Recently, Microsoft reported that nation-state adversaries were targeting political campaigns and their vendors in an attempt to access systems and data. Adversaries seeking to disrupt our democratic process know that the impact of their attacks will be greater as election day nears and campaigns have a shorter window to respond internally as well as to the public. Therefore, DDC expects that efforts to breach campaigns will increase, and unfortunately some will be successful. Clearly, taking steps to prevent an incident in the first place is a high priority (see our blog on steps to make campaigns more secure). 

Despite the best efforts to prevent a malicious cyber incident, it is possible that such an event could occur.  A campaign that suffers a cyber incident should be prepared to respond and recover from the potential negative impact on operations and their public image. 

Cyber incidents take many forms from infiltrating networks and stealing data to defacing or altering websites to freezing systems and demanding a ransom. And while we think of cyber incidents mostly as nation-states, hacktivists, or cybercriminals trying to disrupt or do harm to our democracy, they can also be accidental. For example, a laptop with sensitive or personal information gets lost or information gets incorrectly forwarded. They can even be as simple as a staffer or volunteer clicking on a link that in retrospect seemed suspicious. 

Some incidents may not involve the campaign’s technology or network. Instead, you might be notified by a third party you work with directly that they have had an incident and campaign data or sensitive information is at risk. In some cases, incidents are neither nefarious nor an internal accident. For example, how would you respond if a key vendor went down because of a cyber attack or a natural or manmade disaster restricted or closed off access to the internet or other technologies? 

You need to be prepared for all!

It is unrealistic for campaigns to create comprehensive written and practiced incident response plans. However, doing some basic preparation around initial steps the campaign will take is not complicated or time-consuming, and will be time well-spent should an incident occur.

The first step is having a core internal team that will create an approach and be alerted and respond to incidents. Team members should, at minimum, include the campaign manager, finance director, and any person or vendor handling your IT or security. Engaging your candidate in the development of your incident response is not required. However, candidates should be among, if not the first, person notified if an incident occurs. 

Ideally, in advance, the core teams would have thought through these questions and issues: 

• In addition to the core team, who are the people that need to be alerted? For example, legal, PR/comms, compliance, incident response vendor, and other vendors that could be impacted by an incident, such as data and fundraising (you could add any of these to the core team as well).

• Have you created a way for campaign staffers and others directly involved in the campaign to report an incident? Do people know who to reach out to and even that they should reach out if they see something concerning? Setting the tone that encourages reporting, even if the user made a mistake is an important part of detecting an incident, and could lead to immediate mitigation if for example someone clicked on a bad link and any malicious behavior can be prevented.

• How will you handle PR/communications? Some organizations have been judged more harshly about how they handled an incident including communications with impacted people then they were about the incident happening in the first place.

• In the event current technology becomes unusable, what are the contingency plans for maintaining continuity of operations until the technology is online again? Is there a way to revert to alternatives (e.g., another network or paper) if needed for creating records? How would you communicate internally with staff, volunteers, or vendors? Are you prepared to replace technology that may no longer be available or usable? 

• With legal and compliance, understand your obligations to people directly impacted.  Most states have data breach laws. You should know your state’s (and any other states where supporters data has been lost) requirements. You could be mandated to notify people in a specific manner, such as actually mailing them a letter or have other obligations to people whose data is lost or potentially lost.  If a vendor loses your data, you are going to want to be sure that they do the right thing by your supporters because whatever they do will reflect on you.

• Talk to key vendors about their incident response plans. Most campaigns have many third-party vendors. You should ask them about their cyber incident plans and evaluate your comfort level with how they will respond. At this late date, a campaign is unlikely to jump ship because of a vendor’s response.  However, if you think a vendor may have a weak or deficient plan, you can ask them to do better and/or be prepared to enhance your response if that vendor is impacted. 

As a campaign, you know that you are under a microscope. Being prepared for an incident and responding in an organized and professional manner, not only lessens the impact it demonstrates leadership and resilience.

Other Resources

Belfer Center Cybersecurity: Playbook for Campaigns

Critical Infrastructure Security Agency: Cyber Essentials

The 2020 election cycle is moving toward the final phase. Yes, there are still a few primaries to go but for the most part, ballots are set and campaigns are gearing up to get their candidates elected.

Now is an opportune moment for campaigns to shore up their cyber defenses to protect their staff and volunteers from potential threats. Here are five cybersecurity steps every campaign should take before Election Day: 

1. Turn on the strongest form of MFA or 2FA to protect accounts

2. Secure your website

3. Use and or enforce the use of encrypted communications

4. Encourage staff and others to secure accounts

5. Be prepared if an incident occurs

 Learn more about each of these and how Defending Digital Campaigns can help.

1.  Turn on the strongest form of MFA or 2FA to protect accounts: 

IF YOU ONLY DO ONE THING FOR THE REMAINDER OF THIS CYCLE, IMPLEMENT ACCOUNT PROTECTIONS!

Two simple truths: if you work on a campaign you are a target, and phishing and attempts to steal account logon information and credentials are the most likely ways a campaign will be hacked. 

Protecting accounts from being compromised is the most important cybersecurity priority for a campaign. A bad actor that gains access to email, share drives, social media, finance, or website editing accounts can do extraordinary damage to a candidate and a campaign. 

To achieve the best forms of protection, turn on multi-factor authentication sometimes referred to as MFA (multi-factor), or 2FA (two-factor authentication) on every account that allows it. If your campaign is using G Suite, you will want to use their Advanced Protection Program often referred to as APP (https://landing.google.com/advancedprotection/). If your campaign is using Office 365, you will want to use Account Guard (https://www.microsoftaccountguard.com/en-us/). Both require the use of a security key—a small piece of hardware that plugs into a USB port. 

DDC has FREE keys for campaigns from Google and Yubico and can even help your team implement them with the assistance of our Onboarding Specialist that can hold a quick training for your team. The same keys can also be used to secure social media accounts on Facebook and Twitter as well as many other services across the internet. If MFA is not available on important accounts, implement a password manager such as LastPass (available for free through DDC) or at minimum enforce password creation policies that result in long, strong, and unique passwords.

2. Secure your website: 

Your public facing presence is your candidate’s brand and connection to the community. Campaigns use their websites as a portal to introduce their candidate and his or her positions as well as for fundraising and in many cases to provide valuable information to voters about how to register and vote.  

Websites can be vulnerable to various kinds of attacks including being defaced with objectionable messages, brought to standstill via an attack that overwhelms a web service (known as a DDOS attack), and/or having content altered resulting in false information about a candidate or other critical information. DDC can provide access to a FREE account from Cloudflare (https://www.cloudflare.com/campaigns/usa/) that will protect your site from potential threats.

3. Use and or enforce the use of encrypted communications: 

Campaigns generate and share vast amounts of sensitive data and information. How and who that data can be shared with should be codified for campaign staff in a written or oral policy. 

Many campaigns we speak of report informal use of services like Wickr or Signal, which is a great start. However, most don’t have a specific policy about what is ok to be shared via email or what should only be shared in an encrypted channel. Communicate with your staff about how sensitive campaign data should be shared. DDC’s Onboarding Specialist can help campaigns set up Wickr, which is free for campaigns with less than 30 people, and reduced rates are available for larger campaigns through DDC.

4. Encourage staff and others to secure personal accounts: 

Bad actors trying to access your campaign will use many methods. One that is tried and true in the campaign space is attempting to compromise the personal emails and accounts of campaign staff, the candidate, the candidate’s family or close confidants, or third-party vendors because the assumption is they are not as strongly secured as campaign email.

If you have implemented security keys at the campaign, in most cases those keys can also be used to secure personal email accounts. At minimum, even though campaigns cannot likely enforce security on personal accounts or third-party accounts, they should be educating and encouraging anyone closely associated with the campaign to secure email and other sensitive accounts. Contact us for a discussion about how to secure personal accounts and expand  the perimeter of protection for your campaign.

5. Be prepared if an incident occurs: 

The common cybersecurity wisdom is that as the election approaches activity by bad actors will increase. Therefore, some incident response planning should be done even if it’s just the campaign manager and/or the finance director taking a few minutes to put together a short list of steps to take if something goes wrong. Questions to answer include: 

• Who are the people that need to be alerted (i.e., legal, comms, IT vendor, incident response vendor, law enforcement)? 

• In the event of an attack that renders technology unusable (for example ransomware), what are the contingency plans for maintaining operations (for example, maintaining paper records) until the technology becomes available? 

• How will the campaign communicate with anyone directly impacted by the breach as well as the general public and the media? 

If you are a campaign of over 25 people, contact DDC about potentially getting a free incident response retainer from Atlantic Data Forensics and discounted rates for response. 

Of course, there are other steps you can take as well including building a culture of cybersecurity through training and educating staff. DDC has several training partners including Foresight2020, Elevate Security, and Cybrary all of which are free to eligible campaigns. Protecting mobile devices with our partners, partners Lookout and Zimperium, and protecting against phishing with Agari and Area1.

DDC is here to help and It’s quick and easy to get started! The best way to start is to schedule a quick call so we can guide you through some ideas  about the best ways to secure your campaign. Email us at info@defendcampaigns.org and we will get the ball rolling!

Social media is critical to most campaigns providing opportunities to interact with supporters, convey key messages, fundraise, and advertise. In this COVID-19 world we are currently living in, social media platforms have become imperative to maintaining connections through engaging posts and live online events that replace retail politics, the lifeblood of many campaigns.

Successful social media efforts require constant engagement with the platform. Therefore, campaigns frequently have multiple people—staffers and volunteers—managing pages, posting information, and responding to comments, potential voters, and supporters.

Unfortunately, social media platforms are also used in nefarious ways as well. Bad actors can try and hack social media accounts to post false and misleading information appearing to come from the campaign, comment with links to bad information or phishing sites, try and agitate supporters, and more. 

Campaigns need to balance the good that comes from the reach and engagement of social networks while protecting against the risks.

Facebook has a special program for campaigns called Facebook Protect (https://www.facebook.com/gpa/facebook-protect).  The program is voluntary and helps Facebook to more quickly detect any potentially suspicious account activity by monitoring for attempts to hack the account, such as unusual login locations or unverified devices.

Facebook Protect is designed for:

• Candidates of federal, state and local offices and their campaign staff

• Federal, state and local elected officials and their staff

• Representatives from federal and state political party committees and their staff

• Federal, state and local agencies and departments’ Page admins who have a role in the elections process

• Any person or group with a blue badge-verified Page who is involved in the elections process

To get started with Facebook Protect, your page needs to be blue badge-verified. To start the process of verification you can go here: https://www.facebook.com/help/1288173394636262

If you use other Facebook products, increase your level of security by turning multifactor authentication: 

• Instagram: https://help.instagram.com/566810106808145

• WhatsApp: go to WhatsApp > Settings > Account > Two-Step Verification > Enable. 

At Defending Digital Campaigns, we offer free and reduced-price cybersecurity services to help campaigns implement better cybersecurity. We can also help you onboard cybersecurity products and services we make available, including helping you secure your Facebook account. 

We are thrilled to partner with Facebook to help campaigns secure their social media! The best way for campaigns to get started is to have a quick call with us. Please reach out to info@defendcampaigns.org to schedule an introductory call.

If you are a candidate, campaign manager, or staff member, you should be concerned about the risks of a cyberattack and the subsequent impacts should an incident occur. Attempts to compromise campaigns come from a variety of potential bad actors, including nation states looking to disrupt our democracy, cybercriminals looking to steal data they can monetize, and people that are opposed to candidates for any number of reasons. Incidents can also occur if campaign staff make mistakes or a device is lost or stolen.

Defending Digital Campaigns (DDC) was created to bring free and low-cost services to House, Senate, and Presidential Campaigns as well National Parties and Committees. To date, more than 120 campaigns have taken advantage of one of the free or reduced price services from one of our partners.

The generosity of the private sector to work to preserve the integrity of our electoral process is tremendous. However, understanding which products your campaign needs is about understanding your risks and applying the right products to your environment.  Campaigns differ from traditional organizations in a number of ways: what technology they use, how they grow, how long they are around, the different ways people interact with the campaign, and the high percentage of staff and volunteers that bring their own devices.  

Where to Start?

Rome wasn’t built in a day and the cyber defenses of a campaign aren’t either. You need to have a lens to evaluate your needs and build your cybersecurity posture over time as the campaign season unfolds and risks change. 

At DDC, we highly recommend applying the National Institute of Standards (NIST) Cybersecurity Framework to creating your approach to cybersecurity. NIST is a part of the US Department of Commerce, and The Cybersecurity Framework was developed in a collaboration between NIST, industry, and civil society. It is a simple non-technical way to think about protecting your campaign. It has five steps to establishing stronger cybersecurity:

Identify: What are the most valuable technology and data assets you have to protect and who is in need of protection? Prioritize your cybersecurity efforts from protecting the campaign’s “crown jewels.” Identify technologies in use including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored.  Don’t forget about your website as a valuable campaign asset. Because campaigns have many people interacting with the effort, lines between who is on the campaign and who is not are often blurry. Think beyond the candidate, staff, and volunteers to the spouse, children, consultants, and close confidantes with access to vital information needing protection. Campaigns often have accounts with shared access by several staffers such as social media or email accounts. Because campaigns fluctuate in size, needs will be different as you move from the primary to the general election.

Protect: Protect are the measures you take to strengthen defenses. You begin around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available;  protecting devices with endpoints; using encrypted communications for sharing sensitive documents or conducting confidential communications; protecting your website; setting up systems using security and privacy settings in the software you use (G Suite, Office); and ensuring software is up to date or patched. Since phishing as well as common mistakes can lead to cyber incidents, cybersecurity training for campaign staff and volunteers adds a layer of protection. Redundancy, in the form of data backups, reduces the impact of an incident or damaged or lost machines and mitigates the paralysis that can occur from a ransomware infection. Maintaining awareness of the threat environment and sharing with staff can increase protection.

Detect: Detection is becoming aware of something is wrong. This could include automatic notifications of things out of the ordinary such as suspicious email, unauthorized attempts to access a protected file or other areas of a network, a potentially dangerous download, and/or a machine being compromised. Your team is also part of your detection efforts. Campaign staff or volunteers may be the first to see a phishing attempt or suspicious information requests like immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported is an early warning system. Unfortunately, detection sometimes occurs when something significant has already happened, like being notified you have ransomware.

Respond: Being ready with a plan should an incident occur is an important part of cybersecurity. Your goal is to reduce downtime and get systems up and running as quickly as possible. Giving thought to alternatives to using technology, such as accepting donations by phone and keeping a paper record while technology is not available can reduce disruption. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Develop a communications plan to proactively inform the public and the media.  Be prepared to access IT support to remediate any damage to technology and consider having a forensic specialist available to investigate the attack or incident. 

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents, and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection.

How do I get started?

The best way to get started is by asking yourself, an IT or cybersecurity professional, or an outside consultant to answer the following questions:

• What are the important technology and data assets that if compromised would most impact the campaign?

  1. What and where are the devices we use--phones, computers, printers, software?

  2. What are the most critical data assets that if lost, compromised, or access was curtailed would most hamper operations, be fodder for the media or opposition, or could be seen as a violation of trust by the public? 

  3. Who are we identifying as being part of the campaign? Do we need to include family members, other people close to the candidate, and their family members, key consultants*?

  4. What accounts are in need of protecting--financial, social media, third party apps for fundraising, voter lists--and who can access those accounts?

  5. How will risks change over time as the election gets closer or a race becomes more contentious?

• What has the campaign done to provide protection for these critical technology and data assets? What protections are in place for the campaign website? 

• How would we know if something went wrong?

• Are we prepared with a response? 

  1. Who are the people that need to be alerted (i.e., legal, comms, incident response vendor)?

  2. What are our contingency plans for maintaining operations until the technology becomes available?

  3. How will we communicate with anyone directly impacted by the breach as well as the general public and the media?

• How will we take lessons learned from an incident and strengthen the campaign going forward?

If you are a House, Senate, or Presidential Campaign, please reach out to us at info@defendcampaigns.org and set up a short call and we can determine your eligibility for our services and get your cybersecurity efforts up and running.

*You may have key consultants or other third providers critical to the campaign. Understanding what data, they can access or is shared with them and how they implement cybersecurity and to protect your data is critical. Even asking them to use the NIST Cybersecurity Framework or answering these questions is a good exercise to be sure they are protecting the campaign. 

We had an opportunity to pose some questions to our founding Board Member and a prominent political consultant in the Republican party, Matt Rhoades.

Mr. Rhoades currently serves as Co-CEO of CGCN Group, an integrated advocacy and strategic communications firm that specializes in helping corporations, nonprofits and trade associations navigate complex legislative and regulatory issues.

Mr. Rhoades gained prominence working at the highest levels of political organizations and campaigns. As campaign manager for Governor Mitt Romney’s 2012 presidential campaign, he successfully guided Governor Romney’s campaign to victory through a crowded field of candidates in the Republican presidential primary.

DDC: When did you first become aware of the importance of cybersecurity for campaigns?

Matt: In 2011, when I was managing Mitt Romney’s presidential campaign. We discovered that our campaign had been hacked by the Chinese government during the primaries, and cybersecurity became a very real issue, very quickly. Unfortunately, this forced us to use precious campaign dollars on higher levels of network security rather than on winning votes.

DDC: Defending Digital Campaigns was created after an initiative you participated in at the Belfer Center at Harvard creating cybersecurity playbooks for campaigns and election officials. What are some key takeaways from that effort?

Matt: The political climate was hyper-partisan after the 2016 election, and my experience at the Belfer Center helped elevate a serious issue in a non-partisan way. Cyber-attacks are a threat that does not discriminate between parties – Democrats and Republicans need to work together to solve this problem and defend America’s campaigns.

DDC: What led to the creation of DDC?

Matt: Robby Mook, Debbie Plunkett and my experience at Harvard played a big role in catalyzing the creation of DDC. We realized that our work could continue, and really make a difference if we created an independent, bipartisan organization that both Democrats and Republicans could get behind. 

DDC: The campaign world is adversarial. Yet, there is strong agreement that providing cybersecurity needs to be done in a bipartisan, nonaligned manner. Why is that so important? 

Matt: After the 2016 elections, the focus was exclusively on Russia. This attention was warranted, but it left us blind to possibly even more serious threats in China, Iran, North Korea, and even here domestically. We’ve learned that cybersecurity threats can come from anywhere, and anyone can be a target. Nation states and domestic hackers don’t care if you’re a liberal or conservative – they care about creating chaos and discord in our country. That’s the type of problem Americans can only solve if it’s united. 

DDC: Why is it important to offer cybersecurity services to campaigns for free or at a low-cost?

Matt: Good campaigns are cheap – they can’t afford to be worried about paying for cybersecurity software. I ran a presidential campaign and even we couldn’t afford that additional expense. How can local campaigns be expected to? All that campaigns should be focused on is winning votes, and offering these services for free or at a low cost allows that. 

DDC: It's undeniable that campaigns will look different this year due to COVID-19. Any advice about how campaigns should operate in this new environment?

Matt: Campaigns are always forced to make changes, and good campaigns always adapt to the environment they exist in. Be smart, make changes quickly, and don’t be scared.

If you are part of a US House, Senate or Presidential Campaign your campaign might be eligible for Defending Digital Campaigns free or reduced-priced cybersecurity products or services. Email: info@defendcampaigns.org

As our country is searching for a light at the end of the tunnel in the wake of a global pandemic, most campaigns are now working remotely to help flatten the coronavirus curve. Candidates are hosting virtual town halls, Twitter chats, and Facebook and Instagram lives in lieu of in-person events.

To highlight our cybersecurity partners, DDC launched an interview series on our new blog and we are excited to introduce Joel Wallenstrom, President and CEO of Wickr.

DDC: Some people may not be aware of Wickr or encrypted communications. Can you describe what Wickr is and does? 

Joel: Wickr is a secure communications and collaboration company. We build software for mobile devices and desktop computers that provides the security of a face to face conversation over zero trust networks.  What's most unique is that we have built enterprise products on top of technology that has previously only been used in consumer products.

DDC: Now that most campaigns are working, to some degree, remotely to prevent the spread of the Coronavirus, how does Wickr help make them more secure when communicating and sending sensitive information?

Joel: Any time you’re communicating or sending sensitive information remotely there are risks. Wickr provides end-to-end encryption and a host of other security controls so that organizations can take the biggest risks off the table - risks like hostile mobile networks, public WiFi networks, etc. Wickr Pro users don’t have to trust these services because their data is secured prior to touching any of these potentially hostile systems.

The use of end-to-end encryption is different and often misunderstood.  Let me explain… Wickr Pro is fundamentally different from products like Zoom, Slack, WebEx, and Skype for Business that rely on client-to-server encryption. Client-to-server encryption (HTTPS, TLS) was built for web browsing. It’s really the wrong way to secure communications data. Client-to-server encryption essentially puts all your eggs in a single basket, in this case a server - and we have seen how unsuccessful corporations have been in their attempts to protect, patch and manage their servers!  If, or when, these systems are breached the attacker has access to everything. This is by design. It doesn't just have to be an outside attacker, insiders who are malicious or simply negligent have the ability to compromise all your centrally stored data and communications. End-to-end encryption completely eliminates this risk. 

DDC: For campaigns that are only communicating via email through services like Gsuite even with multi-factor authentication, how does it potentially put their campaign at risk?

Joel: Email just wasn’t built with security in mind, period. It’s not built for end-to-end security, for one, which leaves message content vulnerable to disclosure at key points along the path from sender to receiver, including as it sits in storage on the service provider’s servers. It’s not built to respect sensible data retention policies, either, which means it sits where it sits at the service provider for extended periods of time, needlessly extending the period of time in which it is vulnerable to unauthorized disclosure. If we look at recent attack trends as well, we see that web-based cloud email services are increasingly being targeted and losses are on the rise, and if you consider that web accounts of any kind are such an easy target for phishing and other attacks it kind of makes email communication the worst choice from a security perspective. 

DDC: Many people already use some form of encrypted communications, such as Signal or WhatsApp. How does Wickr differ from these services?

Joel: If Zoom and WhatsApp had a security baby the result would be Wickr Pro. The primary difference Wickr Pro provides is control and management. For example, we have 10,000 person corporate deployments that are managed and deployed by IT teams and small businesses managing their own free networks. Strong encryption is a critical component of Wickr Pro, and our encryption is second to none, but serious organizational use requires strong application security overall, administrative controls like SSO, privacy controls like 2FA, compliance features, etc. That’s what we provide in Wickr Pro. We also have Wickr Enterprise for customers who want to host their own instance, which is often the case in regulated industries and federal markets.

DDC: What are the most common concerns you hear from campaigns regarding adapting to secure communications?

Joel: First place would go to the perception that it will be hard to use. This stems from the traditional fear that security comes at the expense of usability. This goes away once you actually use Wickr Pro and see that it’s as easy as using your SMS app on mobile or email on desktop. Making security easy to use is the foundational goal of the product and company. Another concern is compliance.  Consumer products - you mentioned Signal and WhatsApp - tend to rub compliance officers the wrong way. When we set out to build Wickr Pro we knew there would need to be a way to keep the lawyers and compliance officers happy!   

DDC: Wickr recently announced an enhanced offering of its free services to help companies moving workers to remote working. What is that new offering and how do people take advantage of it?

Joel: We just wanted to do what we can to help. We’ve always offered a free option of Wickr Pro. Last week we decided to increase the size of Free Wickr Pro Networks to 30 and uncap features.  So, for example, you can now have a video conference for as long as you like. We wanted to remove economics as a barrier to access for organizations who need secure communications.

DDC: Wickr was one of the first companies to sign up with DDC to enhance the cybersecurity of campaigns. Why was it important for Wickr to join Defending Digital Campaigns' effort and how does it relate to Wickr's bigger vision and company values? 

Joel: DDC formalized what we and others were doing to make it more affordable for campaigns to acquire useful tools, and they did a fantastic job of it. We were all for it. This is the third election cycle where we have been helping campaigns, but the first where we have a real ally in the process.  We’ve all seen the dramatic impact data security issues can have on political campaigns (and by extension, all of us), so given how much we think we can help the situation we felt it important to step up.