The recent security lapse in which Deep Root Analytics left 198 million voter profiles on the internet without any access controls, free for anyone to download, is a stark reminder that campaigns and consultants are still not taking cybersecurity seriously enough in the wake of the election-related hacks of 2016. One of the key problems, however, is the lack of good advice about what they should actually be doing to protect themselves.
Security awareness training
There are a few resources for free security awareness training, such as Stop. Think. Connect. at www.stopthinkconnect.org. Some key points of this training are aimed at the same threats seen in 2016. Many hacking attempts use deception and trickery to get users to compromise themselves, and vigilant users are the best protectors of their organizations. The DNC breach, for instance, relied on spoofing one of their vendors with a slight misspelling of a domain name (“depatrment” instead of “department”). Users who spot the deception won’t fall victim to the hacker.
The fake “Google password reset” email received by John Podesta was spotted by an aide, who asked trusted IT staff whether it was legitimate. Nothing more could have been expected of Podesta or his staff; they did what they were supposed to do. Their IT staff failed them.
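As an added example that is not from the original article: a small check of the kind IT staff could run over inbound mail, flagging sender domains that are only an edit or two away from a trusted vendor domain, which is exactly the “depatrment” trick above. The trusted domains and the sample From: headers are constructed for illustration.

```python
# Added example: flag sender domains that closely resemble trusted vendor
# domains. All domains and headers below are constructed, not real.
from email.utils import parseaddr

# Constructed allow-list of domains the campaign genuinely exchanges mail with.
TRUSTED_DOMAINS = {"department.example", "campaign.example", "vendor.example"}

# Constructed inbound From: headers to run the check over.
SAMPLE_FROM_HEADERS = [
    "IT Support <helpdesk@depatrment.example>",  # r/t swapped: lookalike
    "Ops <ops@department.example>",              # exact match: genuine
    "Admin <admin@canpaign.example>",            # m->n substitution: lookalike
    "Newsletter <news@unrelated.example>",       # nothing like a trusted domain
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition. Plain Levenshtein scores the r<->t swap in
    'depatrment' as 2 edits; counting the swap as 1 keeps such lures well
    inside a tight threshold without widening it for unrelated domains."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this sender imitates, or None if the domain
    is either exactly trusted or not close to any trusted domain."""
    domain = sender_domain.strip().lower()
    if domain in trusted:
        return None  # the genuine vendor
    for good in sorted(trusted):
        if osa_distance(domain, good) <= max_edits:
            return good
    return None


def flag_headers(from_headers):
    """Map each From: header to the trusted domain it resembles (or None)."""
    results = {}
    for header in from_headers:
        _, addr = parseaddr(header)
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        results[header] = lookalike_of(domain)
    return results
```

Any header mapped to a non-None value is worth holding for a human check before anyone acts on it; an exact match on the allow-list is the only case that passes silently.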
Get a trusted cybersecurity advisor
Not every campaign needs a highly paid cybersecurity professional on staff, though the national parties, presidential campaigns, and major vendors to those entities certainly do. The rest need someone they can trust to run issues by as they crop up, and to help them set things up securely when they first get started.
Treat emails and messages as records
Every campaign since time immemorial has had periods of high stress in which people vent. The reality of modern life is that whenever that venting is put into an electronic message, it becomes a record and can persist permanently. No amount of social media privacy tooling will keep those messages from getting out over the long haul.
Use two-factor authentication with social media and email
Most social media services and Gmail can require two-factor authentication to log in. Essentially, they send a text message to your phone or use an app to generate a one-time code that is needed to log in. Enabling it gives you two immediate benefits: if your password is stolen, your account is still protected from being accessed, and whenever someone (including a hacker) attempts to log in, you get a notification on your phone that it has occurred.
Require vendors to perform security assessments on their applications
Most modern campaigns use a variety of outside vendors for the applications the campaign requires: voter outreach, campaign finance, social media, and so on. For each vendor that has access to your campaign’s sensitive data, require proof of an independent assessment of their tools. For web-based and mobile applications, ask them to provide proof that a penetration test was performed and that their applications are secure.
Frequently update mobile devices and computers
Most attacks rely on the victim running out-of-date software with known vulnerabilities. Software companies constantly issue updates, many of which improve the security of the phone or computer. It may be annoying, but applying software updates consistently and promptly will help keep the underlying devices secure.
Recent events have shown that campaigns (and their vendors) have to take cybersecurity more seriously than ever. These steps are the bare minimum that any large campaign should take, and many of them don’t cost a thing. Doing so may mean the difference between a secure campaign and being the next top story in the cable news cycle.
John Bambenek is a threat intelligence manager for Fidelis Cybersecurity and was involved in cybersecurity investigations involving both presidential campaigns in 2016.