The election ecosystem is a prime target for cybersecurity threats, and the 2022 United States Midterm election cycle has been no different. Though many security improvements have been made in recent years, bad actors continue to become more sophisticated in gaining access to private information – often through phishing attacks. Officials in charge of elections need the strongest possible IT security to ensure voter registration databases, voting infrastructure, election night reporting, and other critical systems are protected.
As we near the runoff election in Georgia on December 6, individuals involved in the campaigns should expect more vigorous phishing attacks, data theft, ransomware, and disinformation efforts. While legions of cybersecurity professionals work around the clock to protect our democracy, it’s important to be vigilant to defend against foreign adversaries or domestic actors who seek to tamper with election outcomes. However, the truth of the matter is that the role of election security extends beyond political organizations and there are many ways to help in the ongoing battle. This includes simple steps such as adoption of modern multi-factor authentication (MFA) and phishing-resistant MFA tools like the YubiKey.
To better understand the threats that political organizations and candidates face leading up to, during and following elections, as well as the actions they can take to stay secure, we recently sat down for a Q&A with Michael Kaiser, president and CEO of Defending Digital Campaigns (DDC). At DDC, Michael leads efforts to improve the cybersecurity of campaigns and political organizations. He has worked in cybersecurity and privacy for over 14 years and was previously the Executive Director of the National Cyber Security Alliance (NCSA), a public-private partnership working with industry leaders, government officials, and civil society.
DDC is a nonprofit C4, nonpartisan and non-aligned organization providing access to cybersecurity products, services and information regardless of party affiliation. DDC’s efforts include providing free and low-cost cybersecurity products and services to DDC-eligible entities, and bringing training broadly to candidates, campaign staffers, and political organizations. In 2020, DDC directly helped more than 185 campaigns and has given away more than $2 million in products.
Check out the full Q&A with Michael below.
Campaigns are quite different from other kinds of organizations and enterprises that most cybersecurity professionals work with on a daily basis. How do campaigns differ and what challenges does that raise?
Campaigns do not typically operate in the same way traditional enterprises and most cybersecurity professionals do. Campaigns are small, exist for a short period of time, and are singularly focused on one outcome: winning. That focus on winning means that anything that distracts from that mission will not be a priority. Unfortunately, sometimes cybersecurity is seen as distracting.
Another stark difference cybersecurity professionals would find is that campaigns are what I like to call “squishy” perimetered organizations. Candidates can have family members, close confidants, people raising funds, and others with access to sensitive information, and all are potential targets. All these factors pose significant challenges in not only getting cybersecurity adopted by the campaign itself but also ensuring that people around the campaign are protected as well.
Let’s talk about the people who work in the political sphere. I know we generally consider people in politics – not only campaigns but the space generally – at higher risk. Can you describe which people specifically, and why they are at higher risk?
At DDC we say, “if you work in politics you are at higher risk.” They are at higher risk because they are targeted by more bad actors than most. The stakes are higher and the impact of a compromise can be larger.
In addition to cybercriminals, people working in the political space can be targeted by nation states who see America as a threat as well as hacktivists who don’t want a candidate or certain ideas to prevail. These bad actors will target people via work and personal accounts. They understand that there is a thin line between the two – if any line at all.
Since there are high levels of connectivity between people in the political space, people can be targeted to gain access to others. For example, a bad actor may target vendors to reach campaigns or target officials in state parties or other organizations to reach campaigns. This creates a heightened risk to people and organizations throughout the sector.
Though we’re past the 2022 midterm elections, we’re now coming up on the runoff election in Georgia on December 6. Cloudflare provided stats last year that found the days leading up to elections are the riskiest time for campaigns as they face an increase in cyberattacks. What can campaigns do right now to increase security in the closing days leading up to the runoff? Given the challenges you have outlined in the nature of campaigns, what does DDC do to help campaigns be more cyber secure?
Under our Federal Election Commission Advisory Opinion, DDC can provide free products and onboarding support to federal campaigns and committees (Presidential Campaigns, US House and Senate Races and committees like the DNC and RNC). DDC focuses on a few high-impact steps that are easy to implement that campaigns can take to be better defended.
Because account compromise remains the number one threat, we always recommend that campaign staffers and those associated with campaigns adopt the strongest authentication possible on campaign and personal accounts. Therefore, our top recommendation is always the adoption of phishing-resistant solutions, including security keys like the YubiKey, which Yubico provides at no cost through their Secure It Forward program. Additionally, we recommend turning on extra protections like Google’s Advanced Protection Program or Microsoft’s AccountGuard program. The flexibility of security keys also allows accessing greater protections on other highly used platforms like social media.
We also encourage the implementation of a password manager for additional account protections. We see websites as a significant vulnerability. Defacements, DDoS attacks, and content changes are ways in which bad actors attempt to disrupt campaigns. Another product we offer is Cloudflare for Campaigns. We handhold, as necessary, the implementation of these products through our onboarding support.
You’ve talked about the importance of collaboration for campaign security in the past. Can you share your thoughts on collaboration within campaign security, including great examples of collaboration now and improvements that can be made on this front in the future?
In my experience, collaboration is one of the most essential aspects of cybersecurity. The internet and our online world is a shared environment and no one person, public or private entity, or organization can secure everything or everyone. We need to work together.
DDC was founded on the concept of collaboration. We need to work hand-in-hand with industry and stakeholders in the political sector to achieve our mission. At DDC, we work with companies like Yubico, Google, Cloudflare, and Microsoft that are committed to securing democracy and high-risk users. We also work with national committees like the Republican National Committee and the Democratic National Committee.
There are many complexities in reaching and serving campaigns in this space including campaign finance laws, difficulty conducting outreach, and providing onboarding assistance. By working in collaboration and building on trust, we can overcome many of these challenges.
Although it’s critical to ensure security is tightened leading up to and during elections, election security for campaigns and politicians is an ongoing battle — whether they’re in office or a candidate preparing to run for another future election. What are some top security tips and best practices you can share for the “off” times between elections, including next year?
It’s extremely important that campaigns take the steps to close down with cybersecurity in mind and maintain security between elections. A few tips are:
- Secure and store credentials (logins and passwords) to key accounts and services in a safe manner using something like a password manager. Make sure a trusted person has access to administrative accounts so that when the next campaign spins up the team is not locked out.
- Delete users and consolidate data. Any user accounts not needed in the interim (for example, email accounts of departing staff and volunteers) should be deleted. A dormant account is a prime target for bad actors since if they are able to gain access, no one may notice. Save any needed documents to an active user account before deleting.
- Keep websites secure between campaigns. This can include making sure you have protections from DDoS attacks in place (like Cloudflare’s free product available to everyone). Additionally, be sure that you continue to pay for the domain so it doesn’t expire and let someone impersonate the campaign. It’s also important to keep your certificates up to date. Certificates authenticate a website’s identity and enable an encrypted connection.
- Remove access to social media. You may have shared a password or added people to social media accounts during the campaign. Remove people and change passwords as needed, and also remove campaign data from personal devices.
As we’re coming up on the end of the year, what are some things around election security you’re concerned about for next year? Are there any things you’re optimistic about?
I think more in terms of election cycles than years. In 2024, in addition to a presidential election, there will be 11 gubernatorial races, 86 of the 99 state legislative chambers will be up for election, and 33 Senate seats and the entire US House will be on the ballot. In cybersecurity terms, that’s a large attack surface that’s hard to defend.
Given what I mentioned earlier about how campaigns differ from other organizations, there is a significant challenge ensuring we protect this most essential element of our democracy. It will take a concerted effort by a wide range of stakeholders to help campaigns defend against cyber threats.
Even in the face of the challenges, I remain hopeful we can rise to the challenge. In the few years that DDC has been in existence, I’ve seen growing awareness among campaigns about the need for cybersecurity. We have a strong cadre of companies willing to help with products and services, and as time goes on I expect cybersecurity will be more built into products and easier to implement.