Campaigns likely first noticed the distributed denial of service (DDoS) attacks on Dyn last Friday when their Twitter feeds slowed or the Airbnb booking they were going to make for a surrogate stopped loading.
The attack against Dyn, a kind of “phone book for the Internet,” was felt across the United States on websites ranging from Reddit to the New York Times. The company called the incident a “highly distributed attack involving 10s of millions of IP addresses” and its chief strategy officer warned there are likely more to come.
Bruce Schneier, an internet security expert, has made similar warnings. In a recent essay, he wrote: “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.”
It may be difficult for campaigns to contextualize in a cycle where hacked emails are routinely published, and organizations ranging from the Clinton campaign to the Democratic National Committee have fallen victim to cyber attacks.
So how concerned should this incident make campaigns, and how can they best protect their digital assets ahead of Election Day? C&E asked Gabe Hammersmith, the CTO of Revolution Messaging, to put it in perspective.
C&E: Should campaigns be worried by the Dyn DNS attack?
Hammersmith: Yes. But only so much as they worry about other catastrophic events beyond their control, like natural disasters or terrorist attacks.
C&E: Can campaigns take any lessons from Bruce Schneier's warning that some person or group is learning to take the internet offline?
Hammersmith: Friday’s attack on Dyn could be considered a proof-of-concept for Bruce Schneier’s warnings. It was absolutely massive, truly historic in size and scope, but still a long way from taking the internet offline.
So far we haven’t seen any evidence to suggest that any evildoers have both the resources and the desire to successfully pull off such a caper, but these events should serve as a reminder to campaigns that our data in “the cloud” isn’t as omnipresent as we’d like to think. Campaigns should work with an IT professional to map out a disaster recovery plan, and that plan should explore questions such as, “what do we do if the internet is out for an hour, or a day, or a week?”
C&E: What can campaigns do to protect themselves?
Hammersmith: For protection from garden variety DDoS attacks, the best thing a campaign can do is utilize a vendor who provides DDoS protection services. For larger events such as Friday’s attack (where a DDoS protection vendor was targeted), a campaign can retain the services of an IT professional who has a deep understanding of internet services, infrastructure, and routing. This individual would be able to use that knowledge to quickly react to new and unprecedented threats and outages, and minimize the collateral effects to the campaign.
C&E: Do these cyber attacks reinforce how old school tactics like paper lists could still be useful?
Hammersmith: In my opinion, keeping paper lists on hand is akin to illuminating an office with gas lamps to protect against a power grid failure. Keeping paper lists around comes with its own security risks. Old school tactics can still fall prey to old school dirty tricks, which often do not require the technical expertise necessary for a cyber attack.
Keep in mind that I’ve also advocated for paperless offices throughout my career, so my bias might be showing. Instead of paper, I would encourage campaigns to think twice about where they are storing and backing up their most prized digital assets. In many cases, this can be as simple as keeping a local on-site backup of data that’s typically stored and accessed in the cloud.