I recently had the opportunity to participate in a panel on cybersecurity in the context of upcoming Bolivian elections. (Check out the video if interested!) One thing I took away from this event was that in the cyber world, the challenges parties face are universal.
I’ve been in this world for quite a few years. I’ve worked full-time on political campaigns, particularly for Hillary Clinton and John Kerry. Before all that, my first career was in systems and network security. Now, I work to help partners around the world communicate with their constituencies to deliver on democracy.
When I started out, I remember thinking at the time it was kind of a pity that clearly all the security challenges would soon be solved and this interesting digital security work would be unneeded. Unfortunately, I was wrong. It’s a frankly scary world out there online, and particularly so for campaigns. COVID-19 has only exacerbated the problem, with parties and candidates forced to engage even more online.
The more we engage politically online, the more vulnerable we are. At the same time, criminal or authoritarian elements are getting more sophisticated in their attacks targeting political parties. Cybersecurity breaches can take down a campaign website, disrupt donations, or lead to malicious content being posted, triggering a takedown of social media accounts. Hacks and digital theft of documents (and the media frenzy that follows), like we saw in 2016 in the US, can be enough to tip an election.
The good news is that there are some simple steps that campaigns can take to keep themselves safer in the internet era. It can seem impossible in the hustle of a campaign to make time for thinking about cybersecurity - but remember the consequences if you don’t. If prevention seems expensive, the cost of not securing digital assets can be incalculable. Fortunately, the basics can go a very long way to let you focus on campaigning on the issues that matter to voters, not dealing with the aftermath of a malicious hack.
Harvard University’s Belfer Center worked with the head of Hillary Clinton’s 2016 campaign, Robby Mook, and of Mitt Romney’s 2012 campaign, Matt Rhoades, to design a playbook capturing the fundamentals of digital security for campaigns. NDI and our sister organization IRI then adapted it for a global audience - check it out!
Here are some highlights:
- Establish a culture of information security awareness. Everyone, from candidate to volunteer, needs to demonstrate that they care. You can’t expect volunteers to be more serious than leadership – and we’ve seen that any volunteer in your team might accidentally do tremendous damage.
- Use the cloud for email and collaboration. By using the major cloud service providers like Google and Microsoft, you let their huge teams of very highly paid security experts protect your stuff. By using online documents for most of your work, you make the damage from malware on your computer - or the loss from forgetting it on the bus - a lot less devastating. You can also focus your security efforts on protecting cloud access with good passwords and two-factor authentication (below). As Andrew Carnegie said, “put all your eggs in one basket – and then watch that basket.”
- Use two-factor authentication in addition to good passwords. Can’t stress this one enough - the most important thing you can do to protect your account is to enable two-factor authentication. This is typically done with your smartphone, sometimes via text message or (much better) via special applications or even small hardware keys.
- Use encrypted messaging apps for anything sensitive. Using true end-to-end encrypted apps for sensitive messages means no one watching can capture what you’re saying. These include Signal, Wickr and WhatsApp - if you’re not using these normally, consider doing so for your most sensitive conversations or among campaign leadership.
- Plan and prepare. In the cybersecurity world there is a joke that there are two kinds of people: those who have been hacked and those who do not realize they also have been hacked. Despite your best efforts, it might happen to you. Think in advance about how you can minimize the amount of sensitive information that can be stolen if things go wrong, and come up with an incident response plan.
There are a lot of internet threats to be concerned about out there; it can at times feel overwhelming, particularly when coupled with the pressure of a campaign. However, the important thing to bear in mind is that the simple steps outlined here can take you and your party a long way toward being more secure and avoiding the disruptions that cybersecurity incidents can inflict on your campaign.