As new threats emerge ahead of this year’s midterm elections, cybersecurity pros are trying to preach preparedness to political campaigns and organizations.
Given the size of the threat surface in the political industry, cybersecurity will be one of the big topics on the agenda at this week’s CampaignTech East Conference. So ahead of a talk he’s giving this Thursday, C&E spoke with Matt Ashburn, former CIA officer and newly minted Chief Strategy Officer of Langley Cyber, about the state of play in campaign cybersecurity.
C&E: The threat surface in the campaign industry is huge, but what are the ones that folks in the industry should be most concerned about?
Ashburn: The threat surface is large for nearly any organization, but campaigns have a unique combination of risks and challenges: dispersed and traveling workforces, high tempo and urgency of operations, fewer resources for IT, and less awareness of cyber threats. These factors can create a nightmare scenario for an adversary to exploit.
C&E: Paint a picture for me. You’re a political campaign this cycle. What’s the nightmare scenario?
Ashburn: The nightmare scenario can vary depending on the motivation and intent of the adversary. Hacktivists or opponents may attempt to obtain access to internal campaign information for purposes of public disclosure or competitive advantage. Information disclosed without context may appear unfavorable and embarass or disadvantage the candidacy. And nation-state actors may gain access to sway an election, sow distrust among voters, or gain valuable insight into US policy while it’s in the early stages of development.
C&E: I think part of the problem with cyber preparedness is that it almost seems too big to address. Burst that myth for me. What can folks in the industry do right now, this week, this month to really up their cyber resilience?
Ashburn: The top things to have an impact? It varies from end user to campaign leadership. If you truly want to protect your candidate or organization’s goals, I’d suggest two things for the everyday user. First, enable multi-factor authentication on all online services to prevent unauthorized access and beware of emails with a sense of urgency containing a link or attachment. If a message invokes a desire to rapidly click or open an attachment, be extra cautious — most compromises begin by users clicking a malicious link or attachment.
Second, if you’re in a position of authority in a campaign, emphasize good cyber hygiene and awareness from day one at in-processing and continually lead with a security-first mindset. Once a campaign is up and running with so much incoming day-to-day, it can be difficult to catch up on security without those foundations, especially with a dispersed staff.
In addition, don’t be afraid to ask for help. Most campaigns don’t have or require a full-time CISO, but it’s important to have experts engaged to assist well before a cyber incident occurs.