 

DDC: It's undeniable that campaigns will look different this year due to COVID-19. Any advice about how campaigns should operate in this new environment?

Matt: Campaigns are always forced to make changes, and good campaigns always adapt to the environment they exist in. Be smart, make changes quickly, and don’t be scared.

If you are part of a US House, Senate or Presidential Campaign, your campaign might be eligible for Defending Digital Campaigns' free or reduced-price cybersecurity products or services. Email: info@defendcampaigns.org

Our Interview with Joel Wallenstrom: Why Wickr is the Most Secure Communications App for Campaigns in 2020

As our country is searching for a light at the end of the tunnel in the wake of a global pandemic, most campaigns are now working remotely to help flatten the coronavirus curve. Candidates are hosting virtual town halls, Twitter chats, and Facebook and Instagram lives in lieu of in-person events.

To highlight our cybersecurity partners, DDC launched an interview series on our new blog and we are excited to introduce Joel Wallenstrom, President and CEO of Wickr.

DDC: Some people may not be aware of Wickr or encrypted communications. Can you describe what Wickr is and does? 

Joel: Wickr is a secure communications and collaboration company. We build software for mobile devices and desktop computers that provides the security of a face to face conversation over zero trust networks.  What's most unique is that we have built enterprise products on top of technology that has previously only been used in consumer products.

DDC: Now that most campaigns are working, to some degree, remotely to prevent the spread of the Coronavirus, how does Wickr help make them more secure when communicating and sending sensitive information?

Joel: Any time you’re communicating or sending sensitive information remotely there are risks. Wickr provides end-to-end encryption and a host of other security controls so that organizations can take the biggest risks off the table - risks like hostile mobile networks, public WiFi networks, etc. Wickr Pro users don’t have to trust these services because their data is secured prior to touching any of these potentially hostile systems.

The use of end-to-end encryption is different and often misunderstood.  Let me explain… Wickr Pro is fundamentally different from products like Zoom, Slack, WebEx, and Skype for Business that rely on client-to-server encryption. Client-to-server encryption (HTTPS, TLS) was built for web browsing. It’s really the wrong way to secure communications data. Client-to-server encryption essentially puts all your eggs in a single basket, in this case a server - and we have seen how unsuccessful corporations have been in their attempts to protect, patch and manage their servers!  If, or when, these systems are breached the attacker has access to everything. This is by design. It doesn't just have to be an outside attacker, insiders who are malicious or simply negligent have the ability to compromise all your centrally stored data and communications. End-to-end encryption completely eliminates this risk. 

DDC: For campaigns that are only communicating via email through services like Gsuite even with multi-factor authentication, how does it potentially put their campaign at risk?

Joel: Email just wasn’t built with security in mind, period. It’s not built for end-to-end security, for one, which leaves message content vulnerable to disclosure at key points along the path from sender to receiver, including as it sits in storage on the service provider’s servers. It’s not built to respect sensible data retention policies, either, which means it sits where it sits at the service provider for extended periods of time, needlessly extending the period of time in which it is vulnerable to unauthorized disclosure. If we look at recent attack trends as well, we see that web-based cloud email services are increasingly being targeted and losses are on the rise, and if you consider that web accounts of any kind are such an easy target for phishing and other attacks it kind of makes email communication the worst choice from a security perspective. 

DDC: Many people already use some form of encrypted communications, such as Signal or WhatsApp. How does Wickr differ from these services?

Joel: If Zoom and WhatsApp had a security baby the result would be Wickr Pro. The primary difference Wickr Pro provides is control and management. For example, we have 10,000 person corporate deployments that are managed and deployed by IT teams and small businesses managing their own free networks. Strong encryption is a critical component of Wickr Pro, and our encryption is second to none, but serious organizational use requires strong application security overall, administrative controls like SSO, privacy controls like 2FA, compliance features, etc. That’s what we provide in Wickr Pro. We also have Wickr Enterprise for customers who want to host their own instance, which is often the case in regulated industries and federal markets.

DDC: What are the most common concerns you hear from campaigns regarding adapting to secure communications?

Joel: First place would go to the perception that it will be hard to use. This stems from the traditional fear that security comes at the expense of usability. This goes away once you actually use Wickr Pro and see that it’s as easy as using your SMS app on mobile or email on desktop. Making security easy to use is the foundational goal of the product and company. Another concern is compliance.  Consumer products - you mentioned Signal and WhatsApp - tend to rub compliance officers the wrong way. When we set out to build Wickr Pro we knew there would need to be a way to keep the lawyers and compliance officers happy!   

DDC: Wickr recently announced an enhanced offering of its free services to help companies moving workers to remote working. What is that new offering and how do people take advantage of it?

Joel: We just wanted to do what we can to help. We’ve always offered a free option of Wickr Pro. Last week we decided to increase the size of Free Wickr Pro Networks to 30 and uncap features.  So, for example, you can now have a video conference for as long as you like. We wanted to remove economics as a barrier to access for organizations who need secure communications.

DDC: Wickr was one of the first companies to sign up with DDC to enhance the cybersecurity of campaigns. Why was it important for Wickr to join Defending Digital Campaigns' effort and how does it relate to Wickr's bigger vision and company values? 

Joel: DDC formalized what we and others were doing to make it more affordable for campaigns to acquire useful tools, and they did a fantastic job of it. We were all for it. This is the third election cycle where we have been helping campaigns, but the first where we have a real ally in the process.  We’ve all seen the dramatic impact data security issues can have on political campaigns (and by extension, all of us), so given how much we think we can help the situation we felt it important to step up.