From phishing attacks and social engineering schemes to the threat of nation-state hackers, protecting digital accounts and assets should be a top priority for political strategists through Election Day.
Last week, C&E hosted a conversation on dealing with the heightened risk of cybersecurity threats between now and November, headlined by Michael Kaiser, CEO of Defending Digital Campaigns, and Grace Hoyt, who heads privacy, safety and security partnerships at Google.
The big takeaway for political professionals: the threats are closer than many of us think, and anyone working in the campaign space should consider themselves a high-risk user and a potential target for hackers and other bad actors. More importantly: It’s never too late to put stronger security measures into place and create an incident response plan that would be deployed in the event of a breach.
Here are six strategies our cybersecurity experts recommended putting in place at all levels of your campaign or political organization.
1. Prioritize Strong Account Security
In this environment, it’s critical to get the basics right and that starts with prioritizing strong account security. From candidates to staff to volunteers to vendors, anyone working in the orbit of a campaign is now a high-risk target.
The bare minimum: securing accounts with multi-factor authentication (MFA). However, not all MFA is created equal. Campaign staff and consultants should ideally be taking advantage of passkeys, which are passwordless and provide encrypted access that’s difficult to breach.
Google’s Advanced Protection Program is a free service designed for high-risk users, particularly campaign staff. Hoyt recommends campaigns at every level take advantage of it to help secure both the personal and work accounts of staffers.
2. Be Vigilant When It Comes to Phishing Attacks
We all know that phishing is a serious threat, and breach attempts are only getting more sophisticated. Phishing emails can compromise individual accounts, which hackers then use as entry points into the larger campaign. But it’s important to realize, Michael Kaiser emphasized, that such threats aren’t limited to email—social media, texts, and even trusted vendors can be used to deceive campaign staff into sharing credentials or sensitive data.
One of the more common things Kaiser said he has heard this cycle: breaches originating with campaign vendors that result in an email to the campaign that may say something like, “‘Pay this invoice today and get 10% off.’ Or one that’s spoofing your boss and it says, ‘I promised we’d pay this invoice today. Pay it now’ … Those are the types of things I would tell people to be on the alert for.”
To minimize the threat of phishing:
- Train staff to identify phishing attempts across all communication channels.
- Stress the importance of questioning suspicious emails, texts, or links.
- Use anti-phishing tools like Google’s Project Shield, which helps campaigns guard against distributed denial-of-service (DDoS) attacks that could disrupt campaign websites at critical moments.
3. Prepare for Attacks as Election Day Nears
As Election Day approaches, the likelihood of cyberattacks increases. Hackers will try to create chaos by targeting websites, spreading misinformation through social media, or attempting to hack into financial accounts. These threats are particularly pronounced in battleground states and highly competitive races.
Kaiser noted that response planning is essential. Campaigns should not only focus on preventing attacks but also have plans for how to respond if one occurs. This includes:
- Identifying key team members who will lead any incident response.
- Creating backup systems for critical functions.
- Ensuring websites and communication platforms are secured against potential DDoS attacks that could take them offline when voters need key information.
Cybercrime is also a serious emerging threat for political campaigns, said Kaiser, who noted several incidents this cycle of campaigns having funds hacked and stolen that have gone unreported. Given the calendar, he said, “we’re entering the most dangerous moment [for campaigns] right now.”
4. Engage with Vendors on Cybersecurity
Third-party vendors who manage campaign data or provide digital services can be weak links if they are not taking cybersecurity seriously. Campaigns should engage vendors in discussions about their security practices and ensure they follow strict protocols. Key questions to ask vendors include:
- What MFA methods do they use for their staff?
- Do they have a cybersecurity incident response plan?
- How do they secure campaign data and prevent unauthorized access?
Kaiser advised that campaigns consider including cybersecurity expectations in their contracts with vendors and be prepared to move to another vendor if they feel their concerns are being brushed off.
5. Foster a Culture of Cybersecurity Awareness
Building a culture of cybersecurity awareness within the campaign or political organization is vital to ensuring everyone—from entry-level staff to top strategists—remains vigilant. Campaigns should emphasize that reporting suspicious activities is critical and create a non-punitive environment where staff can report potential issues without fear of blame.
In the weeks before Election Day, campaign staffers and consultants will be working at maximum capacity, potentially making it easier for bad actors to breach their targets. The worst thing a campaign or organization can do is create a top-down culture with disincentives for owning up to a mistake. If a staffer does end up clicking on a suspect link in an email or text, the damage may be compounded many times over if they don’t feel like they can immediately bring it to the attention of leadership, said Kaiser.
6. Plan for Post-Election Cybersecurity Risks
Even after Election Day, cybersecurity risks persist, especially if races remain too close to call or are headed for recounts. Expect hackers to attempt to exploit this post-election period by spreading false information, targeting websites, or trying to access internal communications.
Political campaigns in 2024 face an unprecedented range of cybersecurity threats. From phishing and DDoS attacks to nation-state hackers, the stakes are high. By implementing strong MFA protocols, securing campaign and personal accounts, planning for cyber incidents, and engaging vendors in security discussions, campaigns can reduce these risks.
As Hoyt put it, “There’s no better time than today to think about this.” Taking steps now ensures that campaigns are prepared for whatever cybersecurity threats come their way in the critical weeks ahead.