As a former government major, the first question I get asked is usually some variation of “who’s going to win in 2016?!” The second question: “How’d you end up in cybersecurity? What does cybersecurity even have to do with government?”
The answer, increasingly, is “everything.” After the recent data breach kerfuffle between the Sanders and Clinton campaigns, the connection has become clearer. It’s not just about policy now – it’s about practice. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud, and even political hacktivism. A recent study by Wakefield Research that examined American perceptions of the threat of political hacking shows that 64% of registered US voters believe it is likely that a 2016 presidential campaign will be hacked.
Calling the breach a “software glitch” or “data issue,” the media sought to make it a story of political intrigue and election drama. They’re not wrong: in today’s world, losing access to data, or data in the wrong hands, could spell defeat. But when “a vulnerability in the software was exploited,” it sounds a lot more like a data breach. While the fault for this particular breach lies with the company that Democratic National Committee had hired for its database, campaigns have access to all kinds of sensitive information and many potential threats.
So how well are campaigns protecting themselves? According to the Online Trust Alliance (OTA), the answer is… not well. The organization recently reported that 17 of 23 presidential campaign sites received failing grades on privacy, security, and consumer protections. While websites are just the “posters on the wall,” campaigns whose websites can be easily defaced, used to mislead potential supporters, or used as a pivot into the organization are most likely not paying much attention to data security. And with the level of personal data now collected by these campaigns – from contact and financial information to personal views on abortion, gun reform and other sensitive topics – securing data is more important than ever.
But here at Pwnie, we don’t just point out the problem: we want to give you solutions, like Kyle’s post on passphrases NOT passwords earlier this week. Yes, it’s difficult, if not impossible, to fully secure yourself, but a few simple steps will go a long way. Consider this a holiday gift for the campaigns themselves.
5 Ways the Presidential Campaigns Can Secure Themselves
1. Admin Rights and Rules.
Who has access to your data? To your computers? For that matter, to your candidate? A quick audit of the administrator privileges for all of your services (data, website, social media, etc) every couple of weeks shouldn’t take more than an hour and will help to reveal superfluous users and unnecessary access to potentially sensitive data.
If possible, whittle it down to the minimum number of people. I know that access is necessary for speed and flexibility, but a little creative thinking can go a long way. Have a higher-up who wants to post directly to social media? Great – but does she need the creds to every platform, or is she only ever going to post to Twitter? A newsletter that is written by two people but needs to be reviewed by twenty? Post an editable version somewhere outside of the email service and copy over to where it needs to be. It’s all about risk management and reduction (you’ll never get rid of risk entirely), but make sure you know what risk you’re accepting.
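The periodic privilege audit described above can be scripted so it actually happens every couple of weeks. The following is an added example, not code from the original post or from Pwnie Express: it assumes each service (voter database, website, social media, mailer) can export its user list into a simple CSV with service, account, role, last-login date and status columns, and it flags three things the audit is looking for: administrators who have not logged in for a long time, departed people whose accounts are still provisioned, and people holding admin on more platforms than they plausibly use. The export below is constructed sample data.

```python
"""Added example (not part of the original post): a lightweight audit of
administrator privileges across campaign services.

Assumed input: one CSV export per service, concatenated into a single
record set with the columns service, account, role, last_login, status.
The records here are constructed for the example."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed export covering several services. Dates are ISO (YYYY-MM-DD).
ACCESS_EXPORT = """service,account,role,last_login,status
voterdb,alice@example.org,admin,2015-12-20,active
voterdb,bob@example.org,admin,2015-09-01,active
voterdb,carol@example.org,viewer,2015-12-21,active
website,alice@example.org,admin,2015-12-19,active
website,dave@example.org,admin,2015-12-18,departed
twitter,erin@example.org,admin,2015-12-21,active
facebook,erin@example.org,admin,2015-06-02,active
mailer,frank@example.org,admin,2015-12-15,active
mailer,grace@example.org,editor,2015-12-21,active
"""

# Audit parameters (assumed values for the example).
AUDIT_DATE = date(2015, 12, 22)   # "today" for the audit run
STALE_DAYS = 60                   # admin unused this long is suspicious
MAX_ADMIN_SERVICES = 1            # admin on more than this many services


def load_records(text):
    """Parse the CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, today=AUDIT_DATE, stale_days=STALE_DAYS,
          max_admin_services=MAX_ADMIN_SERVICES):
    """Return (findings, admins_per_service).

    Each finding is a (kind, service, account) tuple; the service is "*"
    for findings that span several services."""
    findings = []
    admins_per_service = defaultdict(list)
    services_with_admin = defaultdict(set)

    for r in records:
        service, account, role = r["service"], r["account"], r["role"]
        last_login = date.fromisoformat(r["last_login"])

        # Anyone no longer with the campaign should have no account at all.
        if r["status"] != "active":
            findings.append(("departed-still-provisioned", service, account))

        if role == "admin":
            admins_per_service[service].append(account)
            services_with_admin[account].add(service)
            # An admin who has not logged in for a long time probably does
            # not need the privilege (or the account has been abandoned).
            if (today - last_login).days > stale_days:
                findings.append(("stale-admin", service, account))

    # Admin on many services is exactly the "creds to every platform"
    # situation: worth a conversation about whether each one is needed.
    for account, services in services_with_admin.items():
        if len(services) > max_admin_services:
            findings.append(("multi-service-admin", "*", account))

    findings.sort()
    return findings, dict(admins_per_service)


def run_example():
    """Run the audit over the constructed export and return the findings."""
    findings, admins = audit(load_records(ACCESS_EXPORT))
    return findings, admins


if __name__ == "__main__":
    findings, admins = run_example()
    for service, accounts in sorted(admins.items()):
        print(f"{service}: {len(accounts)} admin(s): {', '.join(accounts)}")
    print()
    for kind, service, account in findings:
        print(f"[{kind}] {service} {account}")
```

Run it as-is to see the report; in practice the `ACCESS_EXPORT` string would be replaced by reading the real exports, and the thresholds tuned to the campaign. The point of the script is not the heuristics themselves but that the list of who-has-admin-where gets produced and read on a schedule, so superfluous access is noticed rather than accumulating.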
2. Train personnel on how to avoid becoming a conduit for attack.
This is a major undertaking that many very secure organizations haven’t been able to accomplish, and I can only give you a limited list in a summary post like this one. Luckily, you (campaigns) already have one major advantage: your personnel actually care. They wouldn’t be there working for you if they didn’t care about the campaign, so it’s vital that you remind them that they, personally, could be the end of the campaign if they don’t pay attention to their cyber hygiene.
- In this category, the top reminder is “passwords, passwords, passwords.” When the European Space Agency is using three-character combinations as passwords, it’s clear that we haven’t gotten to a point where everyone knows to use good passwords.
- Give them someone to talk to if they suspect something is up. Do your personnel know who to talk to if they’ve seen anything suspicious? Do they have someone to tell when they receive a suspicious email? Create a system of reporting so that helpful employees can be helpful.
- Public WiFi is dangerous! If cellular dongles or hotspots are not an option, remind them to be careful with what is sent (or logged into) via public WiFi.
- Install AntiVirus. Though many have claimed “the end of AntiVirus,” there’s no excuse to not protect yourself when there are excellent free options available.
- Remind them, too, that even their personal cyber safety can affect the campaign. A few simple steps might save them – and your campaign – a world of worry.
3. Be aware of the hardware.
We’ve said it, and we’ll say it again: hardware is another way into your organization. With the rise in the number of devices – both given out by the organization and brought in by employees and volunteers – the number of potential beachheads has skyrocketed. Without getting into the threats posed by the Internet of Things, start by asking yourself a question: what happens to any hardware provided by the campaign after an individual leaves, or the campaign is over? Is it wiped? Do you know what your volunteers are using on the campaign trail, and do you know if they’re leaking data?
4. Vet any third party providers.
NGP VAN’s claim on their blog that they “played no part in the October data issue that has been mentioned” is true in the sense that they did not help any campaign to download or export any data, but as with any third party data breach, their vulnerability led to the release of sensitive information. What other third party providers are you using? Do they value data protection? For most services, you have options: data security should rank right up there with price as an important deciding factor.
5. Use virtual private networks (VPNs).
While this might be a little more advanced than the previous suggestions, it isn’t as difficult as many might think. With many inexpensive VPN options available today, there’s no reason not to protect your sensitive communications by putting them on a private network.
This is only a preliminary (and cursory) overview, but as two more campaign staffers were just let go in light of the recent scandal and the race becomes even more contentious, these little things make a big difference.