It’s a stark reality for campaigns: the threat of a cybersecurity breach is ever present, and that means the need to embrace better security protocols from top to bottom.
It ranges from the simple (things like enabling two-factor authentication and utilizing password management tools) to the more complex challenge of getting individual actors across organizations truly committed to ensuring their own security online.
Mike Sager, now the chief technology officer at EMILY’s List, was sounding the alarm on preparedness well ahead of the ’16 presidential cycle. C&E sat down with Sager to discuss where things stand before this year’s midterms and what individual campaigns and larger political organizations can do to improve the culture around security.
C&E: The industry has spent well over a year now talking much more seriously about the various cyber threats that campaigns and political organizations face. How prepared are we for them?
Mike Sager: I don’t believe it is ever truly possible to be as prepared as you’d want to be. In other words, there will always be more you can do, there will always be more steps you can take. There’s a joke in the cybersecurity space that the most secure computer is one that is unplugged, in a box, in a locked vault, in a safe. And even then you’re not totally sure that that’s completely secure. The security options have become much better, in general, from the big companies and the products they’re producing.
C&E: Where are the biggest gaps in preparedness?
Sager: Google recently said only something like 10 percent of their users are enabling two-factor authentication. Now, that was all of Google’s users, that’s not political-specific. But it’s sort of difficult for me, living and breathing this stuff 24/7, to reframe how I think about these things for everyone else because most of the people I know have turned on two-factor.
The biggest gaps are generally the folks who say, “I’m not important enough to be attacked,” or “I’m just running for this small office so I don’t have to worry about this stuff.” That is just not true. There is no marginal cost to an attacker, regardless of the reason they’re doing it, for phishing. Whether it’s someone who’s working for a foreign government or someone who’s just looking to make some fast cash, phishing is the way they’re going to do it.
C&E: How do we get campaigns or even individual political operators who may not be taking this seriously enough to care?
Sager: I think it is incumbent on everyone in this space to build a security culture. A lot of people are doing this already. The message has gotten through to a number of people in a way that I don’t think was the case prior to 2016, but we still have a long way to go. If you’re running a campaign, if you are a vendor, then people will care when you make them care. It’s a cultural thing. You wouldn’t open a campaign office with no locks on the doors, so why would you let your campaign run an email account without two-factor?
C&E: Let's imagine someone reading this right now has done very little in the way of thinking about cybersecurity for their organization or campaign. Where do they start?
Sager: So the first thing I’ll just call out is that the Belfer Center at Harvard has put together the cybersecurity playbook for campaigns. That is a great resource that outlines different steps folks should be taking. I also wrote a Medium post that some people have seen floating around that explains some of this as well.
The first place to go is email. Turn on two-factor authentication, at least using Google Authenticator, preferably with a security key. Google has an Advanced Protection program, which is a security key enforcement that locks down some of the API enforcement. So I strongly encourage every single person who works in this space to turn on Google Advanced Protection on their personal account.
Just as an important sidebar to this: personal accounts are just as vulnerable as corporate enterprise and organizational accounts. In fact, if you read the Mueller Indictment, you’ll see that, of the 8 accounts that were specifically called out for being compromised by the Russian intelligence agency, two were DNC, two were DCCC, and four were personal accounts. So turn on two-factor, and don’t use text messaging, as text messaging can be intercepted. Open SMS is inherently insecure. You would not want that to be the key that unlocks your entire infrastructure.
C&E: And the importance of passwords remains something that’s too often overlooked.
Sager: Once you get a really strong two-factor in place, the next thing I would say to everyone is to use a password manager and make sure you’re using strong and unique passwords for each site on the internet. Even if you aren’t ready to go to that step, you should at least make sure your email password, your social media password, and your computer password are all different and unique, and not used anywhere else on the internet.
C&E: Foreign interference is a legitimate national security issue and a real threat to our democracy, but it has turned into a partisan food fight. What sort of responsibility do individual consultants have here, and how can the industry collectively push for these issues to be addressed more seriously?
Sager: Every single person needs to make security their responsibility, whether they’re an intern or a candidate or a strategist. You can’t say, “Oh, this is the job of the digital person.” This is everybody’s problem. The entire organization, if it’s a company, if it’s a single person, no matter who you are, has a responsibility to take security seriously. And you have a responsibility to your clients, to your candidate, and to your staff to do that, so we all have to make this part of our culture. There’s nobody who’s off the hook.
C&E: Do political parties and individual campaigns need designated departments and staff solely dedicated to combatting these threats and ensuring preparedness?
Sager: The DNC has a chief security officer. His name is Bob Lord, and he’s awesome. And so, yes: I think you see a number of the big vendors have all brought in, or already had in many cases, security officers. It’s not like every single campaign needs to hire a full-time CSO, though some campaigns probably should. If you’re a presidential campaign, you should have a CSO. Beyond that, there are a lot of places where it falls into the job of other people. I’m the CTO here, but there isn’t a person doing that CSO job at EMILY’s List. Most orgs don’t have them, but the ones that are in that top line of fire definitely do.
For some campaigns, it’s going to make a lot of sense to hire security consultants; for others, it may not be necessary. If that staff is small enough and they’re implementing the right solutions, maybe you don’t need it, but that’s sort of a case-by-case kind of thing.
C&E: How does the industry as a whole move toward greater standardization when it comes to cybersecurity?
Sager: There’s some great work out right now from a group called the FIDO Alliance, which builds a standard for the security keys. Google has been doing a lot of stuff around this specifically, and the other vendors have it on their roadmap. You get the cheapest version of the device, it’s $20, and you can use it on Facebook, on Dropbox, on Gmail. It’s a physical device that plugs into your USB drive. I think we will increasingly see those standards adopted more widely.
I’m hoping, in general, there’s some recognition across our space that, say, today’s City Councilor is going to be a member of Congress, and then maybe will end up being a U.S. Senator. It’s just as important when you’re getting started to take this stuff seriously as when you’re already in that spot.