There is little surprising in reports of Russian hackers penetrating the Democratic National Committee’s computer network and accessing the party's opposition research file on presumptive Republican nominee Donald Trump. The 2016 campaigns and other political groups have been in the sights of hackers for months. In March, the hacktivist group Anonymous declared "total war" against Trump.
The DNC hack, which began almost a year ago, was the work of two groups of Russian hackers that have targeted U.S. institutions before, according to the Washington Post.
It’s a stark reminder that campaigns and committees need to start taking cybersecurity more seriously, and it likely won’t be the only reminder campaigns will be treated to this election cycle.
Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals: credit card numbers, bank account information, addresses, online identities. The assets go on and on and cybercriminals are just like bank robbers in the old days: they follow the money.
In the DNC hack, the perpetrators accessed opposition research and monitored the committee’s internal email and chat communications. But the risk that financial data could have been accessed is real.
So if you’re on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you could potentially lose your supporters, donors and even the election.
Here’s what campaigns need to do: Make it as hard as possible on cybercriminals by storing donor details on a completely separate domain name, with user IDs and passwords separate from the campaign’s. For example, your campaign domain might be VoteSallySue.com, but donor details could be stored at MustProtectDetails.com.
Using that same practice, run all of your internal communications on a domain name that's not the campaign name: email addresses shouldn’t be henry@VoteSallySue.com but rather henry@MustProtectDetails.com.
Increase the level of protection for internal messages by using encrypted messaging platforms such as Signal or Threema for internal communications. Also, be sure to encrypt all of your campaign’s donor data. We have yet to hear a report of a campaign’s donor data being hacked, but we will, of that I am sure. It’d be too lucrative not to try.
Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank, or organization that has recently been hacked.
Your organization must also be sure to train technology and campaign staff to spot spear phishing emails and scams. Oh, sure, you think everyone knows not to “click on that link,” but recent studies show that doing just that is the number one cause of breaches among employees.
Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don’t you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. You want your supporters to feel the same way.
Finally, post a privacy policy that’s easy to read and easy to find, and you’ll find voters may just have more confidence in your agenda.
Theresa Payton is president and CEO of Fortalice Solutions, a cyber-security consultancy, and co-founder of Dark Cubed, a technology startup. She served as White House chief information officer under President George W. Bush.