Political campaigns face tough security challenges

Securing any organization is a challenge, but the task of securing a political campaign is its own brand of difficulty, combining many corporate security hurdles with the somewhat organized chaos of startup life. While there are many tools and technologies available to campaigns, they don’t always take advantage of them, for financial reasons, opportunity, or other factors that aren’t always obvious.

As the November elections approach, the government and private sector have focused on securing election infrastructure, such as electronic voting machines, voter registration databases and results reporting systems. This work is primarily the responsibility of federal, state and local election officials. But the flip side is the work needed to secure the campaigns themselves, all the different devices, accounts, networks, and other systems used by candidates and their staff. The teams that do this work are usually ad hoc, made up of consultants and contractors hired at the start of a campaign, often with a small window of time to complete their tasks. And while the threats to election infrastructure are real, events in recent years have shown that campaigns are just as high on the agenda for foreign attackers, and they typically work without dedicated security personnel or even IT staff.

“Campaigns are short-lived and resources are limited. Their short lifespan and limited resources make security difficult,” Google researcher Sunny Consolvo said during a talk on election campaign security at the Enigma conference on Monday.

“They have blurred boundaries and work with people from many different organizations. They are also chaotically busy and generally have little knowledge of security, so they are unlikely to prioritize security.”

Google researchers conducted a study of more than 25 participants directly involved in political campaigns from all political backgrounds, including candidates, campaign staff, digital directors and others, and examined the tools and techniques they used to protect themselves and their campaigns. Although the size and level of campaign funding varied, they all faced a common set of challenges. One of the main issues is that campaigns typically ramp up very quickly, so they need to have their networks and devices up and running and sharing resources in a short amount of time. The priority is therefore to make sure things work, and security can take a back seat. Another challenge is the number of accounts used by campaign staff. There are email, social media, storage, cloud, fundraising and other accounts to consider, some of which are shared or co-owned by multiple staff members. And it’s not uncommon for staff members to use personal email and social media accounts for campaign work, which adds more visibility.

“Many campaigns don’t have IT staff, and if they do, they can’t protect personal accounts. Account security is a relatively recent concern,” Consolvo said.

The heightened focus on campaign security in 2020 is a direct result of the attacks on the Democratic National Committee in 2016 that had a tangible effect on election results. Even though email account access was a key factor in these attacks, the use of two-factor authentication to protect email and other high-value accounts is still not common in campaigns. Participants in the Google study listed a number of barriers to implementing 2FA, including the fear of losing access to the second factor (phone or security key) and the additional time required by the login process. But for organizations that are specific targets for high-level attackers, such as foreign intelligence services, 2FA can be a key defense.

“Most people knew it, but if they used it, it was texting or some other weaker form of two-factor authentication,” Consolvo said. “When you’re targeted by sophisticated attackers, the different form factors make the difference.”

Interestingly, despite recent attention from nation-state attackers, Consolvo said some of the study participants didn’t think their campaigns would really get that kind of attention.

“They thought it would be narcissistic to think nation states were after them, but nation states are after them,” Consolvo said.