After the 2016 U.S. election, one thing is sure: We will be talking about cyber security in the context of elections in the near future, and possibly forever.
Securing a political campaign presents a unique challenge, especially in the United States where over $6 billion was spent in a single cycle to elect candidates on the federal, state and local level. The victors of these campaigns will potentially make decisions that can affect trillions of dollars in spending, along with global security and trade.
“Security depends a good deal on culture – and as campaigns are thrown together and are temporary things – culture can be quite variable,” Sean Sullivan, F-Secure Security Advisor, told me.
A presidential campaign has to put together the infrastructure for what is essentially a massive corporation in a few months. And as with any large corporation, there is generally no question about whether if a large campaign is going to be hacked.
The question is: “When?”
With this threat landscape in mind, former high-ranking campaign officials from the U.S.’s two major parties have united through the Belfer Center for Science and Internet at Harvard University to release what they call Cybersecurity Campaign Playbook.
“The information assembled here is for any campaign in any party,” the Playbook’s Welcome reads. “It was designed to give you simple, actionable information that will make your campaign’s information more secure from adversaries trying to attack your or-ganization—and our democracy. Most of all, we hope this resource allows you to spend more time on what you signed up for—campaigning.”
Sullivan calls the document “a good start” and noted that the “Top 5 Checklist” it opens with offers “some good basics.”
Here is that Checklist:
1. Set the Tone:
Take cybersecurity seriously. Take responsibility for reducing risk, train your staff, and set the example. Human error is the number one cause of breaches.
2. Use the cloud:
A big, commercial cloud service will be much more secure than anything you can set up. Use a cloud-based office suite like GSuite or Microsoft365 that will provide all your basic office functions and a safe place to store information.
3. Use two-factor authentication:
Require 2FA for all important accounts, including your office suite, any other email or storage services, and your social media accounts. Use a mobile app or physical key for your second factor, not text messaging.
4. Create strong, long passwords:
For your passwords, create SOMETHINGREALLYLONGLIKETHISSTRING, not something really short like Th1$. Contrary to popular belief, a long string of random words without symbols is more difficult to break than something short, with L0t$ 0f $ymB01$. A password manager can help, too.
5. Plan and prepare:
Have a plan in case your security is compromised. Know whom to call for technical help, understand your legal obligations, and be ready to communicate internally and externally as rapidly as possible.
These suggestions — especially 1 through 4 — are pretty good for anyone who does business online, or wants to keep hackers out of their accounts. Any campaign or company can take our Cyber Security Stress test to get a sense of how solid your security culture is.
Step 5 is especially crucial for a campaign or a business, which is why we created this poster to remind people what to do when you’ve been hacked.
For an individual, step 5 is a little tougher to pull off because you likely don’t have any IT pros on your payroll, which is probably true for even for smaller campaigns. You still need a plan. Make sure to regain control of your compromised accounts, which is why two-factor authentication matters so much.
Preparation is the best plan, of course. Keep your software updated and make sure you’re running a complete Internet Security like F-Secure TOTAL. You can mitigate much of the damage you should expect from conventional cyber attacks by making sure that not only are your passwords strong and long, they’re also unique for each of your most important accounts. As the checklist notes, a password manager helps, and you can use our F-Secure KEY for free on one device. Having off-site backups of your files will also reduce some of the damage of a ransomware attack.
If you matter at all in the twenty-first century, you are a target.
Campaigns and the elections they contest matter very much and can have severe consequences. Campaign security isn’t just about preserving privacy, it’s about preserving the legitimacy democracy requires. This report looks like a decent first step toward improving the cyber security fair elections need.