Q and A with Larkin Ryder, Director of Product Security at Slack

Secure communication inside a campaign is critical. Campaign staffers, vendors, and consultants often share highly sensitive data. Most campaigns use some form of information sharing and communication technology outside of traditional email or texting, and at DDC, we know that many campaigns use Slack. We had a great opportunity to ask Larkin Ryder, Slack’s Director of Product Security, some questions and get some advice about how campaigns can use Slack more securely.

Campaigns have many communications tools available to them. What are the benefits of Slack or any tool that allows stronger team communications? 

Slack provides rich features for securely optimizing the work you do every day. Slack helps keep teams organized by dividing the various components into channels focused on specific projects, goals, or team members. Users have control over who has access to and what type of information is stored in each channel. We also recently launched Slack Connect, a communications environment that provides a secure and productive way for organizations to communicate and collaborate with external parties within a shared channel.

Slack integrates with other productivity and software tools that you may already be using for your campaign, reducing the overhead and risk of switching between apps. It will change the way you work, the speed at which your organization can meet its goals, and how you organize projects.

Additionally, it’s worth noting that the number one attack vector leading to data breaches is phishing via email. Email is like having a front door with no lock on it. As the Director of Product Security at Slack, I’m lucky that all of our communication and collaboration is done in Slack. 

The people who you engage with in Slack are, for the most part, people with whom you already have a trusted relationship. This makes it easier to share information and to collaborate safely without the additional cognitive load of “should I click on this link?” and “am I okay to download this file?”

One of the issues we see in campaigns is that while they have many ways to communicate, they don’t always know which tool to use for which kind of communication. What advice do you have for campaigns around how Slack can fit with their overall communications practices and security practices?

I believe that you get the most benefit out of Slack the more you use it. Once you establish your Slack workspace (picking a team name and inviting members), you have a variety of communication conduits at the team’s disposal:

  • Public channels for topics of general interest and projects where anyone might need to contribute; 

  • Private channels for projects and data only relevant to a subset of team members;

  • Direct messages (DMs) between two people or among a larger group for more transient and point-to-point conversations.

Slack lets you upload and share a variety of assets (files, images, code snippets, etc.) in each of these conduits. Assets shared within a public channel are readable and searchable for every member of the Slack workspace. Assets shared within private channels or DMs are only visible to the members of those conversations.

If you are using GDrive, OneDrive, Box, etc., you can still use Slack to share links to these documents. Slack provides robust integrations with these file-sharing services, enabling access control and search indexing at your discretion.

For some file-sharing services, Slack’s robust integrations give you the option to adjust permissions on your file to share with channel members from within Slack. I love this feature! I can keep all the documents I create in GDrive locked down. Then, when I paste the document link into a Slack message, Slack will prompt me to adjust the permissions. With one click, I can enable document sharing ONLY with the people already in the channel. I don’t have to remember and type the email address of each person with whom I want to share the document. I can respond to incremental document access requests from within Slack, too. This is a great example of how well-designed product integrations that reduce overhead and friction can also improve security.

Not all software and platform providers secure their platforms the same way. What is Slack’s approach to protecting users and data? 

This is a great question. Protecting the privacy and security of our customers' data is a top priority for Slack and independent agencies regularly certify that we meet the highest standards for information security management and protecting personal data in the cloud. Many government agencies, financial institutions, and other enterprise companies in regulated industries currently rely on Slack to keep their data secure and meet their compliance requirements. Slack provides extensive information on our website about our privacy and security practices. I’ll touch on a few highlights here, so you can get a sense of Slack’s extensive security program, but please visit https://slack.com/trust for a longer description of how Slack ensures the security and privacy of our service.

First and foremost, we spend a great deal of time evaluating the effectiveness of the security program itself. We engage world-class auditors to scrutinize our security program and we hire top-tier testers to try to break into our systems. We do this repeatedly and we encourage our customers to do it, too. We build our service using industry best practices for secure software development and constantly monitor our infrastructure for unexpected or suspicious activity. 

Let’s talk a bit more about data encryption. While “end-to-end” encryption is often touted as the safest choice, “end-to-end” encryption essentially means that a user has to be in possession of a specific device in order to read the data (or to enable another device to read the data).  While Slack’s service doesn’t require this (you can log in to Slack from any browser), Slack does encrypt all data in transit and at rest, meaning there are a number of protections already in place that help secure your data:

  • Users can enable two-factor authentication so that there’s an extra layer of security in addition to the password. This ties account access, and thus data access, to a device in the user’s control.

  • All communication between user devices and Slack’s servers is encrypted using strong encryption, meaning no plaintext data ever travels over internet connections.

  • All data is encrypted while at rest on Slack’s servers, meaning your data is protected even if an unauthorized person tries to access your information while in storage.

When an organization or campaign sets up a new platform like Slack they may be in a rush or not fully aware of all the settings available. What security features should all Slack teams enable? 

There are a handful of Slack features you should use to make sure that any Slack workspace is safe. You may need to coordinate with the administrator of your Slack workspace to make sure these settings are in place:

  • Two-factor authentication (2FA) requires users to be in control of a physical device, usually a phone but sometimes a smart token, in order to complete a new login. You should use 2FA to log in to any web-based service that contains data you care about. Your Slack administrator can make 2FA mandatory for all users of your Slack workspace. It’s easy to set up. Here are the instructions: https://slack.com/help/articles/204509068-Set-up-two-factor-authentication 

  • Admin app approvals prevent users from installing new app integrations on a Slack workspace that haven’t been reviewed and approved by an administrator. This ensures that no one outside your workspace can read your data unless you trust them. The Slack app directory has many amazing and useful tools from very security-conscious vendors (Salesforce, Google, ServiceNow, etc, etc), but there are small app vendors whose security capabilities may not yet align with your security risk tolerance. Admins should exercise appropriate diligence on behalf of their teams. This guide walks you through setting up your configuration and process for safely managing apps on your Slack workspace.

  • Access log reviews can be done by any user. If you visit https://my.slack.com/account/logs, you can see a record of each connection event to Slack. It’s not exciting reading, but it’s a good idea to review those access logs weekly. And if you see something unexpected, tell your Slack admin immediately!
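An added example, not part of the interview and not Slack's code: one way to make the weekly access-log review systematic is to compare each new login against that user's own history and surface only the ones that differ. The record fields are modelled on the shape of Slack's `team.accessLogs` Web API response (an assumption about how the log was exported); the entries, names and addresses are constructed sample data.

```python
"""Weekly Slack access-log review: flag logins that differ from a user's history."""
from collections import defaultdict
from datetime import datetime, timezone

DAY = 24 * 3600
NOW = 1602720000  # 2020-10-15 00:00 UTC, constructed "time of review"


def client_family(entry):
    """Coarse client label, so routine version bumps do not raise alerts."""
    ua = (entry.get("user_agent") or "").split()
    return ua[0].split("/")[0] if ua else "unknown"


# Attributes compared against each user's own earlier logins.
FEATURES = {
    "country": lambda e: e.get("country") or "unknown",
    "isp": lambda e: e.get("isp") or "unknown",
    "client": client_family,
}


def _login(user_id, username, first, last, ip, ua, isp, country):
    # Field names assumed to match an export shaped like team.accessLogs.
    return {"user_id": user_id, "username": username, "date_first": first,
            "date_last": last, "ip": ip, "user_agent": ua, "isp": isp,
            "country": country}


# Constructed sample log (documentation-range IPs, made-up ISPs).
SAMPLE_LOGINS = [
    _login("U01A", "alice", NOW - 30 * DAY, NOW - DAY, "192.0.2.10",
           "SlackWeb Mozilla/5.0 (Macintosh)", "Example Cable", "US"),
    _login("U01A", "alice", NOW - 2 * DAY, NOW - 2 * DAY, "192.0.2.44",
           "SlackWeb Mozilla/5.0 (Macintosh)", "Example Cable", "US"),
    _login("U01A", "alice", NOW - DAY, NOW - DAY, "203.0.113.77",
           "curl/7.68.0", "Example Hosting", "NL"),
    _login("U02B", "bob", NOW - 20 * DAY, NOW - 4 * DAY, "198.51.100.5",
           "SlackWeb Mozilla/5.0 (Windows NT 10.0)", "Example Fiber", "US"),
    _login("U02B", "bob", NOW - 3 * DAY, NOW - DAY, "198.51.100.90",
           "com.tinyspeck.chatlyio/20.10.10 (iPhone; iOS 14.0)",
           "Example Mobile", "US"),
    _login("U03C", "carol", NOW - DAY // 2, NOW - DAY // 2, "198.51.100.200",
           "SlackWeb Mozilla/5.0 (X11; Linux)", "Example Fiber", "US"),
]


def review_access_logs(entries, now, window=7 * DAY):
    """Return logins first seen inside the review window that introduce a
    country, ISP or client family the user has not used before it."""
    cutoff = now - window
    baseline = defaultdict(lambda: {name: set() for name in FEATURES})
    recent = []
    for e in entries:
        if e["date_first"] < cutoff:
            # Seen before the window (even if still active): part of history.
            for name, extract in FEATURES.items():
                baseline[e["user_id"]][name].add(extract(e))
        else:
            recent.append(e)

    findings = []
    for e in sorted(recent, key=lambda e: e["date_first"]):
        known = baseline.get(e["user_id"])
        if known is None:
            reasons = ["no login history before this window"]
        else:
            reasons = [f"new {name}: {extract(e)}"
                       for name, extract in FEATURES.items()
                       if extract(e) not in known[name]]
        if reasons:
            first = datetime.fromtimestamp(e["date_first"], tz=timezone.utc)
            findings.append({"username": e["username"], "ip": e["ip"],
                             "first_seen": first.strftime("%Y-%m-%d %H:%M UTC"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access_logs(SAMPLE_LOGINS, NOW):
        print(f"{f['first_seen']}  {f['username']:<6} {f['ip']:<15} "
              + "; ".join(f["reasons"]))
```

A finding is a prompt to ask the user, not proof of compromise: a new phone or a trip produces the same signal, which is why an IP change alone on the same ISP and client is not reported.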

Campaigns fluctuate in size quite a bit. What is Slack’s approach to user management?  What advice do you have for campaigns to manage users? 

Managing user membership in your Slack workspace conscientiously is one of the most important things you can do to protect the security of your Slack workspace. Generally, a good security practice is to adhere to something called the Principle of Least Privilege, wherein you strive to limit each user to the minimum set of capabilities necessary for them to do their job. This can be accomplished by periodically reviewing how your users’ responsibilities and relationships to your organization have changed. 

Slack offers several different classes of users and it’s important to understand the differences. 

  • Guests 

    • Guest accounts are only available on paid plans and have limited availability. There are two types of guests:

      • Single-channel guest (or SCG) -- These users may only be invited to a single channel that the admin specifies. However, they can see profiles of and DM other users who are in the same channel.

      • Multi-channel guests (or MCG) -- These users may be invited to multiple channels. Any full member can invite the MCG to a new channel. MCGs cannot add themselves to channels or see any channels they are not invited to. They can see profiles of and DM other users who are in the same channels.

    • PRO TIP: Set an expiration date when you add a guest user to your Slack team. You can always extend it later or reactivate their account. This saves you from letting less trusted members of your organization overstay their welcome. 

  • Full members - Full members can add or remove MCGs from channels, DM all other users in the workspace, post in and read from any public channel, etc. It is possible to give full members a wide variety of permissions or to reserve them for admins. For example, should full members be allowed to invite other users to your team, or should that ability be reserved for admins? 

  • Admins -- Admins control the configuration of your Slack workspace (except in a very few cases that are reserved exclusively for owners). They control who else can take on admin tasks, including adding users, integrating apps from Slack’s app directory, managing channels and many other day-to-day administrative tasks. 

  • Owners -- Owners have the ultimate authority over your Slack account and own the relationship between your organization and Slack. They control features like billing, authentication and access, security policies, etc. There can be only one Primary Owner, but the Primary Owner can transfer this responsibility to another user. 

You can find more details on the permissions of each user role here

On a related topic, campaigns—win or lose—shut down after elections. Some may just be on hiatus until the next cycle. What are steps campaigns using Slack should take when they close or are in hibernation?

When you shut down a campaign, you may wish to shut down associated Slack workspaces. The workspace Owner can delete the workspace, which will remove all of the data from Slack’s backend. 

If you want to maintain your team (maybe you’ll be working together again soon), you can keep it active. Depending on your payment terms, Slack will only bill you for the users who are using Slack, based on Slack’s Fair Billing policy. 

From a security perspective, I recommend removing non-essential users from the team. The fewer people with access, the safer your data will be. 

I also recommend reviewing any documents you might have shared. If you are using Slack Connect, shared channels can be disconnected. The channels freeze when disconnected and can’t be modified by either team, but the data is still readable. You can reconnect the channel again in the future, if needed.

Note that Slack’s retention policy will still operate! If you have a 30-day retention period for any channels or your workspace overall, your data will still disappear once it is 30 days old, regardless of whether or not you are using it. 

What are one or two cool things you can do on Slack that most users don’t know?

This is the hardest question! Slack has so many cool features. Here are the handful I can’t live without:

  • Quick switcher (CTRL-K) is a command I hope everyone knows about, but just in case, I’m putting it here. This will allow you to navigate Slack, to find messages or files or channels or people and jump right to the place you need to be. Just type <CTRL-K><thing-you-want-to-get-to> and the search results pop up, showing the channels, people, files, or messages you are looking for. 

  • Reacji channeler is a fun way to organize your messages. Reacjis are the use of “emoji reactions” to respond to a message as a way to confirm receipt, give feedback, and/or reinforce the company’s culture in a quick and efficient way. With reacji channeler, using reacji, you can send a message to another channel. Obviously, it’s good to use less common reacji for this feature. 

  • Link pasting is so easy in Slack. Copy the link, highlight the text to “linkify” and paste. Voila! Your text is now linked and clickable. 

  • Reminders are incredibly easy to set in Slack. Using /remind and simple phrases you can set up reminders for things you (and others) need to do later. Reminders can go to yourself, to others, or to a channel. Reminders can be one time only or recurring. You can use simple phrases. No need to remember complex syntax. For example, 

    • /remind me to take out the trash tonight

    • /remind @johnsmith to call Stephanie for an update on 9/19/2020 at 2pm 

    • /remind #proj-lexicon “it’s time to post your status report” every Thursday at 9am

Wow, that was a lot, but I hope it is useful information. The Slack Help Center is also a great resource. You can use your web browser to search on most any how-to question and get an easy to follow guide for Slack. Finally, our wonderful customer agents are also a terrific resource. In your Slack desktop application, just click the (?) icon to the right of the search box at the top to get more help. Thank you for all you do to keep our elections secure!

It's Not Too Late to Secure Your Campaign

With less than 3 weeks to go before Election Day, it’s never too late to enhance the cybersecurity of your campaign. With DDC's help, it can be done quickly and for free!

Here are some low-lift things campaigns can still implement and how DDC can help: 

  • Using the strongest authentication possible. Google convened more than 40 campaign and cybersecurity experts seeking their most important cybersecurity advice for campaigns, and the clear answer was to secure accounts with multifactor (or two-factor) authentication. DDC can help secure accounts with:

    • Free Google Titan Security Keys. DDC eligible campaigns now get overnight shipping and our onboarding specialist can help you turn on Google’s Advanced Protection Program. Keys can also be used to secure social media accounts and your phone can be set up as a key!

    • Free YubiKeys from Yubico (first 10 are free, then 50% discounts for more) are usable across the internet to secure accounts and with Microsoft products. Contact us for more information and onboarding assistance.

    • LastPass password manager. Strong passwords are critical and password managers help create good password practices. DDC can help you get LastPass for free and onboarded on your campaign. This can be up and running within one day.

  • Secure your website. Protecting your public-facing presence is critical as web traffic likely increases as the election nears. DDC can help you get Cloudflare for Campaigns up and running and protect your site from Distributed Denial of Service (DDoS) attacks and much more. Depending on current configurations, Cloudflare can be implemented in just a couple of hours. All you need to do is connect us with your web firm, and DDC and Cloudflare can take care of the rest. 

  • Secure your social media accounts. Social media is one of the most important channels campaigns use to communicate with supporters. These accounts can also be a target for disruption by adversaries. Securing them and making sure you are using the social media companies’ tools to protect campaigns is easy and quick to implement. Contact us for information on securing your accounts, and read our blog on Securing Your Social Media Accounts with Facebook Connect.

  • Communicate privately and securely. Most campaigns we talk with are already using Wickr or Signal. Make sure staff know what is to be shared through those channels. If you are not using secure communications, DDC can help you onboard Wickr quickly (free for campaigns with less than 30 staff members).

  • Be ready if anything goes wrong. If a cybersecurity incident should occur, you want to have done at least some planning. Read our recent blog Is Your Campaign Prepared for A Cyber Incident? for some basic questions you should be ready to answer if something happens.

  • People are one of the best cybersecurity defenses. Consider a one-hour training from Foresight2020 to help staff use technology more securely. DDC can help organize.

The Cybersecurity and Infrastructure Security Agency at DHS (CISA) held a summit, Defending Democracy. Watch our panel featuring DDC, Google, and Microsoft on efforts to protect campaigns.

DDC is ready to help in any way we can. Contact us at info@defendcampaigns.org and get your campaign secured as quickly as possible.

Is Your Campaign Prepared for a Cyber Incident?

Recently, Microsoft reported that nation-state adversaries were targeting political campaigns and their vendors in an attempt to access systems and data. Adversaries seeking to disrupt our democratic process know that the impact of their attacks will be greater as election day nears and campaigns have a shorter window to respond internally as well as to the public. Therefore, DDC expects that efforts to breach campaigns will increase, and unfortunately some will be successful. Clearly, taking steps to prevent an incident in the first place is a high priority (see our blog on steps to make campaigns more secure). 

Despite the best efforts to prevent a malicious cyber incident, it is possible that such an event could occur.  A campaign that suffers a cyber incident should be prepared to respond and recover from the potential negative impact on operations and their public image. 

Cyber incidents take many forms from infiltrating networks and stealing data to defacing or altering websites to freezing systems and demanding a ransom. And while we think of cyber incidents mostly as nation-states, hacktivists, or cybercriminals trying to disrupt or do harm to our democracy, they can also be accidental. For example, a laptop with sensitive or personal information gets lost or information gets incorrectly forwarded. They can even be as simple as a staffer or volunteer clicking on a link that in retrospect seemed suspicious. 

Some incidents may not involve the campaign’s technology or network. Instead, you might be notified by a third party you work with directly that they have had an incident and campaign data or sensitive information is at risk. In some cases, incidents are neither nefarious nor an internal accident. For example, how would you respond if a key vendor went down because of a cyber attack or a natural or manmade disaster restricted or closed off access to the internet or other technologies? 

You need to be prepared for all!

It is unrealistic for campaigns to create comprehensive written and practiced incident response plans. However, doing some basic preparation around initial steps the campaign will take is not complicated or time-consuming, and will be time well-spent should an incident occur.

The first step is having a core internal team that will create an approach and be alerted and respond to incidents. Team members should, at minimum, include the campaign manager, finance director, and any person or vendor handling your IT or security. Engaging your candidate in the development of your incident response is not required. However, candidates should be among the first people notified, if not the first, when an incident occurs. 

Ideally, in advance, the core team would have thought through these questions and issues: 

  • In addition to the core team, who are the people that need to be alerted? For example, legal, PR/comms, compliance, incident response vendor, and other vendors that could be impacted by an incident, such as data and fundraising (you could add any of these to the core team as well).

  • Have you created a way for campaign staffers and others directly involved in the campaign to report an incident? Do people know who to reach out to and even that they should reach out if they see something concerning? Setting a tone that encourages reporting, even if the user made a mistake, is an important part of detecting an incident, and could lead to immediate mitigation: for example, if someone clicked on a bad link, malicious behavior might still be prevented.

  • How will you handle PR/communications? Some organizations have been judged more harshly for how they handled an incident, including communications with impacted people, than they were for the incident happening in the first place.

  • In the event current technology becomes unusable, what are the contingency plans for maintaining continuity of operations until the technology is online again? Is there a way to revert to alternatives (e.g., another network or paper) if needed for creating records? How would you communicate internally with staff, volunteers, or vendors? Are you prepared to replace technology that may no longer be available or usable? 

  • With legal and compliance, understand your obligations to people directly impacted. Most states have data breach laws. You should know the requirements of your state (and of any other states where supporters’ data has been lost). You could be mandated to notify people in a specific manner, such as actually mailing them a letter, or have other obligations to people whose data is lost or potentially lost. If a vendor loses your data, you are going to want to be sure that they do the right thing by your supporters because whatever they do will reflect on you.

  • Talk to key vendors about their incident response plans. Most campaigns have many third-party vendors. You should ask them about their cyber incident plans and evaluate your comfort level with how they will respond. At this late date, a campaign is unlikely to jump ship because of a vendor’s response.  However, if you think a vendor may have a weak or deficient plan, you can ask them to do better and/or be prepared to enhance your response if that vendor is impacted. 

As a campaign, you know that you are under a microscope. Being prepared for an incident and responding in an organized and professional manner not only lessens the impact but also demonstrates leadership and resilience.

Other Resources

Belfer Center Cybersecurity: Playbook for Campaigns

Critical Infrastructure Security Agency: Cyber Essentials

Five Cybersecurity Steps For Every Campaign Before Election Day

The 2020 election cycle is moving toward the final phase. Yes, there are still a few primaries to go but for the most part, ballots are set and campaigns are gearing up to get their candidates elected.

Now is an opportune moment for campaigns to shore up their cyber defenses to protect their staff and volunteers from potential threats. Here are five cybersecurity steps every campaign should take before Election Day: 

  1. Turn on the strongest form of MFA or 2FA to protect accounts

  2. Secure your website

  3. Use and/or enforce the use of encrypted communications

  4. Encourage staff and others to secure accounts

  5. Be prepared if an incident occurs

Learn more about each of these and how Defending Digital Campaigns can help.

1.  Turn on the strongest form of MFA or 2FA to protect accounts: 

IF YOU ONLY DO ONE THING FOR THE REMAINDER OF THIS CYCLE, IMPLEMENT ACCOUNT PROTECTIONS!

Two simple truths: if you work on a campaign you are a target, and phishing and attempts to steal account logon information and credentials are the most likely ways a campaign will be hacked. 

Protecting accounts from being compromised is the most important cybersecurity priority for a campaign. A bad actor that gains access to email, share drives, social media, finance, or website editing accounts can do extraordinary damage to a candidate and a campaign. 

To achieve the best protection, turn on multi-factor authentication (MFA), sometimes called two-factor authentication (2FA), on every account that allows it. If your campaign is using G Suite, you will want to use their Advanced Protection Program, often referred to as APP (https://landing.google.com/advancedprotection/). If your campaign is using Office 365, you will want to use Account Guard (https://www.microsoftaccountguard.com/en-us/). Both require the use of a security key—a small piece of hardware that plugs into a USB port. 

DDC has FREE keys for campaigns from Google and Yubico and can even help your team implement them with the assistance of our Onboarding Specialist, who can hold a quick training for your team. The same keys can also be used to secure social media accounts on Facebook and Twitter as well as many other services across the internet. If MFA is not available on important accounts, implement a password manager such as LastPass (available for free through DDC) or at minimum enforce password creation policies that result in long, strong, and unique passwords.

2. Secure your website: 

Your public-facing presence is your candidate’s brand and connection to the community. Campaigns use their websites as a portal to introduce their candidate and his or her positions as well as for fundraising and in many cases to provide valuable information to voters about how to register and vote.

Websites can be vulnerable to various kinds of attacks, including being defaced with objectionable messages, being brought to a standstill by an attack that overwhelms a web service (known as a DDoS attack), and/or having content altered, resulting in false information about a candidate or other critical information. DDC can provide access to a FREE account from Cloudflare (https://www.cloudflare.com/campaigns/usa/) that will protect your site from potential threats.

3. Use and/or enforce the use of encrypted communications: 

Campaigns generate and share vast amounts of sensitive data and information. How that data can be shared, and with whom, should be codified for campaign staff in a written or oral policy. 

Many campaigns we speak with report informal use of services like Wickr or Signal, which is a great start. However, most don’t have a specific policy about what is ok to be shared via email or what should only be shared in an encrypted channel. Communicate with your staff about how sensitive campaign data should be shared. DDC’s Onboarding Specialist can help campaigns set up Wickr, which is free for campaigns with less than 30 people, and reduced rates are available for larger campaigns through DDC.

4. Encourage staff and others to secure personal accounts: 

Bad actors trying to access your campaign will use many methods. One that is tried and true in the campaign space is attempting to compromise the personal emails and accounts of campaign staff, the candidate, the candidate’s family or close confidants, or third-party vendors because the assumption is they are not as strongly secured as campaign email.

If you have implemented security keys at the campaign, in most cases those keys can also be used to secure personal email accounts. At minimum, even though campaigns cannot likely enforce security on personal accounts or third-party accounts, they should be educating and encouraging anyone closely associated with the campaign to secure email and other sensitive accounts. Contact us for a discussion about how to secure personal accounts and expand  the perimeter of protection for your campaign.

5. Be prepared if an incident occurs: 

The common cybersecurity wisdom is that as the election approaches activity by bad actors will increase. Therefore, some incident response planning should be done even if it’s just the campaign manager and/or the finance director taking a few minutes to put together a short list of steps to take if something goes wrong. Questions to answer include: 

  • Who are the people that need to be alerted (i.e., legal, comms, IT vendor, incident response vendor, law enforcement)? 

  • In the event of an attack that renders technology unusable (for example ransomware), what are the contingency plans for maintaining operations (for example, maintaining paper records) until the technology becomes available? 

  • How will the campaign communicate with anyone directly impacted by the breach as well as the general public and the media? 

If you are a campaign of over 25 people, contact DDC about potentially getting a free incident response retainer from Atlantic Data Forensics and discounted rates for response. 

Of course, there are other steps you can take as well, including building a culture of cybersecurity through training and educating staff. DDC has several training partners, including Foresight2020, Elevate Security, and Cybrary, all of which are free to eligible campaigns. You can also protect mobile devices with our partners Lookout and Zimperium, and protect against phishing with Agari and Area1.

DDC is here to help, and it’s quick and easy to get started! The best way to start is to schedule a quick call so we can guide you through some ideas about the best ways to secure your campaign. Email us at info@defendcampaigns.org and we will get the ball rolling!

Securing Your Social Media Accounts with Facebook Protect

Social media is critical to most campaigns providing opportunities to interact with supporters, convey key messages, fundraise, and advertise. In this COVID-19 world we are currently living in, social media platforms have become imperative to maintaining connections through engaging posts and live online events that replace retail politics, the lifeblood of many campaigns.

Successful social media efforts require constant engagement with the platform. Therefore, campaigns frequently have multiple people—staffers and volunteers—managing pages, posting information, and responding to comments, potential voters, and supporters.

Unfortunately, social media platforms are also used in nefarious ways. Bad actors can try to hack social media accounts to post false and misleading information appearing to come from the campaign, comment with links to bad information or phishing sites, try to agitate supporters, and more. 

Campaigns need to balance the good that comes from the reach and engagement of social networks while protecting against the risks.

Facebook has a special program for campaigns called Facebook Protect (https://www.facebook.com/gpa/facebook-protect).  The program is voluntary and helps Facebook to more quickly detect any potentially suspicious account activity by monitoring for attempts to hack the account, such as unusual login locations or unverified devices.

Facebook Protect is designed for:

  • Candidates of federal, state and local offices and their campaign staff

  • Federal, state and local elected officials and their staff

  • Representatives from federal and state political party committees and their staff

  • Federal, state and local agencies and departments’ Page admins who have a role in the elections process

  • Any person or group with a blue badge-verified Page who is involved in the elections process

To get started with Facebook Protect, your page needs to be blue badge-verified. To start the process of verification you can go here: https://www.facebook.com/help/1288173394636262

If you use other Facebook products, increase your level of security by turning on multifactor authentication:

At Defending Digital Campaigns, we offer free and reduced-price cybersecurity services to help campaigns implement better cybersecurity. We can also help you onboard cybersecurity products and services we make available, including helping you secure your Facebook account. 

We are thrilled to partner with Facebook to help campaigns secure their social media! The best way for campaigns to get started is to have a quick call with us. Please reach out to info@defendcampaigns.org to schedule an introductory call.

Cybersecurity for Campaigns: Understanding and Reducing Your Risk

Image source: https://www.nist.gov/cyberframework

If you are a candidate, campaign manager, or staff member, you should be concerned about the risks of a cyberattack and the subsequent impacts should an incident occur. Attempts to compromise campaigns come from a variety of potential bad actors, including nation states looking to disrupt our democracy, cybercriminals looking to steal data they can monetize, and people that are opposed to candidates for any number of reasons. Incidents can also occur if campaign staff make mistakes or a device is lost or stolen.

Defending Digital Campaigns (DDC) was created to bring free and low-cost services to House, Senate, and Presidential Campaigns as well as National Parties and Committees. To date, more than 120 campaigns have taken advantage of one of the free or reduced-price services from one of our partners.

The generosity of the private sector in working to preserve the integrity of our electoral process is tremendous. However, understanding which products your campaign needs is about understanding your risks and applying the right products to your environment. Campaigns differ from traditional organizations in a number of ways: what technology they use, how they grow, how long they are around, the different ways people interact with the campaign, and the high percentage of staff and volunteers that bring their own devices.

Where to Start?

Rome wasn’t built in a day and the cyber defenses of a campaign aren’t either. You need to have a lens to evaluate your needs and build your cybersecurity posture over time as the campaign season unfolds and risks change. 

At DDC, we highly recommend applying the National Institute of Standards and Technology (NIST) Cybersecurity Framework when creating your approach to cybersecurity. NIST is a part of the US Department of Commerce, and the Cybersecurity Framework was developed in a collaboration between NIST, industry, and civil society. It is a simple, non-technical way to think about protecting your campaign. It has five steps to establishing stronger cybersecurity:

Identify: What are the most valuable technology and data assets you have to protect and who is in need of protection? Prioritize your cybersecurity efforts, starting with protecting the campaign’s “crown jewels.” Identify technologies in use including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored. Don’t forget about your website as a valuable campaign asset. Because campaigns have many people interacting with the effort, lines between who is on the campaign and who is not are often blurry. Think beyond the candidate, staff, and volunteers to the spouse, children, consultants, and close confidantes with access to vital information needing protection. Campaigns often have accounts, such as social media or email accounts, with access shared by several staffers. Because campaigns fluctuate in size, needs will be different as you move from the primary to the general election.

Protect: Protection covers the measures you take to strengthen defenses. You begin around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available; protecting devices with endpoint protection; using encrypted communications for sharing sensitive documents or conducting confidential communications; protecting your website; setting up systems using security and privacy settings in the software you use (G Suite, Office); and ensuring software is up to date or patched. Since phishing as well as common mistakes can lead to cyber incidents, cybersecurity training for campaign staff and volunteers adds a layer of protection. Redundancy, in the form of data backups, reduces the impact of an incident or damaged or lost machines and mitigates the paralysis that can occur from a ransomware infection. Maintaining awareness of the threat environment and sharing it with staff can increase protection.

Detect: Detection is becoming aware that something is wrong. This could include automatic notifications of things out of the ordinary such as suspicious email, unauthorized attempts to access a protected file or other areas of a network, a potentially dangerous download, and/or a machine being compromised. Your team is also part of your detection efforts. Campaign staff or volunteers may be the first to see a phishing attempt or suspicious information requests like immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported act as an early warning system. Unfortunately, detection sometimes occurs when something significant has already happened, like being notified you have ransomware.

Respond: Being ready with a plan should an incident occur is an important part of cybersecurity. Your goal is to reduce downtime and get systems up and running as quickly as possible. Giving thought to alternatives to using technology, such as accepting donations by phone and keeping a paper record while technology is not available, can reduce disruption. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Develop a communications plan to proactively inform the public and the media. Be prepared to access IT support to remediate any damage to technology and consider having a forensic specialist available to investigate the attack or incident.

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents, and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection.

How do I get started?

The best way to get started is by asking yourself, an IT or cybersecurity professional, or an outside consultant to answer the following questions:

  • What are the important technology and data assets that if compromised would most impact the campaign?

    1. What and where are the devices we use--phones, computers, printers, software?

    2. What are the most critical data assets that if lost, compromised, or access was curtailed would most hamper operations, be fodder for the media or opposition, or could be seen as a violation of trust by the public? 

    3. Who are we identifying as being part of the campaign? Do we need to include family members, other people close to the candidate, and their family members, key consultants*?

    4. What accounts are in need of protecting--financial, social media, third party apps for fundraising, voter lists--and who can access those accounts?

    5. How will risks change over time as the election gets closer or a race becomes more contentious?

  • What has the campaign done to provide protection for these critical technology and data assets? What protections are in place for the campaign website? 

  • How would we know if something went wrong?

  • Are we prepared with a response? 

    1. Who are the people that need to be alerted (i.e., legal, comms, incident response vendor)?

    2. What are our contingency plans for maintaining operations until the technology becomes available?

    3. How will we communicate with anyone directly impacted by the breach as well as the general public and the media?

  • How will we take lessons learned from an incident and strengthen the campaign going forward?

If you are a House, Senate, or Presidential Campaign, please reach out to us at info@defendcampaigns.org and set up a short call and we can determine your eligibility for our services and get your cybersecurity efforts up and running.

*You may have key consultants or other third-party providers critical to the campaign. Understanding what data they can access or is shared with them, and how they implement cybersecurity to protect your data, is critical. Even asking them to use the NIST Cybersecurity Framework or to answer these questions is a good exercise to be sure they are protecting the campaign.

Q and A with Matt Rhoades, Campaign Veteran, and DDC Co-Founder

We had an opportunity to pose some questions to our founding Board Member and a prominent political consultant in the Republican party, Matt Rhoades.

Mr. Rhoades currently serves as Co-CEO of CGCN Group, an integrated advocacy and strategic communications firm that specializes in helping corporations, nonprofits and trade associations navigate complex legislative and regulatory issues.

Mr. Rhoades gained prominence working at the highest levels of political organizations and campaigns. As campaign manager for Governor Mitt Romney’s 2012 presidential campaign, he successfully guided Governor Romney’s campaign to victory through a crowded field of candidates in the Republican presidential primary.

DDC: When did you first become aware of the importance of cybersecurity for campaigns?

Matt: In 2011, when I was managing Mitt Romney’s presidential campaign. We discovered that our campaign had been hacked by the Chinese government during the primaries, and cybersecurity became a very real issue, very quickly. Unfortunately, this forced us to use precious campaign dollars on higher levels of network security rather than on winning votes.

DDC: Defending Digital Campaigns was created after an initiative you participated in at the Belfer Center at Harvard creating cybersecurity playbooks for campaigns and election officials. What are some key takeaways from that effort?

Matt: The political climate was hyper-partisan after the 2016 election, and my experience at the Belfer Center helped elevate a serious issue in a non-partisan way. Cyber-attacks are a threat that does not discriminate between parties – Democrats and Republicans need to work together to solve this problem and defend America’s campaigns.

DDC: What led to the creation of DDC?

Matt: Robby Mook, Debbie Plunkett and my experience at Harvard played a big role in catalyzing the creation of DDC. We realized that our work could continue, and really make a difference if we created an independent, bipartisan organization that both Democrats and Republicans could get behind. 

DDC: The campaign world is adversarial. Yet, there is strong agreement that providing cybersecurity needs to be done in a bipartisan, nonaligned manner. Why is that so important? 

Matt: After the 2016 elections, the focus was exclusively on Russia. This attention was warranted, but it left us blind to possibly even more serious threats in China, Iran, North Korea, and even here domestically. We’ve learned that cybersecurity threats can come from anywhere, and anyone can be a target. Nation states and domestic hackers don’t care if you’re a liberal or conservative – they care about creating chaos and discord in our country. That’s the type of problem Americans can only solve if they’re united.

DDC: Why is it important to offer cybersecurity services to campaigns for free or at a low-cost?

Matt: Good campaigns are cheap – they can’t afford to be worried about paying for cybersecurity software. I ran a presidential campaign and even we couldn’t afford that additional expense. How can local campaigns be expected to? All that campaigns should be focused on is winning votes, and offering these services for free or at a low cost allows that. 

DDC: It's undeniable that campaigns will look different this year due to COVID-19. Any advice about how campaigns should operate in this new environment?

Matt: Campaigns are always forced to make changes, and good campaigns always adapt to the environment they exist in. Be smart, make changes quickly, and don’t be scared.

If you are part of a US House, Senate or Presidential Campaign, your campaign might be eligible for Defending Digital Campaigns’ free or reduced-price cybersecurity products or services. Email: info@defendcampaigns.org

Our Interview with Joel Wallenstrom: Why Wickr is the Most Secure Communications App for Campaigns in 2020

As our country is searching for a light at the end of the tunnel in the wake of a global pandemic, most campaigns are now working remotely to help flatten the coronavirus curve. Candidates are hosting virtual town halls, Twitter chats, and Facebook and Instagram lives in lieu of in-person events.

To highlight our cybersecurity partners, DDC launched an interview series on our new blog and we are excited to introduce Joel Wallenstrom, President and CEO of Wickr.

DDC: Some people may not be aware of Wickr or encrypted communications. Can you describe what Wickr is and does? 

Joel: Wickr is a secure communications and collaboration company. We build software for mobile devices and desktop computers that provides the security of a face to face conversation over zero trust networks.  What's most unique is that we have built enterprise products on top of technology that has previously only been used in consumer products.

DDC: Now that most campaigns are working, to some degree, remotely to prevent the spread of the Coronavirus, how does Wickr help make them more secure when communicating and sending sensitive information?

Joel: Any time you’re communicating or sending sensitive information remotely there are risks. Wickr provides end-to-end encryption and a host of other security controls so that organizations can take the biggest risks off the table - risks like hostile mobile networks, public WiFi networks, etc. Wickr Pro users don’t have to trust these services because their data is secured prior to touching any of these potentially hostile systems.

The use of end-to-end encryption is different and often misunderstood. Let me explain… Wickr Pro is fundamentally different from products like Zoom, Slack, WebEx, and Skype for Business that rely on client-to-server encryption. Client-to-server encryption (HTTPS, TLS) was built for web browsing. It’s really the wrong way to secure communications data. Client-to-server encryption essentially puts all your eggs in a single basket, in this case a server - and we have seen how unsuccessful corporations have been in their attempts to protect, patch and manage their servers! If, or when, these systems are breached the attacker has access to everything. This is by design. It doesn't just have to be an outside attacker; insiders who are malicious or simply negligent have the ability to compromise all your centrally stored data and communications. End-to-end encryption completely eliminates this risk.

DDC: For campaigns that are only communicating via email through services like G Suite, even with multi-factor authentication, how does it potentially put their campaign at risk?

Joel: Email just wasn’t built with security in mind, period. It’s not built for end-to-end security, for one, which leaves message content vulnerable to disclosure at key points along the path from sender to receiver, including as it sits in storage on the service provider’s servers. It’s not built to respect sensible data retention policies, either, which means it sits where it sits at the service provider for extended periods of time, needlessly extending the period of time in which it is vulnerable to unauthorized disclosure. If we look at recent attack trends as well, we see that web-based cloud email services are increasingly being targeted and losses are on the rise, and if you consider that web accounts of any kind are such an easy target for phishing and other attacks it kind of makes email communication the worst choice from a security perspective. 

DDC: Many people already use some form of encrypted communications, such as Signal or WhatsApp. How does Wickr differ from these services?

Joel: If Zoom and WhatsApp had a security baby the result would be Wickr Pro. The primary difference Wickr Pro provides is control and management. For example, we have 10,000 person corporate deployments that are managed and deployed by IT teams and small businesses managing their own free networks. Strong encryption is a critical component of Wickr Pro, and our encryption is second to none, but serious organizational use requires strong application security overall, administrative controls like SSO, privacy controls like 2FA, compliance features, etc. That’s what we provide in Wickr Pro. We also have Wickr Enterprise for customers who want to host their own instance, which is often the case in regulated industries and federal markets.

DDC: What are the most common concerns you hear from campaigns regarding adapting to secure communications?

Joel: First place would go to the perception that it will be hard to use. This stems from the traditional fear that security comes at the expense of usability. This goes away once you actually use Wickr Pro and see that it’s as easy as using your SMS app on mobile or email on desktop. Making security easy to use is the foundational goal of the product and company. Another concern is compliance.  Consumer products - you mentioned Signal and WhatsApp - tend to rub compliance officers the wrong way. When we set out to build Wickr Pro we knew there would need to be a way to keep the lawyers and compliance officers happy!   

DDC: Wickr recently announced an enhanced offering of its free services to help companies moving workers to remote working. What is that new offering and how do people take advantage of it?

Joel: We just wanted to do what we can to help. We’ve always offered a free option of Wickr Pro. Last week we decided to increase the size of Free Wickr Pro Networks to 30 and uncap features.  So, for example, you can now have a video conference for as long as you like. We wanted to remove economics as a barrier to access for organizations who need secure communications.

DDC: Wickr was one of the first companies to sign up with DDC to enhance the cybersecurity of campaigns. Why was it important for Wickr to join Defending Digital Campaigns' effort and how does it relate to Wickr's bigger vision and company values? 

Joel: DDC formalized what we and others were doing to make it more affordable for campaigns to acquire useful tools, and they did a fantastic job of it. We were all for it. This is the third election cycle where we have been helping campaigns, but the first where we have a real ally in the process.  We’ve all seen the dramatic impact data security issues can have on political campaigns (and by extension, all of us), so given how much we think we can help the situation we felt it important to step up.