How Should Political Campaigns Deal with Information Security?

Information security needs to be one of any political campaign‘s highest priorities, but making relatively cheap, simple changes are within nearly every campaign’s reach.

2016 should have changed the way political campaigns think about their information security, but not everyone knows what to do. It would be a pity if the ability to properly secure information was simultaneously expensive and necessary for successful campaigns, limiting potential candidates and campaigns to wealthy or connected people. Fortunately, nearly any campaign should be able to afford and implement sufficiently robust cybersecurity to protect itself from outside interference, by following a few simple steps. Most important is empowering members of the campaign to ensure their own information security, and holding them accountable for their information security.

Any contemporary campaign should follow the following steps, and campaigns failing to do so are being irresponsible, or incompetent.

  • Appoint and empower a capable individual responsible for information security
  • Retain the services of a reliable information security firm to monitor, probe and investigate information security
  • Purchase a corporate password manager (e.g. Lastpass, not sponsored) and require all members of the campaign to use a password manager for all their passwords
  • Purchase a corporate email system with end-to-end encryption and 2FA, and require all members of the campaign to use it for any campaign related email
  • Encrypt all campaign documents, and store all documents on encrypted drives
  • Provide all campaign workers with information security training, and summarily and publicly dismiss any worker who fails to maintain information security hygiene

Information Security Manager

The information security manager should be someone the candidate/campaign organizer trusts, but must also understand information security. The information security manager must be empowered to remove people from the campaign who are security threats, work directly with law enforcment, and stop activities that are hazardous to information. Consequently, the information security manager will necessarily be very powerful and important within a campaign, roughly equal to the campaign manager. The further down the chain the information security manager is, and information security issues are, the higher risk of infosec violations will become.

Information Security Firm

Just like organizations should have external audits for finances, they should have external evaluation and monitoring for information security. Security firms keep abreast of evolving threats as their job, in a way internal infosec specialsts cannot. If a crisis arises the firm will be better positioned to respond if you have been working with them already, and having an integrated defense in place makes a crisis less likely.

Password Manager

The single greatest threat to information security is password reuse, and the best way around password reuse is a password manager. If you use the same password and (heaven forbid) username on bestbeaniebabies.com and the campaign servers, when bestbeaniebabies.com gets compromised, the thieves also have access to your password for the campaign. Good password managers, of which there are many, use robust encryption and only you have the key, making compromise nearly impossible, but allowing you to have a different password on every site. If you really want to get high tech, you can even provide generate passwords as answers to your security question, making the “Guccifer” technique also impossible.

Two-Factor Authentication

Two-factor authentication, properly implemented, makes stealing access much harder. It is possible to get around 2FA, but very difficult, and essentially impossible with the scattershot approaches that make up the majority of attacks. With 2FA even if a threat actor has your password they cannot get access to your account without access to your second factor. Even in the worst case, this buys you time to reset your password, and in practice it makes phishing much harder.

Encryption

Even if a threat actor gains access to your files, it will do nothing for them if the files are encrypted. Encryption also defends against interception over networks. Encryption can be cracked, but only with difficulty.

Responsibility and Accountability

Far too many organizations treat information security failures like forces of nature, and not the result of poor decisions. No information security rule will cover all situations; sometimes the best solution will be to send a message unencrypted, and putting rules in place that make it impossible for responsible people to make responsible decisions when appropriate makes it more likely that circumstances will coerce them into making less secure decisions. But you must hold people accountable for the decisions they make, so that they appropriately weight their choices, and so you can eliminate people who are irresponsible.

Put another way, if a campaign tried to reduce waste by forbidding use of campaign vehicles for anything other than travel to and from campaign sites, then when an emergency arose, the staff might spend even more money on a taxi. However, if you let staff use vehicles however they wanted, and did not fire the staffer who took the vehicles to the strip club you are courting disaster.

What’s not on the list

Many other techniques will further improve security if campaigns want to use them, and campaigns in high-risk environments may wish to use them, although with additional cost. VPNs are excellent ways to control access and defend against surveillance. Using code words to refer to important issues and locations can reduce standard surveillance. Fresnel lenses on screens reduce opportunity for simple “over-the-shoulder” observation. Honeypots can make it more difficult to determine which data are correct.

I’m happy to talk threat environment with anyone interested, but I recommend the basics because, while the cost of entry is initially high, maintenance is relatively low. I have heard from many people that “this is just so hard!” I imagine that going through and substituting Yale locks for old-timey skeleton keys was initially hard, too, but no one thinks a thing about having them now. The same is true with the basic security steps I recommend. With just a few appropriate people in place, the kind of people necessary for any organization today, and the right tools for people to use, it is actually easier in most cases to meet basic security standards than to operate insecurely. It is certainly easier than dealing with an unfortunate information leak.