Fast Track Security With New Titan Keys From Google

Today Google announced the release of two new Titan Security Keys built to the highest industry standard, FIDO2*. These new keys help you reduce your reliance on passwords as the main form of safeguarding your accounts, and allow for the adoption of Google’s strongest form of protection for high-risk users, their Advanced Protection Program (APP).

If you know anything about DDC and how we help campaigns adopt better cybersecurity, you are well aware that the use of security keys along with enhanced protections like Google’s APP is our number one recommendation as the starting point to avoid hijacked accounts that result in leaked documents and emails and account takeovers for malicious use.

Why is it number one?

The bad actors' primary point of attempted compromise is going to be via accounts both organizational and personal. That means trying to gain access via stealing or otherwise attaining login credentials, such as tricking people into giving passwords through phishing, using a program to crack your password, or depositing malware on your computer that collects keystrokes as you enter your password.

When you use a security key, even if they have your password, hackers can’t get in.

Staffers, volunteers, and others who work on behalf of a candidate or campaign are all considered high-risk computer users. Not all forms of multifactor authentication (MFA) are equally protective. Some methods, such as sending codes via SMS texts or email, are not nearly strong enough to protect your campaign or personal accounts. Security keys, especially with the addition of enhanced protections, are the most phish-resistant and strongest authentication you can implement.

Keys are an easy and convenient way to rapidly upgrade your cybersecurity. For Federal campaigns and other DDC eligible organizations, they are also the cheapest as we can provide security keys from Google or Yubico for FREE.

There is more good news about keys too. One key can be used to secure multiple accounts. The same key you use to protect a Workspace account can be used to secure your personal Gmail account, Facebook account, Twitter account, Microsoft account, and many more across the internet. That’s because of the FIDO standards that are developed around interoperability.

Accounts can have multiple keys connected to them. This can be extremely helpful with accounts that are shared like info email accounts. Everyone who has access can register their key to the account. 

DDC recommends that everyone have two keys: one to have on hand as you use tech all day long, and one as a backup if you lose your primary key. You won’t be asked for a key every time you log in.

Think you're an eligible campaign? Email us at info@defendcampaigns.org and we will double check. If you are, we will get back to you on how to order your free keys and access other free cybersecurity products.

If your campaign is not eligible to receive complimentary keys, you can buy them directly at the Google Store.

Learn more about related topics from our Knowledge Base:

What type of key should I get?

How to turn on Google’s APP

How to set up multiple keys on Google shared accounts

Browse our Knowledge Base

*About FIDO: “The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. The FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.”

Passkeys Q and A with Christiaan Brand, Group Product Manager at Google

If you use Gmail, you recently received an email from Google letting you know that your personal email account is now protected by a passkey and that you no longer need to have a password to gain access to your Gmail account.

Passkeys are arguably one of the most significant advances in protecting accounts in the last several years and are a harbinger of a sea change in cybersecurity that will eventually lead to the demise of the password. 

We have some questions about passkeys and thought you might too.

Google offered Defending Digital Campaigns an opportunity to pose some questions to Christiaan Brand, Group Product Manager at Google, who is leading their rollout of passkeys.

DDC: What is a passkey and how does it work?

CB: You can think of a passkey in the same way you think of a password. The only difference is that you don’t remember a passkey. Instead, it’s stored on a device such as your phone or computer. Whenever you want to log in somewhere, you prove your identity to your device (typically, by unlocking it with a fingerprint or face scan) and the device in turn proves that it has access to the passkey to the remote website. There’s nothing to remember and nothing to type. And best of all: passkeys cannot be phished like traditional passwords.

DDC: Since a passkey will, in most cases, involve the use of a biometric–fingerprint, face scan, etc.–some people may be concerned about how that data is secured and who has access to it. Can you explain that?

CB: Your biometric data is never shared with Google or any other third party – the screen lock only unlocks the passkey locally and neither your passkey nor your biometric data is transmitted to any remote service in any way.

DDC: I already log in to my phone and other devices and apps with a biometric. Am I using passkeys, or is there something else that is going to change?

CB: Today, users use a mixture of biometrics and passwords to log in to online services. With passkey, we’re hoping to systemically move all logins away from passwords. Mobile applications started their transition to biometrics a while ago, while websites could not harness the technology. With passkeys, we are delivering the convenience and security of authentication by simply “unlocking your device” everywhere.

DDC: Is implementing a passkey optional?

CB: Today, yes. But over time we are hoping all users will migrate over to the use of passkeys over passwords for their security.

DDC: Passkeys are not a solo effort by Google but part of a larger industry effort to advance cybersecurity. Can you shed some light on this collaborative effort and the importance of an industry-wide approach?

CB: Passkeys are the result of more than a decade of collaboration with like-minded companies as part of the FIDO Alliance. In security, it’s often a case of the rising tide that lifts all boats. We think that this technology will only be successful if we can change the way everyone thinks about authentication and signing in to services online. We are joined by many companies such as Apple, Microsoft, Facebook, Amazon, and others on this journey. 

DDC: What happens if I lose a device or account access? How do I regain access to my Google Account?

CB: On Apple devices, all your passkeys, including the one to your Google Account, are backed up to iCloud. That means that even if you lose your device, as long as you can sign back into your iCloud Account, you’ll have your passkeys available again to sign into your Google Account. On Android, your passkeys are backed up to the Google Password Manager. We highly recommend keeping a physical security key as a backup for access to your Google Account in case you lose all your other devices.

DDC: We know that the rollout to Gmail is just the first step. What are the future plans for passkeys and Google products?

CB: Passkeys are available for all Google products today, not only Gmail. Once you set up passkeys on your Google Account, all Google products are secured and accessible using passkeys. Today, users still need to take the step of navigating to g.co/passkeys and clicking on “Create a passkey” to get started with passkeys. Later this year, we have plans to make it even easier to get started with passkeys.

DDC: The promise of passkeys is their usability across the internet with all kinds of web service providers. Do you have an estimate, or maybe just an educated guess, about when passkeys will become the predominant way of accessing accounts (we promise not to hold you to it)?

CB: I’d like to think that in a few years we will reach that tipping point where more users will use passkeys than passwords. I do think it’s a somewhat aggressive timeline, but on the other hand, we’ve seen most major services jump onboard so maybe it’s within reach after all.

DDC: Where can people learn more about passkeys and Google’s cybersecurity efforts?

CB: The best place to learn more would be at the Google Safety Center: https://safety.google/cybersecurity-advancements/

DDC thanks Christiaan for answering these questions and all Google does to help secure campaigns and high-risk users in the political space.

What are you thinking? Some Nation States Might Want to Know

Recently, it was reported that the email of the US Ambassador to China, the Secretary of Commerce, and a GOP Congressman was hacked by the Chinese. These announcements follow the revelation of email compromises leading up to recent diplomatic activities with China.

According to reporting by CNN, “the Biden administration believes that the Chinese hacking operation gave Beijing insights about US thinking heading into Blinken’s high-stakes trip to China in June.”

Why should this recent cyber incident be a concern for candidates, campaign staffers, and those who work in organizations in the political sector? After all, if you aren’t even in office yet, you are unlikely to engage in high-level diplomatic negotiations.

It would be understandable to not make an immediate connection. Most people think of cyber incidents as events that garner lots of attention, like ransomware crashing critical infrastructure systems, attempts to take down websites, or stealing massive amounts of personal information.

To understand cyber incidents, you need to understand the attacker’s motivation. Cybercrime and attempts to steal money represent the vast majority of incidents that come to the public’s attention. However, when it comes to nation-state cyber-attacks, money is not the motivation. It might be to sow disruption, erode public confidence in our democracy, or straight-out espionage like stealing intellectual property. Or, as in the case of these incursions, to gain a deeper understanding of the policy positions, underlying discussions, and approaches public officials might be taking in discussions.

If you are running for office or work in an organization that engages in policy work, especially foreign policy, you could be targeted as part of an information collection campaign. It could be to gain deeper insights into what you are thinking or proposing to others, and/or an effort to connect the dots and discover your contacts and professional affiliations to target them as well. 

The best defense is to lock down your logins using the strongest account protection possible. Hardening your core accounts, like your email, is the most important and impactful cybersecurity step you can take. As evidenced by these recent incidents, email accounts are a prime target. And, don’t forget to strengthen security on your personal accounts as well.

The good news is it’s not that hard to do. Defending Digital Campaigns’ Knowledge Base has all the information you need to up your security, with articles on protecting your accounts and using more secure methods of logging in like security keys and the new cutting-edge security of passkeys. If you are running for a Federal office you may be eligible for free cybersecurity tools from DDC. Contact us at info@defendcampaigns.org.

Also read our recent blog on the Long Con, a similar effort to collect information through creating imposters who look to develop long-term professional relationships.

Written by Michael Kaiser, President and CEO of Defending Digital Campaigns.

Can Barbie Shed Light on Disinformation and Hacktivism?

Barbie is having a cultural moment, with social and traditional media awash in the news about this summer’s blockbuster movie. As bright and optimistic as Barbie’s world might be - and as she discovers in the film - there are darker forces at play in the real world. In fact, a recent Barbie disinformation campaign provides a great case study for not everything being as it appears, and contains a valuable lesson for those running campaigns and political organizations.

At DDC, we educate around three primary bad actors in cyberspace that put campaigns and organizations at risk: cybercriminals seeking to monetize crime, nation states attempting to disrupt, and hacktivists aimed at achieving a political end or righting a perceived injustice. Barbie and her parent (pun intended) company Mattel fell victim to this last group.

In Barbie’s case, a group calling itself the Barbie Liberation Organization issued a fake press release that looked remarkably like a real release from Mattel, including a quote from their CEO, claiming there was going to be a new “Eco-Warrior Barbie” and that Mattel would go plastic free by 2030. The release featured a quote from actress Daryl Hannah, who the release claimed was Mattel’s new brand ambassador, but who was in fact part of the false campaign.

At first you might think this a benign effort of political theater. However, there were some actual consequences. The release the Barbie Liberation Army put out was such an exact facsimile that several news organizations, including People and the Washington Times, picked it up as actual news. Of course, they later retracted their stories.

What the Barbie Liberation Army conducted was an extremely effective disinformation campaign. One of their stated goals on their website is:

“Our covert operations are carefully crafted to disrupt the status quo and inspire others to question constructs that confine them.”

This goal, with the use of words like “covert operations” to “disrupt,” and “inspire others to question constructs,” should not be taken lightly. Manipulating narratives using popular current events and creating partial truths are just the kinds of ideas and tactics that nation states and hacktivists use to formulate their playbooks for disrupting our political system.

Impersonation -- whether of a person, company or organization -- underlies these efforts because it engenders trust and belief that what is being said is true. While the Barbie Liberation Army’s goal seems to be educational, what if it wasn’t? What if their goal had been to spread false rumors about a candidate? What if a nation state engaged in activity like this to create support for candidates they thought were more sympathetic to their policy goals? A disinformation campaign like this in the closing days of a campaign, as voters are solidifying their support around a candidate, could have serious negative consequences. For example, it could sway a small percentage of voters in a close election to change their vote, and with it an outcome, or discourage people from voting at all.

Plenty of people have mixed feelings about Barbie. But we can probably all agree she is not a role model for subverting our democracy.

Written by Michael Kaiser, President and CEO of Defending Digital Campaigns

Be On the Look Out for the 'Long Con'

Cybersecurity awareness often focuses on keeping your antenna up for threats. Sometimes it's a reminder to Be On The Look Out (BOLO) for a specific threat. In a recent Washington Post article, Tim Starks outlines what he calls the “long con,” a highly targeted phishing attempt that doesn’t follow the traditional phishing approach.

According to Starks:

“In recent years, these phishing attempts have become more sophisticated. Sometimes they don’t even include links or attachments. Instead, the hackers build rapport with experts…” 

The long con uses impersonation and repeated contact over time to develop relationships with the target. Eventually, the bad actor may send an email with a malicious link or attachment with malware. By the time that email arrives, the target’s guard is down and they are more likely to click or download without much thought. 

Or they might never attempt to steal credentials or drop malicious code on a computer. They may be engaged in espionage of other sorts, such as developing information sources used for other intelligence purposes or attempting to influence the recipient of the emails toward specific policy ideas sympathetic to a country or other stakeholders.

Why is understanding the long con important to people in the political sector? Because if you work for a campaign or political organization, you are at a higher risk and could be targeted because of your affiliation.

Another reason to be on high alert is that most phishing prevention has been based on training computer users to defend against individual phishing attempts through email, texts, or social posts. Spam and anti-phishing programs that protect most inboxes and text messages are good at blocking or alerting users to the vast majority of phishing attempts. And most of us are pretty savvy now and can avoid the more obvious phishing attempts.

However, these targeted attempts could easily make their way to us. In the case of the long con, you need to be on alert to impersonation attempts and efforts to create more lasting relationships. They could also start as outreach via other networks such as LinkedIn, or via email from someone claiming to have attended the same event as you did in an effort to spark a connection.

In addition to an upcoming presidential election, 11 gubernatorial races, 86 state legislative chambers, 33 Senate seats, and the entire US House will be on the ballot in 2024. When we think in cybersecurity terms, this is a huge attack surface and bad actors have many entry points.

So BOLO for the long con and other attempts to compromise you and your accounts.

Sprint to Cybersecurity as You Sprint to Election Day

This is it, the final weeks until Election Day. Your campaign is in full swing and you are laser-focused on winning.

As you should be!

Your time is extremely limited for anything other than what’s already on your long to-do list. 

However, you should be aware that cybersecurity risks increase as Election Day nears, and that securing your campaign can be done quickly and for FREE. We are here to help you sprint to cybersecurity.

At this stage of the campaign, we highly recommend two key areas that are easy to implement and have the biggest impact: protecting your website through Cloudflare and securing accounts using Google or Yubico security keys.

Secure your website with Cloudflare: 

Websites can be vulnerable to attacks that prevent people from accessing them, defacements, and content changes. Cloudflare for Campaigns offers business-level service to federal campaigns for FREE! To get started, email us at info@defendcampaigns.org and once we’ve double-checked your eligibility, our support team will get you set up as soon as possible! 
The approximate time commitment: 20 minutes

Secure campaign and personal accounts with security keys:

Your core accounts–email, document sharing, social media, and financial–are the biggest targets for bad actors. The highest form of protection is to use a security key–a small physical device that plugs into a USB port on your computer or phone. We offer FREE Google or Yubico security keys that can be used on multiple accounts and offer the best protection against potential threats!

To get started, email us at info@defendcampaigns.org and once we’ve double-checked your eligibility, our support team will send you promo codes along with instructions to get you set up and super-secured as soon as possible!
The approximate time commitment: 5 minutes

Instructions on how to turn on security keys for core accounts


Activate keys on Google Workspace/Gmail: 15 minutes
Instructions: https://defendcampaigns.zendesk.com/hc/en-us/articles/1500001296322-How-to-Turn-on-Google-APP-with-your-Keys-1-minute-read-video-

Activate keys on Windows: 10 minutes
Instructions: https://defendcampaigns.zendesk.com/hc/en-us/articles/9482615044115

Activate keys on Facebook: 10 minutes
Instructions: https://defendcampaigns.zendesk.com/hc/en-us/articles/1500006954082-Protecting-Your-Facebook-Account-2-minute-read-video-

Activate keys on Twitter: 10 minutes
Instructions: https://defendcampaigns.zendesk.com/hc/en-us/articles/4412676307859-Protecting-your-Twitter-Account-2-Minute-Read-

Don’t wait until the last minute! If you’re a federal campaign on the November 2022 ballot, email us at info@defendcampaigns.org and our support team will get back to you as soon as possible.

Together, we can sprint to cybersecurity!

Protect Your Campaign Website: A Conversation with LangleyCyber

Defending Digital Campaigns (DDC) recently had an opportunity to pose some questions to Mike Schmuhl and Matt Ashburn, two of the founders of LangleyCyber. LangleyCyber provides a comprehensive suite of cybersecurity solutions and services, including incident response, investigation and forensic services, and security assessments, among several others. LangleyCyber’s team is unique because it brings together individuals with vast experience in the US Government as well as those with high-level political experience.

We asked Mike and Matt some questions following a recent incident LangleyCyber responded to and mitigated.

DDC: You work with a variety of players in the campaign and political space. What do you see as some of the kinds of threats or vulnerabilities that most concern you leading into the 2022 election?  

LC: Misconfiguration of existing networks and a lack of process and planning around cybersecurity are the biggest threats that concern us leading into the 2022 election. Most threats and vulnerabilities are focused on spear-phishing, which are targeted phishing attacks against a dispersed workforce. For many in the campaign and political space, they have the tools but often lack the expertise to configure security policy settings properly. The high rate of turnover surrounding political campaigns creates necessary turmoil that can be exploited by vigilant attackers. New hires, volunteers, and other individuals associated with campaigns for short periods of time are the most vulnerable user base. Even small organizations should look to formalize their cybersecurity programs and implement robust Identity and Access Management controls. 

DDC: Recently, LangleyCyber assisted a political organization that had their website compromised. Can you tell us a little about what happened and how you were able to remediate it?  

LC: In July, an attacker of unknown motivation configured one of our clients’ websites to redirect to a URL hosted on Russia Today (RT), the Russian state-controlled television network. They targeted the political organization’s website through a dormant WordPress administrator account and cracked the password in a very short period. Without multifactor authentication (MFA) enabled, the attacker removed access for all other users, made configuration changes to the site’s title and tags using derogatory political language, and set up a simple HTTP 301 web redirect from the compromised site to a URL hosted on RT’s Russian-language website.

We remediated the situation by regaining control of the site, implementing a web application firewall (WAF) to prevent future attacks, and maturing vulnerability management and incident response planning to ensure the organization can face future threats.  

 

DDC: What lessons should others take away from this incident about protecting a website?  

LC: Basic cybersecurity best practices would’ve prevented this attack entirely. Tools such as Cloudflare are important, but just having them isn’t enough; they must be configured correctly for them to be useful.

Some specific lessons include:  

  • Regularly auditing user accounts with administrative privileges, disabling unused/dormant accounts, and configuring access controls with least privilege

  • Using strong, complex passwords and enabling multifactor authentication (MFA)

  • Ensuring all software is updated on a regular basis with the latest security updates, including plugins and third-party libraries

  • Ensuring your organization has plans for vulnerability management, incident response, and continuous monitoring in place

 

DDC: Given the limited resources of campaigns and political organizations, what’s your advice for campaigns and organizations generally around responding to a cyber incident?  

LC: Because resources are limited, the best advice is to establish contact with a reputable cybersecurity firm and create policies and procedures ahead of time. If you are calling once an incident has occurred, it’s too late. Cybersecurity should be taken seriously before a bad day occurs, not after. Additionally, utilize free resources and engage with experts to configure your system properly as well as to ensure you’re implementing cybersecurity best practices adhering to industry standards such as the DNC checklist, CISA guidance, NSA Top 10, etc.   

  

DDC: Sometimes people say time is of the essence when a cyber incident takes place. Do you agree? If so, why?  

LC: Yes, time is of the essence! When a cyber incident occurs, having policies and procedures in place so everyone knows their roles and responsibilities can be the difference between a minor, contained incident and a major breach. The faster an incident can be identified and dealt with, the better. It’s important that you use time efficiently, not developing relationships or creating a plan on the spot. The shorter and more contained an incident response is, the less likely there will be long-term harm to your organization.  

For more information on how to protect your campaign or organization visit DDC’s Knowledge Base: www.defendcampaigns.org/resources
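
The lessons from the interview above (audit administrator accounts, disable dormant ones, require MFA) and the redirect the attacker configured can both be checked automatically. The Python sketch below is an added example, not LangleyCyber's or DDC's tooling; the account inventory, its field names, the 90-day dormancy threshold, and the `campaign.example` hosts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

DORMANT_AFTER_DAYS = 90          # assumption: threshold picked for this example
AUDIT_DATE = date(2022, 7, 20)   # constructed "today" so results are repeatable
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Account:
    login: str
    role: str
    last_login: Optional[date]   # None means the account was never used
    mfa_enabled: bool


# Constructed inventory. Field names are hypothetical, not a WordPress export format.
ACCOUNTS = [
    Account("comms-director", "administrator", date(2022, 7, 18), True),
    Account("old-vendor", "administrator", date(2021, 11, 2), False),
    Account("field-intern", "administrator", None, False),
    Account("volunteer-blog", "author", date(2022, 1, 5), False),
    Account("webmaster", "administrator", date(2022, 7, 1), False),
]

# Constructed HTTP response heads, as a monitoring probe might capture them.
COMPROMISED = ("HTTP/1.1 301 Moved Permanently\r\n"
               "Location: https://offsite-news.example.net/story\r\n"
               "Content-Length: 0\r\n\r\n")
NORMAL = ("HTTP/1.1 301 Moved Permanently\r\n"
          "Location: https://www.campaign.example/\r\n\r\n")


def audit_admins(accounts, today, dormant_after_days=DORMANT_AFTER_DAYS):
    """Return {login: [reasons]} for administrator accounts that need attention."""
    findings = {}
    for acct in accounts:
        if acct.role != "administrator":
            continue                      # least privilege: only admins are in scope here
        reasons = []
        if acct.last_login is None:
            reasons.append("never used")
        else:
            idle = (today - acct.last_login).days
            if idle > dormant_after_days:
                reasons.append(f"dormant {idle} days")
        if not acct.mfa_enabled:
            reasons.append("no MFA")
        if reasons:
            findings[acct.login] = reasons
    return findings


def parse_response_head(raw):
    """Parse the status code and headers out of a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                         # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def offsite_redirect(site_host, raw_head):
    """Return the target host if the response redirects off the site, else None."""
    status, headers = parse_response_head(raw_head)
    if status not in REDIRECT_CODES:
        return None
    target = urlsplit(headers.get("location", "")).hostname
    if target is None:
        return None                       # relative Location stays on the same site
    site = _strip_www(site_host)
    # Exact match or a true subdomain only; "notcampaign.example" must not pass.
    if target == site or target.endswith("." + site):
        return None
    return target


if __name__ == "__main__":
    for login, reasons in audit_admins(ACCOUNTS, AUDIT_DATE).items():
        print(f"review admin account {login}: {', '.join(reasons)}")
    for label, head in (("normal", NORMAL), ("compromised", COMPROMISED)):
        print(label, "->", offsite_redirect("campaign.example", head) or "on-site")
```
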

Political Sector Tech Users Say Cybersecurity Threats Increasing

Recently Google and YouGov conducted a survey* of high-risk users across ten markets, and these are the results from the US, including people in the political sector and journalists. Google shared the data with Defending Digital Campaigns since protecting campaigns and tech users in the political sector is a shared goal.

Google is one of DDC’s prime partners in protecting campaigns. Google distributes free Titan Security Keys to eligible entities through DDC and has funded DDC’s widely available training efforts. Today, Google has also released a blog describing the ways they are working to protect campaigns during the midterms.

The purpose of the survey was to:

“to understand how those working in these professions feel about the cyber threats posed to them, how these threats have evolved, and what they are doing to protect themselves.”

The learnings are important as we head into election season.

These technology users show high awareness about the risk:

  • Eighty-three percent believe that the threat of cyber attacks on them has increased in the last two years

  • Fifty-nine percent believe that their professions make them more likely to be a target of hacking or phishing

  • Seventy-three percent believe the risk is a result of increasingly sophisticated hacking/phishing techniques

Their concerns are not theoretical:

  • Forty-one percent report having had digital accounts hacked or accessed by others without permission in the last 12 months alone

  • For those in the political sector the number was significantly higher with 82% reporting digital accounts hacked or accessed

And the cybersecurity incidents have an impact: 51% believe increased threats have made their jobs harder to do.

It’s not all bad news as there was significant understanding among respondents about what protective measures would enhance their cybersecurity and many had taken action. There were differences between the political sector participants and the journalists:

  • Forty-four percent of the political sector respondents preferred the use of multifactor authentication or a security key, and 44% use unique passwords.

  • Journalists shared unique passwords as a preventive measure, with 59% reporting they use them, and 54% reported using multifactor authentication or a security key.

At Defending Digital Campaigns (DDC), we believe that everyone associated with a political campaign is at higher risk. The high number of political respondents in this survey who report account hacks or unauthorized access bears that out. Protecting accounts, both campaign-related and personal, is critical. The basic tools of self-protection–multifactor authentication coupled with a security key and password managers–are readily available and easy to implement. They are baseline, core protections for everyone in the campaign space.

DDC can help. You can learn about multifactor authentication and how to turn it on for key accounts like email and social, as well as the free, easy-to-use, browser-based password managers in Chrome, Edge, and Firefox, at DDC’s Knowledge Base. DDC also has free security keys for eligible campaigns. Our training program covers everything you need to know about securing yourself, your campaign, or your organization. Go ahead and register today.

Gearing up for the 2022 elections is not just about putting the pieces in place to win an election. It needs to include implementing cybersecurity protections in an environment that is bound to see increased threats.

Michael Kaiser
President and CEO

*Google, in partnership with YouGov, surveyed 705 respondents (350 politicos and 355 journalists) across ten markets: UK, US, BRU, CAN, FR, DE, IT, NL, PL & ES, with the research taking place between 26 October and 1 December 2021 


Safer Internet Day 2022: A New Opportunity for Collaboration

February 8th is Safer Internet Day, an education and awareness event celebrated around the world. For the most part, the day has been focused on children’s online safety. However, in recent years the acknowledgment of the day has broadened to a more general effort to keep people and organizations safer and more secure online.

Today, in honor of Safer Internet Day, Defending Digital Campaigns (DDC) is proud to be included in a new effort to cyber secure our democracy. Today, Google announced The Campaign Security Project, a series of partnerships between Google, DDC, and organizations that recruit, train, and support people running for office. The goal is to help the campaigns and candidates that work with these organizations adopt better cybersecurity practices and in doing so protect an essential element of our democracy.

In this new effort, DDC will be collaborating with:

  • Veterans Campaign

  • Collective Future

  • Women’s Public Leadership Network

  • LGBTQ Victory Institute

  • Center for American Ideas

  • Emerge

  • Latino Victory

Campaigns happen in every community in America. Candidates seeking elected office are the backbone of our democracy, and campaigns are where the marketplace for ideas about governing faces its first test. Disrupting that process could be the goal of a variety of bad actors, from nation-states not wanting our democracy to thrive, to hacktivists who do not want ideas they disagree with to prevail, to cyber criminals wanting to steal data and monetize it.

This new collaboration builds on the important role that partnerships have long played in achieving better cybersecurity. The effort announced today brings cyber expertise to a diverse set of organizations committed to reaching as many of their campaigns and constituents as possible with training, information, and education on strengthening their cybersecurity posture.

At DDC, we are open to collaborating and partnering with groups that support candidates. We work with nonprofit organizations, digital firms, other vendors in the political space, and state parties. Feel free to reach out to us at info@defendcampaigns.org if you are interested in a collaborative relationship.

Our mission is to protect political campaigns from cybersecurity threats and bad actors. The efforts announced today augment DDC’s nonpartisan, nonaligned core efforts providing eligible entities (national committees, state parties, and federal campaigns) with free cybersecurity products, onboarding support, and training. You can learn more about eligibility here.

DDC conducts regular training for candidates, campaign staffers, and organizations in the political sphere that is widely available. The current training schedule can be found at www.defendcampaigns.org/events.

We applaud the great work going on around the world on Safer Internet Day. You can follow along on social media at #SaferInternetDay and #SID2022.

Michael Kaiser

President & CEO

Defending Digital Campaigns

 


Let's Start 2022 Midterms by Securing Your Campaign Early

As the New Year begins, in the world of politics, the countdown to the 2022 midterm elections starts in earnest. One lesson DDC learned in the 2020 cycle was that campaigns should address cybersecurity as early as possible. Even if your campaign is only 1-2 people right now, this is the time to begin implementing cybersecurity. You want to be ready to expand and have your cybersecurity expand with you.

DON'T BE OVERWHELMED!

Implementing protections that will address the most common threats is easy, and we can help in many ways. Our Knowledge Base is full of information on how to implement cybersecurity for your campaign.

If you are an eligible federal campaign or committee, we have free products and services and can assist with implementation quickly. We also host virtual cybersecurity trainings specifically for political campaigns throughout the year. See: DDC eligibility

Here are some of the top ways to start off the new year more cyber secure and links to more information on each topic that can be found in the Knowledge Base:

  • Establish your minimums: Decide what tools and products each person in your campaign will use, such as using multi-factor authentication with a security key, password manager, and encrypted communications. See: Cybersecurity Basics

  • Articulate a policy and maintain a culture of cybersecurity: When onboarding staff and volunteers, articulate your expectations for what cybersecurity measures people should take, including how to handle sensitive information and other practices they should follow. See: Sample Policy and Creating a Culture of Cybersecurity

  • Configure your systems: Within your Google Workspace or Office 365, you can create controls for each user to ensure some practices are in place, such as mandatory multifactor authentication, long, complex passwords, and more. See: Platforms

  • Protect your website: You want your online home secured from defacements or attempts to bring it down as soon as possible. See: Protect Your Website

  • Evaluate your risk: Every computer user faces general risks, such as phishing attempts and efforts to break into accounts. Evaluate the potential for heightened risks, such as a tight race or one that will determine the balance of power. See: Assessing Risk

  • Create an incident response plan: You want to be ready before anything happens. Identify your response team, think about the continuity of operations, and understand your legal requirements. See: Create an Incident Response Plan


We are here to help throughout the campaign and election season. Sign up to get our monthly newsletter and stay up to date on our upcoming training sessions, new blog posts, and more!


Interview with Alex Bores of Foresight Partners

Alex leads Foresight Partners, a nonprofit that provides cybersecurity training and services to campaigns. DDC partners with Foresight to bring free awareness training to DDC eligible campaigns.

 

DDC: Tell us a bit about why you started Foresight Partners? 

Foresight Partners was started because people asked for it. After 2016, everyone knew the importance of cybersecurity for campaigns. Precisely because it was so salient, I assumed that people were already reaching out to campaigns to help them set things up securely. However, a friend of mine was running for Congress, and kept asking for advice on how to secure his devices and communications. After a few back and forths, he said, “You know, if you made a training course on this stuff, I would take it.”

That planted the idea for a workshop. What we found, much to our surprise, was that campaigns were not getting this interactive engagement on cybersecurity, and they had a real hunger for it. The raw information was out there in venues like the Belfer Cybersecurity Campaign Playbook, the DNC Checklist, or the FBI Protected Voices Project. But if campaigns had questions, or if suggestions from the established sources seemed burdensome, they didn’t know who to ask.

The niche we filled is making training accessible and fun so that it actually motivates staffers to take the actions that make themselves, their colleagues, and their candidates safer. And our work snowballed from there.

DDC: Does training make a difference? I know many people downplay the role that user awareness can play.

Training is so important! As much as we in the cyber community like to talk about 0-days and Advanced Persistent Threats, IBM has found that 95% of breaches involve human error. Which, said another way, means campaigns can reduce their risk 95% simply by changing their behavior.

The issue, of course, is that most cybersecurity training makes people’s eyes roll to the back of their heads. There are some exceptions - Mike Sager at Emily’s List does an awesome job, and the Maine Democrats security team has a home grown training that is very engaging. But many of the standard trainings that campaigns have had to sit through feel like checking-the-box exercises.

 We give hour-long trainings to campaigns, but my favorite part is always the last ten minutes. If you have done it right and established a level of trust, campaign staffers open up with all sorts of idiosyncratic cybersecurity questions that show that they have been thinking about security, but never had a person they thought they could ask about it or a venue to easily get answers.

What started as a focus on training grew to much more, largely from questions we got in those last ten minutes. Campaigns asked for further examples of phishing emails, so we started running phishing campaign assessments. One campaign mailed us a malicious flash drive they had been sent for forensic analysis! A state party worked with us to do a comprehensive security assessment. We ended up working with campaigns to securely set up email, set up password managers and security keys, secure their communications platforms, etc. But it’s important to also let campaign staff know why every step is important, or they’ll stop using them.

DDC: What were you able to accomplish in the recent election cycle?

In 2020 we worked with over 140 campaigns at and with 14 state parties, which makes us the largest provider of live, personalized cybersecurity training for campaigns in the country. We conducted training for candidates and staff on campaigns running for state house all the way through Congressional and Presidential campaigns. 

However, our goal was not the numbers, but the effectiveness of the training. A big question in cybersecurity broadly, and in securing campaigns specifically, is whether people actually implement “best practices.” For example, based on our pre-training survey of participating campaigns, only 53% of congressional staffers used two-factor authentication on their campaign email account, and only 28% use password managers, despite both steps being highly recommended by every guide and being free for campaigns through programs that DDC runs.

We focus on delivering information and follow-up so people take action. Within one week of taking our training, over 60% of trainees added 2FA to a new account, the number using password managers had nearly doubled, and 98% made at least one concrete improvement to their cybersecurity practices.

DDC: A lot of people think that campaigns do not know anything about cybersecurity. DDC found that many of the campaign managers we spoke with had some awareness about what they were supposed to do but not always the tools or knowledge. What was your experience?

Absolutely agree. Campaign managers are juggling a million things. They know cybersecurity is important, but presenting them with a checklist that is not customized for their specific situation breaks down the second the advice conflicts with something they think will help them win.

 Campaign managers are smart and hard working. If you present them with good information about risks, they can make good choices.

 

DDC: What have you been up to since 2020?

A couple of different initiatives. We got a lot of questions about disinformation in 2020, and so earlier this year we put together a new training course and table top exercise on that topic. We gave that training to a few campaigns, and then FDA and HHS got wind of it, and asked if we could adapt it to disinformation around vaccines or other health topics. So we ran a couple of sessions with their security teams, and we continue to offer it broadly.

The second initiative is about partnering more deeply with campaigns. 2020 was a whirlwind. 2021 has fewer active campaigns, which is allowing us to spend more time with each. For example, we are working with gubernatorial campaigns on setting up their GSuite securely, transitioning staffers (and the candidates) onto password managers, rolling out DMARC, defining their onboarding processes, and more. The multiyear timeframes allow for a more thoughtful approach to security, and we’re enjoying these deep partnerships.

 

DDC: I understand that you are creating some new resource guides for campaigns. Tell us about what you are creating, where they can be found, and what you are planning going forward.

Whenever we can, we like to document our guides and share them broadly. We’ve published guides on password managers, 2FA, and securing your home wifi router. We have a template onboarding checklist campaigns can copy, and a two-pager of top tips with links to further instructions. All of this information is available at https://foresightpartners.us/resources

 

DDC: If you get every campaign to institute just one cybersecurity measure, what would it be?

I know DDC recommends security keys as the first thing that campaigns do, and that is great advice. Password managers are also a top suggestion. I’ll highlight another one, which is updating software.

I can’t convey the number of times we have come across staffers that are very aware of cybersecurity and practice good digital hygiene, but are still running an operating system that reached end of life a couple of years ago.

Everyone knows that they are supposed to update software, but many are not sure why, and it presents an inconvenience that they feel impedes on their day-to-day work.

People just need to hear that all software has bugs and that bugs are routinely publicly disclosed, leaving you completely defenseless unless you update software regularly. And also that major attacks (e.g. Equifax, WannaCry) happened because of unpatched software.

So please, update your software! This applies to laptops, phones, browsers, campaign websites - everything!

Why Do We Shoot Ourselves in the Foot in Cybersecurity?

In cybersecurity, we always live with a fog of threat surrounding us. Each day we learn of a new vulnerability or perhaps a successful attack. And some of these, for example, the recent SolarWinds attack, have a deep and lasting impact that can shake the foundation of our cybersecurity posture to the core. 

Too often we get consumed and sidetracked by false narratives around risk. After more than a decade in cybersecurity, there is one thing I know: not all threats are created equal, but unfortunately, they are often treated that way.

A few weeks ago there was an announcement of a potential vulnerability in one of the core protections that many of us promote for all users: security keys or tokens. These small pieces of hardware offered by two of our partners, Google and Yubico, are critical for primary account protection. So critical that DDC strongly recommends security keys to be the first thing every campaign should implement as soon as they launch. In the 2020 election cycle, DDC gave away more than 10,000 keys to campaigns.

So when I read the headline in The Hacker News: New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys,  it quickly got my attention and sent a shiver down my spine.

Upon reading the article, I saw an egregious example of what I call cybersecurity theater. It’s the way the cybersecurity community spins information to create drama around a potential threat. Unfortunately, it’s a common practice in the cybersecurity space.

To my mind, this does more harm than good and, in this case, verges on malpractice. These are strong words, I know, so let’s take a closer look.

 The headline is misleading. If you just based your reaction on the headline, and for many people that is all they will read, your takeaway might be that security keys are not effective. The risk is that some people might not adopt security keys since they read somewhere they can be hacked. Hopefully, this won’t be the case since what the researchers found is that keys are an effective security precaution. They create real obstacles to incursions when being used. 

Reading more deeply into the article--seven paragraphs down assuming you have made it this far-- you finally come to this:

“The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful. An actor will have first to steal the target's login and password of an account secured by the physical key, then stealthily gain access to Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.”

And finally in the second to last paragraph:

“Although the security of a hardware security key isn't diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.”

It’s not inconceivable that someone would come into my driveway one night, pop the hood on my car, disassemble my engine, remove a bearing from the driveshaft, put it all back together again, and depart before dawn. As we all know, anything is possible.

It took a long time for the idea that cybersecurity is about risk management to become a paradigm. The fact is that, viewed through a risk management lens, 99.9% of computer users are not at risk of being exploited through the vulnerabilities the researchers describe in this article. Don’t forget the headline that called this a “New Attack” when in reality the article describes a theoretical possibility, not a known event. Yes, a determined nation-state might make a go of it, although they would have to have boots on the ground around the target.

I fully support the role of cybersecurity researchers that probe networks, hardware, and software for soft spots, as well as the media that help spread important news in the field. Their role is critical. I think we need to hold ourselves and the way we present issues to the public to a higher standard. The researchers could have gotten just as much credit for reframing their findings in a positive way.

It is difficult enough to get most people to follow basic cybersecurity advice. Why would we shoot ourselves in the foot and make it even harder for the public to adopt one of the most significant actions they could take to be safer and more secure online?

Author: Michael Kaiser is the President and CEO of Defending Digital Campaigns. You can follow him on Twitter at @MKaiserDDC.

Campaign Cybersecurity Does Not End on Election Day

The votes have been cast. Campaigns that have been in motion for the last many months, growing quickly and adding people, technology, and data, are now winding down. Every campaign has digital assets that need to be secured when the election is over. In many cases, the campaign’s tech infrastructure will be used again. How you close your campaign and maintain it during the “off” times should be on your radar. Done right, you can keep the campaign’s assets secure and be ready to ramp up quickly when the time comes.

Here’s some advice from DDC and our partners on a secure wind down. 

Secure and protect key campaign credentials: Similar to during the campaign, protecting credentials is critical. Someone--the candidate, legal counsel, trusted third party--needs to retain access and/or know how to access (by having credentials) the campaign’s legacy technology portfolio. These could be things like your GSuite or Office 365 administration accounts, website, Dropbox, communication tools like Wickr, accounts with third parties for fundraising, data, etc. These credentials should be stored somewhere safe. If they need to be written down, just make sure they are kept in a secure location.

Some campaigns may choose to designate a person as the ‘Security & Credential Manager’ (SCM). This person will be responsible for retaining campaign login credentials across services and profiles, preserving security protocols, and maintaining ownership over vital campaign data. This person could be the candidate, a trusted staff member, or the campaign’s attorney.

Campaigns likely have many shared accounts where multiple staff members have access. That access should be changed following the campaign. Below is some site-specific information for popular services. In general, you can restrict access going forward by changing the password if it is a shared account with a single password, or by managing users in the account section of a service that has registered users. Of course, any password changes should follow good practices, making passwords long, strong, and unique, or better yet, using two-factor authentication like a Google Titan or Yubico Security Key.

Removing Access to Campaign Social Media Accounts: It is highly likely that during the campaign a number of different users have been given access to various social media accounts with posting and other privileges. Here are some tips for securing popular social media sites:

  • Facebook: Identify who has access to the candidate’s page and remove people as needed. Go to the candidate/campaign page and, under settings, click Page Roles. Here you will see all people associated with the page and their privileges (administrator, editor, etc.). Remove or edit privileges for everyone who is no longer working for the candidate.

    • Make sure to have at least one remaining person that is either the candidate or their designee with administrative privileges.

  • Twitter: Offboarding considerations: If users have connected to a Twitter handle, the fastest way to remove access is to change the password for the account. If users have connected via a tool like TweetDeck, their access will be canceled. Of course, any new password should be long and strong and again stored in safe keeping with the appropriate person(s).

  • Instagram: Similarly to Twitter, the best way to eliminate someone’s access to an Instagram account, business or personal, would be to change the password. If someone else is managing your account, like a Social Media Manager, and they will no longer be with the campaign, be sure to get the password from them when they go. Then, you can log in and change the login email address to one you have access to, and change the password as well. 

G Suite  

A large number of campaigns use GSuite to manage their email, documents, and other communications.

There are a number of steps to be taken to manage the G Suite account post campaign. Below are some actions that G Suite Admin should take:

  • Connected devices: During the course of the campaign, people with email accounts will have connected devices to the G Suite account. These will include a PC/laptop, phones, and possibly tablets. As part of the wind down process, someone should review a list of devices currently accessing G Suite data: From the Google Admin Panel, go to Devices > you will see boxes for Mobile and Endpoints (these are the PCs/laptops) > Devices.

    • You can manually remove the G Suite data from any device by selecting it and clicking the “Wipe Accounts” icon in the upper right of the table; if you want to delete the device, click on the three vertical bullets to see that option. This is also a good time to check whether there are any legacy devices, such as phones no longer in use by the candidate or others, and delete them as well.

  • Manage Users: You are likely going to want to delete or suspend users. You manage users via the Admin Console > Users. If you are a super admin, you can transfer files to another user that will remain active, if needed. You will get this option in the deletion process. There may be some users you want to suspend so you can reactivate the account later. This will disable login and therefore email/document access. You will still be billed for suspended users.

  • Shared Email accounts: Most campaigns will have at least one shared account where multiple users can access the inbox. Typical examples of these might be an info or press email. Some may be emails connected to the website. These accounts could have been set up in a number of ways.

    • Email Forwarding: A lot of times, emails that come into these accounts are auto forwarded to other accounts. In these cases, you would need to go into the inbox for that account (reset the password in the admin console if you don’t have it). Once in the inbox, go to settings > see all > forwarding. Here’s where you can edit where the emails get forwarded.

    • Shared Password: People access the account via a shared password. Change the password. If you are suspending or deleting users, their access will be terminated.

    • Auto Response: If the accounts are going to remain active, it might be good to add an auto response to any incoming mail. This would be good if they are attached to a website that’s still live. Just let people know whether the email will be responded to, along with any other pertinent information, like “email us” or “call us”. You can create this process from the inbox under settings > see all > general (first tab); vacations will be toward the bottom of the page.

For more information regarding managing your GSuite account, please see the Google Help page dedicated to supporting Admin GSuite users here: https://support.google.com/a/?hl=en#topic=4388346

Personal devices staff have used: In most campaigns, staff use personal devices for their campaign related activities. To the extent possible, it is advised to remove as much campaign data as possible from those devices. It may not be possible to force staff to change personal devices. That’s why doing some of the other measures of deleting users and changing passwords on accounts is so important. Here’s what you should aim to have staff do:

  • Uninstall any campaign-provided software or endpoint protection sensors (unless they can be converted to personal use)

  • Oversee the removal of any campaign data on phones, tablets, computers, etc.

  • If possible, it is recommended to wipe personal devices before departure (as above this can be done via GSuite for Google account data).

Website: Securing your website is important. There are a few issues to be aware of and address:

  • Domain registration: Your web address can expire. Like other key accounts, the account where the domain is registered should be on the list of accounts and credentials. If your domain is managed within Google, it will be accessible through the Admin Console. If the domain is registered via another service like GoDaddy, you will want to be sure to review the account and validate that the right contact person and email are associated with the account. This will ensure that any notifications, such as upcoming renewals, go to the proper person. In most cases, setting up auto renewal is the easiest way to stay current. You will need to be sure you are doing this for all domains. Many campaigns have variations like Janedoeforcongress.com (and maybe other extensions like .info or .us, which all need to be preserved), JaneDoeforAmerica.com, and Janeforanystate.com. These domains should be preserved for the next cycle and have likely been set up to auto forward to the primary campaign domain. Through the registration service, you can manage forwarding.

  • Certificates (SSL, etc.): SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. A website needs an SSL certificate in order to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. To get a free SSL certificate, domain owners can sign up for Cloudflare and select an SSL option in their SSL settings. This article has further instructions on setting up SSL with Cloudflare: https://support.cloudflare.com/hc/en-us/articles/360024787372-How-do-I-add-SSL-to-my-site-. You can also check to make sure SSL encryption is working correctly on a website with the Cloudflare Diagnostic Center: https://www.cloudflare.com/diagnostic-center/. The registrar of your account or your web developers should also be able to help with certificates.

A few other considerations:

1. GOOGLE TITAN KEYS/ YUBIKEYS- If you ordered Google Titan Keys or Yubikeys via DDC, they are yours to keep, and we strongly encourage you to continue using them. If you do not have them set up to secure your personal email account, we highly recommend it. 

For Google users, we also recommend enrolling your personal Gmail accounts in Advanced Protection Program using your Titan Keys. You can do this by logging in to your personal email account and visiting this URL, which will take you through enrolling in APP: https://landing.google.com/advancedprotection/. Please let us know if you need any assistance with this. 

And bring the keys to your next campaign to get off to a secure start!

2. LASTPASS TEAMS- If you signed up for LastPass Teams, the account is only free for 1 year, so when that period is over, staff will no longer have access to the team vaults or any shared folders of passwords (unless you pay to continue with LastPass Teams). For a smooth transition away from Teams, we recommend “removing” their accounts from the Teams account.  Doing so will transition their account from being a Teams User to being a Free User.  They’ll retain all account data. 

For an admin to remove a user: Go to the LastPass admin console > Users > select the desired user(s) > More Actions > Remove selected users from company.

It's also important to remember that if a LastPass account is connected to a user's campaign email address, they will lose access if the campaign email address is suspended. To resolve this issue and keep accounts intact, staff who are using a campaign address must:

3. CLOUDFLARE-  For those of you who took advantage of the free campaign upgrade of Cloudflare, Cloudflare has let us know that they plan on downgrading the domains in December, and will provide ample notice in advance. When they send out the notice, it will include an option to continue with the upgraded features, for a cost that they haven’t determined yet. If you don’t decide to pay to continue, that’s ok- you’ll remain on the free tier of Cloudflare, which is a great service as well. 

4. WICKR- As for now, WickrPro will continue to allow 30 free users per account. They are considering rolling it back to 10, but will be sure to give everyone advance notice if this happens.

For offboarding staff and removing a user from WickrPro - Wickr Pro Network Admins can simply open up the Admin Controls > Team Directory > Manage and delete the user who is leaving the campaign. 

If you have any additional questions about offboarding, or would like to set up a call to discuss an offboarding plan for you and your campaign team, please send an email to info@defendcampaigns.org and we’ll get right back to you with some options. 
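The wind-down steps above depend on each other: suspending a campaign address can strand a shared inbox's forwarding, a registrar's renewal notices, or a third-party login tied to that address. The Python script below is an added example, not DDC's or any vendor's tooling; the inventory format, the `.example` domains, and the dates are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory for a fictional campaign. The field names and the
# keep/suspend/delete plan are this example's own convention, not an export
# format of Google Workspace, LastPass or any registrar.
ELECTION_DAY = date(2020, 11, 3)
NEXT_LAUNCH = date(2021, 6, 1)   # assumed date the campaign expects to ramp up again

USER_PLAN = {
    "jane@doeforcongress.example": "keep",        # candidate
    "scm@doeforcongress.example": "keep",         # Security & Credential Manager
    "press-lead@doeforcongress.example": "suspend",
    "field@doeforcongress.example": "delete",
}
SHARED_MAILBOXES = [
    {"address": "info@doeforcongress.example",
     "forward_to": "press-lead@doeforcongress.example",
     "password_changed": date(2020, 9, 14)},
    {"address": "press@doeforcongress.example",
     "forward_to": "scm@doeforcongress.example",
     "password_changed": date(2020, 11, 6)},
]
DOMAINS = [
    {"name": "doeforcongress.example", "expires": date(2021, 2, 1),
     "auto_renew": False, "contact": "field@doeforcongress.example"},
    {"name": "doeforamerica.example", "expires": date(2021, 8, 15),
     "auto_renew": True, "contact": "scm@doeforcongress.example"},
]
THIRD_PARTY_LOGINS = [
    {"service": "password manager",
     "login_email": "press-lead@doeforcongress.example"},
    {"service": "fundraising platform",
     "login_email": "scm@doeforcongress.example"},
]


def retained(plan):
    """Addresses that can still log in and receive mail after wind-down."""
    return {addr for addr, action in plan.items() if action == "keep"}


def audit(plan, mailboxes, domains, logins, election_day, next_launch):
    """Return (category, item, problem) findings for the wind-down review."""
    keep = retained(plan)
    findings = []
    for box in mailboxes:
        # Shared passwords known to departed staff must be rotated after the campaign.
        if box["password_changed"] <= election_day:
            findings.append(("shared-mailbox", box["address"],
                             "shared password not changed since election day"))
        # Forwarding to a suspended or deleted account silently drops or leaks mail.
        if box["forward_to"] not in keep:
            findings.append(("shared-mailbox", box["address"],
                             f"forwards to {box['forward_to']}, not a retained account"))
    for dom in domains:
        # A domain that lapses before the next cycle can be registered by someone else.
        if not dom["auto_renew"] and dom["expires"] < next_launch:
            findings.append(("domain", dom["name"],
                             f"expires {dom['expires']} with auto renewal off"))
        # Renewal notices must reach someone who still has a working inbox.
        if dom["contact"] not in keep:
            findings.append(("domain", dom["name"],
                             f"registrar contact {dom['contact']} is not a retained account"))
    for acct in logins:
        # Accounts tied to a campaign address lose recovery mail when it is suspended.
        if acct["login_email"] not in keep:
            findings.append(("third-party", acct["service"],
                             f"login {acct['login_email']} is not a retained account"))
    return findings


if __name__ == "__main__":
    for category, item, problem in audit(USER_PLAN, SHARED_MAILBOXES, DOMAINS,
                                         THIRD_PARTY_LOGINS, ELECTION_DAY, NEXT_LAUNCH):
        print(f"[{category}] {item}: {problem}")
```

Run it before suspending or deleting any users, so that forwarding rules, registrar contacts, and third-party logins can be moved to a retained address first.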

Q and A with Larkin Ryder, Director of Product Security at Slack

Secure communication inside a campaign is critical. Oftentimes, campaign staffers and their vendors and consultants share highly sensitive data. Most campaigns use some form of information sharing and communication technology outside of traditional email or texting, and at DDC, we know that many campaigns use Slack. We had a great opportunity to ask some questions to Larkin Ryder, Slack’s Director of Product Security, and get some advice about how campaigns can more securely use Slack.

Campaigns have many communications tools available to them. What are the benefits of Slack or any tool that allows stronger team communications? 

Slack provides rich features for securely optimizing the work you do every day. Slack helps keep teams organized by dividing the various components into channels focused on specific projects, goals, or team-members. Users have control over who has access to and what type of information is stored in each channel. We also recently launched Slack Connect, a communications environment that provides a secure and productive way for organizations to communicate and collaborate with external parties within a shared channel.

Slack integrates with other productivity and software tools that you may already be using for your campaign, reducing the overhead and risk of switching between apps. It will change the way you work, the speed at which your organization can meet its goals, and how you organize projects.

Additionally, it’s worth noting that the number one attack vector leading to data breaches is phishing via email. Email is like having a front door with no lock on it. As the Director of Product Security at Slack, I’m lucky that all of our communication and collaboration is done in Slack. 

The people who you engage with in Slack are, for the most part, people with whom you already have a trusted relationship. This makes it easier to share information and to collaborate safely without the additional cognitive load of “should I click on this link?” and “am I okay to download this file?”

One of the issues we see in campaigns is that while they have many ways to communicate, they don’t always know which tool to use for which kind of communication. What advice do you have for campaigns around how Slack can fit with their overall communications practices and security practices?

I believe that you get the most benefit out of Slack the more you use it. Once you establish your Slack workspace (picking a team name and inviting members), you have a variety of communication conduits at the team’s disposal:

  • Public channels for topics of general interest and projects where anyone might need to contribute; 

  • Private channels for projects and data only relevant to a subset of team members;

  • Direct messages (DMs) between two people or among a larger group for more transient and point-to-point conversations.

Slack lets you upload and share a variety of assets: files, images, code snippets, etc, in each of these conduits. Assets shared within a public channel are readable and searchable for every member of the Slack workspace. Assets shared within private channels or DMs are only visible to the members of those conversations.

If you are using GDrive, OneDrive, Box, etc, you can still use Slack to share links to these documents. Slack provides robust integrations with these file-sharing services, enabling access control and search indexing at your discretion. 

For some file-sharing services, Slack’s robust integrations give you the option to adjust permissions on your file to share with channel members from within Slack. I love this feature! I can keep all the documents I create in GDrive locked down. Then, when I paste the document link into a Slack message, Slack will prompt me to adjust the permissions. With one click, I can enable document sharing ONLY with the people already in the channel. I don’t have to remember and type the email address of each person with whom I want to share the document. I can respond to incremental document access requests from within Slack, too. This is a great example of how well-designed product integrations that reduce overhead and friction can also improve security.

Not all software and platform providers secure their platforms the same way. What is Slack’s approach to protecting users and data? 

This is a great question. Protecting the privacy and security of our customers' data is a top priority for Slack and independent agencies regularly certify that we meet the highest standards for information security management and protecting personal data in the cloud. Many government agencies, financial institutions, and other enterprise companies in regulated industries currently rely on Slack to keep their data secure and meet their compliance requirements. Slack provides extensive information on our website about our privacy and security practices. I’ll touch on a few highlights here, so you can get a sense of Slack’s extensive security program, but please visit https://slack.com/trust for a longer description of how Slack ensures the security and privacy of our service.

First and foremost, we spend a great deal of time evaluating the effectiveness of the security program itself. We engage world-class auditors to scrutinize our security program and we hire top-tier testers to try to break into our systems. We do this repeatedly and we encourage our customers to do it, too. We build our service using industry best practices for secure software development and constantly monitor our infrastructure for unexpected or suspicious activity. 

Let’s talk a bit more about data encryption. While “end-to-end” encryption is often touted as the safest choice, “end-to-end” encryption essentially means that a user has to be in possession of a specific device in order to read the data (or to enable another device to read the data).  While Slack’s service doesn’t require this (you can log in to Slack from any browser), Slack does encrypt all data in transit and at rest, meaning there are a number of protections already in place that help secure your data:

  • Users can enable two-factor authentication so that there’s an extra layer of security in addition to the password. This ties account access, and thus data access, to a device in the user’s control.

  • All communication between user devices and Slack’s servers is encrypted using strong encryption, meaning no plaintext data ever travels over internet connections.

  • All data is encrypted while at rest on Slack’s servers, meaning your data is protected even if an unauthorized person tries to access your information while in storage.

When an organization or campaign sets up a new platform like Slack they may be in a rush or not fully aware of all the settings available. What security features should all Slack teams enable? 

There are a handful of Slack features you should use to make sure that any Slack workspace is safe. You may need to coordinate with the administrator of your Slack workspace to make sure these settings are in place:

  • Two-factor authentication (2FA) requires users to be in control of a physical device, usually a phone but sometimes a smart token, in order to complete a new login. You should use 2FA to log in to any web-based service that contains data you care about. Your Slack administrator can make 2FA mandatory for all users of your Slack workspace. It’s easy to set up. Here are the instructions: https://slack.com/help/articles/204509068-Set-up-two-factor-authentication 

  • Admin app approvals prevent users from installing new app integrations on a Slack workspace that haven’t been reviewed and approved by an administrator. This ensures that no one outside your workspace can read your data unless you trust them. The Slack app directory has many amazing and useful tools from very security-conscious vendors (Salesforce, Google, ServiceNow, etc., etc.), but there are small app vendors whose security capabilities may not yet align with your security risk tolerance. Admins should exercise appropriate diligence on behalf of their teams. This guide walks you through setting up your configuration and process for safely managing apps on your Slack workspace.

  • Access log reviews can be done by any user. If you visit https://my.slack.com/account/logs, you can see a record of each connection event to Slack. It’s not exciting reading, but it’s a good idea to review those access logs weekly. And if you see something unexpected, tell your Slack admin immediately!

Campaigns fluctuate in size quite a bit. What is Slack’s approach to user management?  What advice do you have for campaigns to manage users? 

Managing user membership in your Slack workspace conscientiously is one of the most important things you can do to protect the security of your Slack workspace. Generally, a good security practice is to adhere to something called the Principle of Least Privilege, wherein you strive to limit each user to the minimum set of capabilities necessary for them to do their job. This can be accomplished by periodically reviewing how your users’ responsibilities and relationships to your organization have changed. 

Slack offers several different classes of users and it’s important to understand the differences. 

  • Guests 

    • Guest accounts are only available on paid plans and have limited availability. There are two types of guests:

      • Single-channel guest (or SCG) -- These users may only be invited to a single channel that the admin specifies. However, they can see profiles of and DM other users who are in the same channel.

      • Multi-channel guests (or MCG) -- These users may be invited to multiple channels. Any full member can invite the MCG to a new channel. MCGs cannot add themselves to channels or see any channels they are not invited to. They can see profiles of and DM other users who are in the same channels.

    • PRO TIP: Set an expiration date when you add a guest user to your Slack team. You can always extend it later or reactivate their account. This saves you from letting less trusted members of your organization overstay their welcome. 

  • Full members - Full members can add or remove MCGs from channels, DM all other users in the workspace, post in and read from any public channel, etc. It is possible to give full members a wide variety of permissions or to reserve them for admins. For example, should full members be allowed to invite other users to your team, or should that ability be reserved for admins? 

  • Admins -- Admins control the configuration of your Slack workspace (except in a very few cases that are reserved exclusively for owners). They control who else can take on admin tasks, including adding users, integrating apps from Slack’s app directory, managing channels and many other day-to-day administrative tasks. 

  • Owners -- Owners have the ultimate authority over your Slack account and own the relationship between your organization and Slack. They control features like billing, authentication and access, security policies, etc. There can be only one Primary Owner, but the Primary Owner can transfer this responsibility to another user. 

You can find more details on the permissions of each user role here

On a related topic, campaigns—win or lose—shut down after elections. Some may just be on hiatus until the next cycle. What are steps campaigns using Slack should take when they close or are in hibernation?

When you shut down a campaign, you may wish to shut down associated Slack workspaces. The workspace Owner can delete the workspace, which will remove all of the data from Slack’s backend.

If you want to maintain your team (maybe you’ll be working together again soon), you can keep it active. Depending on your payment terms, Slack will only bill you for the users who are using Slack, based on Slack’s Fair Billing policy. 

From a security perspective, I recommend removing non-essential users from the team. The fewer people with access, the safer your data will be. 

I also recommend reviewing any documents you might have shared. If you are using Slack Connect, shared channels can be disconnected. The channels freeze when disconnected and can’t be modified by either team, but the data is still readable. You can reconnect the channel again in the future, if needed.

Note that Slack’s retention policy will still operate! If you have a 30-day retention period for any channels or your workspace overall, your data will still disappear once it is 30 days old, regardless of whether or not you are using it. 

What are one or two cool things you can do on Slack that most users don’t know?

This is the hardest question! Slack has so many cool features. Here are the handful I can’t live without:

  • Quick switcher (CTRL-K) is a command I hope everyone knows about, but just in case, I’m putting it here. This will allow you to navigate Slack, to find messages or files or channels or people and jump right to the place you need to be. Just type <CTRL-K><thing-you-want-to-get-to> and the search results pop up showing the channels, people, files, or messages you are looking for.

  • Reacji channeler is a fun way to organize your messages. Reacjis are the use of “emoji reactions” to respond to a message as a way to confirm receipt, give feedback, and/or reinforce the company’s culture in a quick and efficient way. With reacji channeler, using reacji, you can send a message to another channel. Obviously, it’s good to use less common reacji for this feature. 

  • Link pasting is so easy in Slack. Copy the link, highlight the text to “linkify” and paste. Voila! Your text is now linked and clickable. 

  • Reminders are incredibly easy to set in Slack. Using /remind and simple phrases you can set up reminders for things you (and others) need to do later. Reminders can go to yourself, to others, or to a channel. Reminders can be one time only or recurring. You can use simple phrases. No need to remember complex syntax. For example,

    • /remind me to take out the trash tonight

    • /remind @johnsmith to call Stephanie for an update on 9/19/2020 at 2pm 

    • /remind #proj-lexicon “it’s time to post your status report” every Thursday at 9am

Wow, that was a lot, but I hope it is useful information. The Slack Help Center is also a great resource. You can use your web browser to search on most any how-to question and get an easy-to-follow guide for Slack. Finally, our wonderful customer agents are also a terrific resource. In your Slack desktop application, just click the (?) icon to the right of the search box at the top to get more help. Thank you for all you do to keep our elections secure!

It's Not Too Late to Secure Your Campaign

With less than 3 weeks to go before Election Day, it’s never too late to enhance the cybersecurity of your campaign. With DDC's help, it can be done quickly and for free!

Here are some low-lift things campaigns can still implement and how DDC can help:

  • Using the strongest authentication possible. Google convened more than 40 campaign and cybersecurity experts seeking their most important cybersecurity advice for campaigns, and the clear answer was to secure accounts with multifactor (or two-factor) authentication. DDC can help secure accounts with:

    • Free Google Titan Security Keys. DDC eligible campaigns now get overnight shipping and our onboarding specialist can help you turn on Google’s Advanced Protection Program. Keys can also be used to secure social media accounts and your phone can be set up as a key!

    • Free YubiKeys from Yubico (first 10 are free, then 50% discounts for more) are usable across the internet to secure accounts and with Microsoft products. Contact us for more information and onboarding assistance.

    • LastPass password manager. Strong passwords are critical and password managers help create good password practices. DDC can help you get LastPass for free and onboarded on your campaign. This can be up and running within one day.

  • Secure your website. Protecting your public-facing presence is critical as web traffic likely increases as the election nears. DDC can help you get Cloudflare for Campaigns up and running and protect your site from Distributed Denial of Service (DDoS) attacks and much more. Depending on current configurations, Cloudflare can be implemented in just a couple of hours. All you need to do is connect us with your web firm, and DDC and Cloudflare can take care of the rest. 

  • Secure your social media accounts. Social media is one of the most important channels campaigns use to communicate with supporters. These accounts can also be a target for disruption by adversaries. Securing them and making sure you are using the social media companies’ tools to protect campaigns is easy and quick to implement. Contact us for information on securing your accounts, and read our blog on Securing Your Social Media Accounts with Facebook Connect.

  • Communicate privately and securely. Most campaigns we talk with are already using Wickr or Signal. Make sure staff know what is to be shared through those channels. If you are not using secure communications, DDC can help you onboard Wickr quickly (free for campaigns with fewer than 30 staff members).

  • Be ready if anything goes wrong. If a cybersecurity incident should occur, you want to have done at least some planning. Read our recent blog Is Your Campaign Prepared for A Cyber Incident? for some basic questions you should be ready to answer if something happens.

  • People are one of the best cybersecurity defenses. Consider a one-hour training from Foresight2020 to help staff use technology more securely. DDC can help organize.

The Cybersecurity and Infrastructure Security Agency at DHS (CISA) held a summit, Defending Democracy. Watch our panel featuring DDC, Google, and Microsoft on efforts to protect campaigns.

 DDC is ready to help in any way we can. Contact us at info@defendcampaigns.org and get your campaign secured as quickly as possible.

Is Your Campaign Prepared for a Cyber Incident?

Recently, Microsoft reported that nation-state adversaries were targeting political campaigns and their vendors in an attempt to access systems and data. Adversaries seeking to disrupt our democratic process know that the impact of their attacks will be greater as election day nears and campaigns have a shorter window to respond internally as well as to the public. Therefore, DDC expects that efforts to breach campaigns will increase, and unfortunately some will be successful. Clearly, taking steps to prevent an incident in the first place is a high priority (see our blog on steps to make campaigns more secure). 

Despite the best efforts to prevent a malicious cyber incident, it is possible that such an event could occur.  A campaign that suffers a cyber incident should be prepared to respond and recover from the potential negative impact on operations and their public image. 

Cyber incidents take many forms, from infiltrating networks and stealing data to defacing or altering websites to freezing systems and demanding a ransom. And while we think of cyber incidents mostly as nation-states, hacktivists, or cybercriminals trying to disrupt or do harm to our democracy, they can also be accidental. For example, a laptop with sensitive or personal information gets lost or information gets incorrectly forwarded. They can even be as simple as a staffer or volunteer clicking on a link that in retrospect seemed suspicious.

Some incidents may not involve the campaign’s technology or network. Instead, you might be notified by a third party you work with directly that they have had an incident and campaign data or sensitive information is at risk. In some cases, incidents are neither nefarious nor an internal accident. For example, how would you respond if a key vendor went down because of a cyber attack or a natural or manmade disaster restricted or closed off access to the internet or other technologies? 

You need to be prepared for all!

It is unrealistic for campaigns to create comprehensive written and practiced incident response plans. However, doing some basic preparation around initial steps the campaign will take is not complicated or time-consuming, and will be time well-spent should an incident occur.

The first step is having a core internal team that will create an approach and be alerted and respond to incidents. Team members should, at minimum, include the campaign manager, finance director, and any person or vendor handling your IT or security. Engaging your candidate in the development of your incident response is not required. However, the candidate should be among the first people notified, if not the first, if an incident occurs.

Ideally, in advance, the core team would have thought through these questions and issues:

  • In addition to the core team, who are the people that need to be alerted? For example, legal, PR/comms, compliance, incident response vendor, and other vendors that could be impacted by an incident, such as data and fundraising (you could add any of these to the core team as well).

  • Have you created a way for campaign staffers and others directly involved in the campaign to report an incident? Do people know who to reach out to and even that they should reach out if they see something concerning? Setting a tone that encourages reporting, even if the user made a mistake, is an important part of detecting an incident. It can also lead to immediate mitigation: if, for example, someone clicked on a bad link, prompt reporting may allow any malicious behavior to be prevented.

  • How will you handle PR/communications? Some organizations have been judged more harshly about how they handled an incident, including communications with impacted people, than they were about the incident happening in the first place.

  • In the event current technology becomes unusable, what are the contingency plans for maintaining continuity of operations until the technology is online again? Is there a way to revert to alternatives (e.g., another network or paper) if needed for creating records? How would you communicate internally with staff, volunteers, or vendors? Are you prepared to replace technology that may no longer be available or usable? 

  • With legal and compliance, understand your obligations to people directly impacted. Most states have data breach laws. You should know the requirements of your state (and of any other states where supporters’ data has been lost). You could be mandated to notify people in a specific manner, such as actually mailing them a letter, or have other obligations to people whose data is lost or potentially lost. If a vendor loses your data, you are going to want to be sure that they do the right thing by your supporters because whatever they do will reflect on you.

  • Talk to key vendors about their incident response plans. Most campaigns have many third-party vendors. You should ask them about their cyber incident plans and evaluate your comfort level with how they will respond. At this late date, a campaign is unlikely to jump ship because of a vendor’s response.  However, if you think a vendor may have a weak or deficient plan, you can ask them to do better and/or be prepared to enhance your response if that vendor is impacted. 

As a campaign, you know that you are under a microscope. Being prepared for an incident and responding in an organized and professional manner not only lessens the impact but also demonstrates leadership and resilience.

Other Resources

Belfer Center Cybersecurity: Playbook for Campaigns

Critical Infrastructure Security Agency: Cyber Essentials

Five Cybersecurity Steps For Every Campaign Before Election Day

The 2020 election cycle is moving toward the final phase. Yes, there are still a few primaries to go but for the most part, ballots are set and campaigns are gearing up to get their candidates elected.

Now is an opportune moment for campaigns to shore up their cyber defenses to protect their staff and volunteers from potential threats. Here are five cybersecurity steps every campaign should take before Election Day: 

  1. Turn on the strongest form of MFA or 2FA to protect accounts

  2. Secure your website

  3. Use and/or enforce the use of encrypted communications

  4. Encourage staff and others to secure accounts

  5. Be prepared if an incident occurs

 Learn more about each of these and how Defending Digital Campaigns can help.

1.  Turn on the strongest form of MFA or 2FA to protect accounts: 

IF YOU ONLY DO ONE THING FOR THE REMAINDER OF THIS CYCLE, IMPLEMENT ACCOUNT PROTECTIONS!

Two simple truths: if you work on a campaign you are a target, and phishing and attempts to steal account logon information and credentials are the most likely ways a campaign will be hacked. 

Protecting accounts from being compromised is the most important cybersecurity priority for a campaign. A bad actor that gains access to email, share drives, social media, finance, or website editing accounts can do extraordinary damage to a candidate and a campaign. 

To achieve the best forms of protection, turn on multi-factor authentication, sometimes referred to as MFA or 2FA (two-factor authentication), on every account that allows it. If your campaign is using G Suite, you will want to use their Advanced Protection Program, often referred to as APP (https://landing.google.com/advancedprotection/). If your campaign is using Office 365, you will want to use Account Guard (https://www.microsoftaccountguard.com/en-us/). Both require the use of a security key—a small piece of hardware that plugs into a USB port.

DDC has FREE keys for campaigns from Google and Yubico and can even help your team implement them with the assistance of our Onboarding Specialist, who can hold a quick training for your team. The same keys can also be used to secure social media accounts on Facebook and Twitter as well as many other services across the internet. If MFA is not available on important accounts, implement a password manager such as LastPass (available for free through DDC) or at minimum enforce password creation policies that result in long, strong, and unique passwords.

2. Secure your website: 

Your public-facing presence is your candidate’s brand and connection to the community. Campaigns use their websites as a portal to introduce their candidate and his or her positions as well as for fundraising and in many cases to provide valuable information to voters about how to register and vote.

Websites can be vulnerable to various kinds of attacks, including being defaced with objectionable messages, brought to a standstill via an attack that overwhelms a web service (known as a DDoS attack), and/or having content altered, resulting in false information about a candidate or other critical information. DDC can provide access to a FREE account from Cloudflare (https://www.cloudflare.com/campaigns/usa/) that will protect your site from potential threats.

3. Use and/or enforce the use of encrypted communications:

Campaigns generate and share vast amounts of sensitive data and information. How and who that data can be shared with should be codified for campaign staff in a written or oral policy. 

Many campaigns we speak with report informal use of services like Wickr or Signal, which is a great start. However, most don’t have a specific policy about what is OK to share via email and what should only be shared in an encrypted channel. Communicate with your staff about how sensitive campaign data should be shared. DDC’s Onboarding Specialist can help campaigns set up Wickr, which is free for campaigns with fewer than 30 people, and reduced rates are available for larger campaigns through DDC.

4. Encourage staff and others to secure personal accounts: 

Bad actors trying to access your campaign will use many methods. One that is tried and true in the campaign space is attempting to compromise the personal emails and accounts of campaign staff, the candidate, the candidate’s family or close confidants, or third-party vendors because the assumption is they are not as strongly secured as campaign email.

If you have implemented security keys at the campaign, in most cases those keys can also be used to secure personal email accounts. Even though campaigns likely cannot enforce security on personal or third-party accounts, they should at minimum be educating and encouraging anyone closely associated with the campaign to secure email and other sensitive accounts. Contact us for a discussion about how to secure personal accounts and expand the perimeter of protection for your campaign.

5. Be prepared if an incident occurs: 

The common cybersecurity wisdom is that as the election approaches activity by bad actors will increase. Therefore, some incident response planning should be done even if it’s just the campaign manager and/or the finance director taking a few minutes to put together a short list of steps to take if something goes wrong. Questions to answer include: 

  • Who are the people that need to be alerted (e.g., legal, comms, IT vendor, incident response vendor, law enforcement)?

  • In the event of an attack that renders technology unusable (for example ransomware), what are the contingency plans for maintaining operations (for example, maintaining paper records) until the technology becomes available? 

  • How will the campaign communicate with anyone directly impacted by the breach as well as the general public and the media? 

If you are a campaign of over 25 people, contact DDC about potentially getting a free incident response retainer from Atlantic Data Forensics and discounted rates for response. 

Of course, there are other steps you can take as well, including building a culture of cybersecurity through training and educating staff. DDC has several training partners, including Foresight2020, Elevate Security, and Cybrary, all of which are free to eligible campaigns. You can also protect mobile devices with our partners Lookout and Zimperium, and protect against phishing with Agari and Area1.

DDC is here to help, and it’s quick and easy to get started! The best way to start is to schedule a quick call so we can guide you through some ideas about the best ways to secure your campaign. Email us at info@defendcampaigns.org and we will get the ball rolling!

Securing Your Social Media Accounts with Facebook Protect

Social media is critical to most campaigns, providing opportunities to interact with supporters, convey key messages, fundraise, and advertise. In this COVID-19 world we are currently living in, social media platforms have become imperative to maintaining connections through engaging posts and live online events that replace retail politics, the lifeblood of many campaigns.

Successful social media efforts require constant engagement with the platform. Therefore, campaigns frequently have multiple people—staffers and volunteers—managing pages, posting information, and responding to comments, potential voters, and supporters.

Unfortunately, social media platforms are also used in nefarious ways. Bad actors can try to hack social media accounts to post false and misleading information appearing to come from the campaign, comment with links to bad information or phishing sites, try to agitate supporters, and more.

Campaigns need to balance the good that comes from the reach and engagement of social networks while protecting against the risks.

Facebook has a special program for campaigns called Facebook Protect (https://www.facebook.com/gpa/facebook-protect).  The program is voluntary and helps Facebook to more quickly detect any potentially suspicious account activity by monitoring for attempts to hack the account, such as unusual login locations or unverified devices.

Facebook Protect is designed for:

  • Candidates of federal, state and local offices and their campaign staff

  • Federal, state and local elected officials and their staff

  • Representatives from federal and state political party committees and their staff

  • Federal, state and local agencies and departments’ Page admins who have a role in the elections process

  • Any person or group with a blue badge-verified Page who is involved in the elections process

To get started with Facebook Protect, your page needs to be blue badge-verified. To start the process of verification you can go here: https://www.facebook.com/help/1288173394636262

If you use other Facebook products, increase your level of security by turning on multifactor authentication:

At Defending Digital Campaigns, we offer free and reduced-price cybersecurity services to help campaigns implement better cybersecurity. We can also help you onboard cybersecurity products and services we make available, including helping you secure your Facebook account. 

We are thrilled to partner with Facebook to help campaigns secure their social media! The best way for campaigns to get started is to have a quick call with us. Please reach out to info@defendcampaigns.org to schedule an introductory call.

Cybersecurity for Campaigns: Understanding and Reducing Your Risk

Image source: https://www.nist.gov/cyberframework

If you are a candidate, campaign manager, or staff member, you should be concerned about the risks of a cyberattack and the subsequent impacts should an incident occur. Attempts to compromise campaigns come from a variety of potential bad actors, including nation states looking to disrupt our democracy, cybercriminals looking to steal data they can monetize, and people that are opposed to candidates for any number of reasons. Incidents can also occur if campaign staff make mistakes or a device is lost or stolen.

Defending Digital Campaigns (DDC) was created to bring free and low-cost services to House, Senate, and Presidential Campaigns as well as National Parties and Committees. To date, more than 120 campaigns have taken advantage of one of the free or reduced-price services from one of our partners.

The generosity of the private sector to work to preserve the integrity of our electoral process is tremendous. However, understanding which products your campaign needs is about understanding your risks and applying the right products to your environment.  Campaigns differ from traditional organizations in a number of ways: what technology they use, how they grow, how long they are around, the different ways people interact with the campaign, and the high percentage of staff and volunteers that bring their own devices.  

Where to Start?

Rome wasn’t built in a day and the cyber defenses of a campaign aren’t either. You need to have a lens to evaluate your needs and build your cybersecurity posture over time as the campaign season unfolds and risks change. 

At DDC, we highly recommend applying the National Institute of Standards (NIST) Cybersecurity Framework to creating your approach to cybersecurity. NIST is a part of the US Department of Commerce, and The Cybersecurity Framework was developed in a collaboration between NIST, industry, and civil society. It is a simple non-technical way to think about protecting your campaign. It has five steps to establishing stronger cybersecurity:

Identify: What are the most valuable technology and data assets you have to protect and who is in need of protection? Prioritize your cybersecurity efforts from protecting the campaign’s “crown jewels.” Identify technologies in use including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored.  Don’t forget about your website as a valuable campaign asset. Because campaigns have many people interacting with the effort, lines between who is on the campaign and who is not are often blurry. Think beyond the candidate, staff, and volunteers to the spouse, children, consultants, and close confidantes with access to vital information needing protection. Campaigns often have accounts with shared access by several staffers such as social media or email accounts. Because campaigns fluctuate in size, needs will be different as you move from the primary to the general election.

Protect: Protect covers the measures you take to strengthen defenses. You begin around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available; protecting devices with endpoint protection; using encrypted communications for sharing sensitive documents or conducting confidential communications; protecting your website; setting up systems using security and privacy settings in the software you use (G Suite, Office); and ensuring software is up to date or patched. Since phishing as well as common mistakes can lead to cyber incidents, cybersecurity training for campaign staff and volunteers adds a layer of protection. Redundancy, in the form of data backups, reduces the impact of an incident or damaged or lost machines and mitigates the paralysis that can occur from a ransomware infection. Maintaining awareness of the threat environment and sharing with staff can increase protection.

Detect: Detection is becoming aware that something is wrong. This could include automatic notifications of things out of the ordinary such as suspicious email, unauthorized attempts to access a protected file or other areas of a network, a potentially dangerous download, and/or a machine being compromised. Your team is also part of your detection efforts. Campaign staff or volunteers may be the first to see a phishing attempt or suspicious information requests like immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported serve as an early warning system. Unfortunately, detection sometimes occurs when something significant has already happened, like being notified you have ransomware.

Respond: Being ready with a plan should an incident occur is an important part of cybersecurity. Your goal is to reduce downtime and get systems up and running as quickly as possible. Giving thought to alternatives to using technology, such as accepting donations by phone and keeping a paper record while technology is not available, can reduce disruption. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Develop a communications plan to proactively inform the public and the media. Be prepared to access IT support to remediate any damage to technology and consider having a forensic specialist available to investigate the attack or incident.

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents, and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection.

How do I get started?

The best way to get started is by asking yourself, an IT or cybersecurity professional, or an outside consultant to answer the following questions:

  • What are the important technology and data assets that if compromised would most impact the campaign?

    1. What and where are the devices we use--phones, computers, printers, software?

    2. What are the most critical data assets that if lost, compromised, or access was curtailed would most hamper operations, be fodder for the media or opposition, or could be seen as a violation of trust by the public? 

    3. Who are we identifying as being part of the campaign? Do we need to include family members, other people close to the candidate, and their family members, key consultants*?

    4. What accounts are in need of protecting--financial, social media, third party apps for fundraising, voter lists--and who can access those accounts?

    5. How will risks change over time as the election gets closer or a race becomes more contentious?

  • What has the campaign done to provide protection for these critical technology and data assets? What protections are in place for the campaign website? 

  • How would we know if something went wrong?

  • Are we prepared with a response? 

    1. Who are the people that need to be alerted (e.g., legal, comms, incident response vendor)?

    2. What are our contingency plans for maintaining operations until the technology becomes available?

    3. How will we communicate with anyone directly impacted by the breach as well as the general public and the media?

  • How will we take lessons learned from an incident and strengthen the campaign going forward?

If you are a House, Senate, or Presidential Campaign, please reach out to us at info@defendcampaigns.org and set up a short call and we can determine your eligibility for our services and get your cybersecurity efforts up and running.

*You may have key consultants or other third-party providers critical to the campaign. Understanding what data they can access or is shared with them, and how they implement cybersecurity to protect your data, is critical. Even asking them to use the NIST Cybersecurity Framework or to answer these questions is a good exercise to be sure they are protecting the campaign.

Q and A with Matt Rhoades, Campaign Veteran, and DDC Co-Founder

We had an opportunity to pose some questions to our founding Board Member and a prominent political consultant in the Republican party, Matt Rhoades.

Mr. Rhoades currently serves as Co-CEO of CGCN Group, an integrated advocacy and strategic communications firm that specializes in helping corporations, nonprofits and trade associations navigate complex legislative and regulatory issues.

Mr. Rhoades gained prominence working at the highest levels of political organizations and campaigns. As campaign manager for Governor Mitt Romney’s 2012 presidential campaign, he successfully guided Governor Romney’s campaign to victory through a crowded field of candidates in the Republican presidential primary.

DDC: When did you first become aware of the importance of cybersecurity for campaigns?

Matt: In 2011, when I was managing Mitt Romney’s presidential campaign. We discovered that our campaign had been hacked by the Chinese government during the primaries, and cybersecurity became a very real issue, very quickly. Unfortunately, this forced us to use precious campaign dollars on higher levels of network security rather than on winning votes.

DDC: Defending Digital Campaigns was created after an initiative you participated in at the Belfer Center at Harvard creating cybersecurity playbooks for campaigns and election officials. What are some key takeaways from that effort?

Matt: The political climate was hyper-partisan after the 2016 election, and my experience at the Belfer Center helped elevate a serious issue in a non-partisan way. Cyber-attacks are a threat that does not discriminate between parties – Democrats and Republicans need to work together to solve this problem and defend America’s campaigns.

DDC: What led to the creation of DDC?

Matt: Robby Mook, Debbie Plunkett and my experience at Harvard played a big role in catalyzing the creation of DDC. We realized that our work could continue, and really make a difference if we created an independent, bipartisan organization that both Democrats and Republicans could get behind. 

DDC: The campaign world is adversarial. Yet, there is strong agreement that providing cybersecurity needs to be done in a bipartisan, nonaligned manner. Why is that so important? 

Matt: After the 2016 elections, the focus was exclusively on Russia. This attention was warranted, but it left us blind to possibly even more serious threats in China, Iran, North Korea, and even here domestically. We’ve learned that cybersecurity threats can come from anywhere, and anyone can be a target. Nation states and domestic hackers don’t care if you’re a liberal or conservative – they care about creating chaos and discord in our country. That’s the type of problem Americans can only solve if it’s united. 

DDC: Why is it important to offer cybersecurity services to campaigns for free or at a low-cost?

Matt: Good campaigns are cheap – they can’t afford to be worried about paying for cybersecurity software. I ran a presidential campaign and even we couldn’t afford that additional expense. How can local campaigns be expected to? All that campaigns should be focused on is winning votes, and offering these services for free or at a low cost allows that. 

DDC: It's undeniable that campaigns will look different this year due to COVID-19. Any advice about how campaigns should operate in this new environment?

Matt: Campaigns are always forced to make changes, and good campaigns always adapt to the environment they exist in. Be smart, make changes quickly, and don’t be scared.

If you are part of a US House, Senate or Presidential Campaign, your campaign might be eligible for Defending Digital Campaigns’ free or reduced-price cybersecurity products or services. Email: info@defendcampaigns.org