Campaigns need to practice — not just preach — stronger digital security
You are not alone if you feel we’ve lost the plot in ensuring the protection of our next election from the cyber-shenanigans that plagued the 2016 Presidential Election and the 2018 mid-terms. It’s hard to ignore news that continues to surface about how deeply-rooted interference was in 2016, with attacks on election systems in all 50 states among the most recent revelations. And in written and verbal testimony now, Robert Mueller has said in no uncertain terms that interference from foreign adversaries is very real and that efforts to meddle in 2020 are already underway.
Gridlock in Congress means we can no longer afford to wait on federal regulations for real action. Instead we believe every campaign — in every party and at every level of government — must take the proper steps to ensure its own protection. The Russian interference in 2016 should be the only reminder that any campaign needs. And while candidates may be talking about broader election security issues, they need to get their own houses in order as well. So far, that doesn’t seem to have happened.
Only about half of the Democratic presidential campaigns will confirm that they’ve implemented even basic cybersecurity measures. The silence may be intended to avoid revealing anything about security strategy, but independent research that found holes in basic security tasks of the majority of the campaigns does not instill confidence.
Like many professionals that have worked for and protected some of the largest organizations in the public and private sector, we’re concerned for the security of our elections because we’ve seen how persistent and disciplined attackers can be, and we know the challenges they pose. These challenges are especially acute for an organization like a presidential campaign that often starts small, with limited resources, and can become very large and very dispersed very quickly. But when it comes to cybersecurity, these early days can be the most important.
Cyber attackers play the “long game” and — once they have even the slightest foothold in a campaign — they can move slowly and methodically towards their ultimate goal, whatever that may be, waiting for the most opportune moment.
From an attacker’s perspective, it’s much easier to breach a fledgling campaign, before its digital defenses are fully in place. And when it comes to the presidential race, as we get closer to identifying the two main party candidates, the tasks of an attacker will only get more difficult as the Secret Service, FBI and other federal agencies get involved.
National political campaigns should assume the worst can, will or has already happened (even if they just may not know about it yet). This is a mindset they should hold from the first day a candidate declares their run for office, if not sooner. And for most of the two-dozen presidential campaigns, that day was months ago. If they’re just realizing this now, they have a lot of catching-up to do.
It may sound far-fetched to think that an attacker could start by compromising someone even remotely related to a campaign — say, a staffer’s girlfriend’s parent — and then work their way into the inner circle. But for people who understand cybersecurity, this isn’t far-fetched at all.
Attackers are very sophisticated and persistent. And if they’re state-funded, there’s a low likelihood of flat-out stopping them.
Like most organizations that are well-poised to protect themselves, campaigns must embrace this truth and be ready to act quickly and transparently in the event of an incident. They need to test their processes and procedures and integrate security into the core of their campaign. And they need to find attackers early.
Implementing strong security doesn’t always start with expensive investments or advanced technical know-how. It’s just as important to integrate cybersecurity into organizational processes and think about it in a similar sense to how threats are gauged in the “real world.” This starts by auditing the attack surface, the people who are connected to the person at the center of the campaign (i.e. the candidate), and understanding who might target them and why. A solid understanding of this environment makes it possible to develop “circles of trust” and normal access and communication protocols. Only then will a campaign be able to detect behaviors that might indicate a breach or abnormal activity — like that attack that may originate through a staffer’s girlfriend’s parent.
With the large number of candidates running for president in 2020, the potential attack surface is bigger than ever. Anything can happen between now and election day, so it’s important for every campaign to get serious about cybersecurity. It’s not hyperbole to say that our democracy depends on it.
Rich Noguera is chief information security officer at the payments company Yapstone, and former chief information security officer at GAP Inc.
Rahul Kashyap is CEO of the cybersecurity firm Awake Security (@AwakeSecurity) and has worked on cybersecurity initiatives with the Defense Information Systems Agency, Department of Defense, and several other government agencies. Follow him on Twitter @rckashyap.