The latest cyber attack on a major party campaign committee should lead to greater demands on vendors and consultants to implement stricter cybersecurity protocols.
That’s according to Brian Franklin, a Democratic media consultant who launched the cybersecurity practice Campaign Defense to better address security issues in the campaign space.
The campaign committees, he said, “have had their hands full just getting their own internal compliance going and now that they’re getting better at that—theoretically—the question is, how much of that is filtering down to all of the campaigns and all of the people who are interacting with those committees—the vendors for those committees?”
To improve industry cybersecurity practices, Franklin said both major donors and decision-makers at committees and large political organizations should mandate improved cybersecurity from their vendors and consultants. “Say, ‘you’re not getting a dime until you do these 10 things,’” he said during a C&E event in D.C. on Dec. 4.
A report last week revealed staff at the NRCC were hacked during the midterms and that the attack compromised access to their email accounts. Four senior committee staffers had their inboxes surveilled for several months by a foreign intruder before the hack was detected by a committee vendor, according to Politico. No donor information was compromised during the incursion, and information from the emails hasn’t been leaked publicly.
Still, the fact that those email accounts were penetrated shows the industry still has work to do to change the culture around cybersecurity, said Franklin.
“Digital consultants don’t really want to spend a lot of time talking about how insecure they are,” he said. “If you can solve the cultural problem, then the technical solutions will be able to be implemented very well.
“You’ve seen that at the committee level, where they have gotten a good level of compliance, but that hasn’t spilled downward,” he added, noting that in a bring-your-own-equipment industry, committees and groups are only as secure as the vendor with the worst cybersecurity practices.
“If I’ve got one complaint against the committees, it’s that they haven’t made this mandatory,” Franklin said of cybersecurity protocols as simple as two-factor authentication.
“They’ve actually argued against training in some instances, where they’ve said, ‘don’t spend the money because it’s too expensive for training,’” he said. “Well, what’s the cost of not doing it?”
As recent history demonstrates, that cost can be as high as losing a major election, being embarrassed professionally by a leak of emails, losing valuable donor information, losing campaign money after it’s wired incorrectly to a nefarious individual, or having hacked strategic documents turn up online.
“To me, this is a disaster zone and we have to do triage,” said Franklin.
Eric Hodge, director of election security services at CyberScout, told C&E he agrees with Franklin’s assessment that the industry’s culture hasn’t adapted to the increased need for cybersecurity.
“In my experience, most of these kinds of issues where there’s some kind of an email incursion, it usually begins with some carelessness from the user,” said Hodge, who has consulted for states on election security. “Education and awareness is generally thought to be the best defense. If everybody can recognize when [attacks are] coming, they’re a lot easier to beat.”
He recommended “having a ‘white hat’ organization preemptively do this kind of testing — send out fake phishing emails and [report] on how many people you got to fall for it, and then do it again a month later.”
In addition to maintaining a “vulnerability management program,” Hodge also suggested campaigns, groups, and committees get the latest cybersecurity software, which in some cases can identify phishing attack emails.
“There are better and next-generation anti-phishing or anti-malware that can be part of the solution, too,” he said. “If everybody has their eyes open in the organization then you are less likely to experience the bad consequences of a phishing attack.”
Hodge said that the industry has come a long way in the past two years. “The awareness is improving and it’s improving quickly,” he said. “We’re miles beyond where we were before the 2016 election.”
What will ultimately push more widespread adoption, according to Brian Franklin: “Fear is the motivating factor here. We should all be really worried about our careers, our jobs, our candidates, and that should be driving our compliance.”