Two rules of cybersecurity and the campaign industry may extend into 2024, according to experts.
One rule is that all U.S. campaigns and their vendors are considered “high-risk” targets. And two, consultants are resistant to deploying cybersecurity protocols, although that’s beginning to change.
“I think you’re always going to see resistance in our space,” said Lyman Munschauer, an EVP at Targeted Victory.
Munschauer, speaking at C&E’s recent CampaignTech Innovation Summit in DC, recalled how he’s started to embrace cybersecurity measures like Google’s Titan Security Key or YubiKeys. He credited Defending Digital Campaigns (DDC), a non-partisan, non-profit group that provides cybersecurity support to federal campaigns, with helping change the industry’s recalcitrant culture.
“Their stuff is generally free, almost exclusively. It’s pretty simple stuff … if you run a good campaign already and you can just kind of piggyback off the top of it,” he said. “You run into resistance, but I do think people are really buying into it because they do see the effects when it goes south.”
Generally, that going “south” has resulted in big financial losses as state parties and campaigns have gotten phished and wired large payments mistakenly to cyber criminals. These attacks are anticipated to increase as even more money flows through campaigns in the presidential cycle next year.
It’s that vendor-client relationship — as well as the prevalent use of personal emails while doing political business — that are partly why Google considers both campaigns and consultants “high-risk” users of its tools.
“The vendors that they work with, the ecosystem, the donor ecosystem, all of that … we call high-risk users,” said Grace Hoyt, who’s on the Safety and Security Partnerships, Privacy, team at Google.
Part of the reason why practitioners and firms are so easily targeted is because they’re listed on public FEC reports, which allows cyber criminals to map the relationships between campaigns and their vendors. In fact, Munschauer recalled how he was recently targeted with a phishing email that appeared to come from a pollster he knew.
“The only reason I realized it wasn’t him was because of the signature at the bottom didn’t sound like him,” he said. “That’s where these are getting more and more sophisticated.”
These cyber attacks on the industry are relentless because they’re launched by different groups for different reasons. “They’re playing a long-term game,” said Jude Meche, chief information security officer at the DSCC.
“Sometimes they’re going after the people in and around campaigns in order to influence elections, to pick the candidate of their choice or to go against the candidate that they don’t align with.
“It can be just to sow discord in our democracy. If democracy sort of stumbles, they win.”
But they can also be just a “cash grab,” Meche added.
“They are looking to to fund their operations, to fund their nations. It’s an added benefit that they can knock countries they don’t align with down [and] they can steal money in and around the campaign process.”
