Six years after Russian hackers leaked thousands of Democratic National Committee emails ahead of the 2016 presidential election, political campaigns remain firmly in the cybercrime crosshairs. While organizations of all types must be vigilant in the face of escalating digital threats — the number of data breaches publicly reported in the first nine months of 2021 eclipsed the total reported in all of 2020, according to the nonprofit Identity Theft Resource Center — campaigns are especially attractive targets for foreign governments and cybercriminals alike, experts say.
“Campaigns are squishy, perimeter enterprises,” Michael Kaiser, the president and CEO of nonprofit Defending Digital Campaigns, told The Hill, explaining that campaigns differ from conventional business entities because they encompass so many individuals and organizations susceptible to cyber threats — not only staffers and volunteers, but also the candidate’s family and confidants, as well as third-party vendors and fundraising groups.
In mid-2020, Google assembled more than 40 thought leaders and experts from across the political landscape, the technology sector, and the academic sphere to identify and address the challenges facing campaign data security. The resulting report, which Google researchers presented at the 2021 USENIX Security Symposium, states that many cyber attacks on campaigns target individuals and their accounts, most often through social engineering tactics like phishing (i.e., fraudulent emails designed to induce recipients to reveal personal information like passwords and credit card numbers). At the same time, however, the fundamental nature of campaign work makes phishing tough to prevent, with Google citing factors including:
With the 2022 U.S. midterms looming, campaigns must take decisive steps to address these factors and keep their data safe from harm. Read on to explore Google’s campaign cybersecurity recommendations — and to better understand the vital role that Civis Analytics can play in facilitating and augmenting these recommendations for campaigns like yours.
Although security professionals offered all sorts of advice for campaign workers, Google admits that many recommendations “can be overwhelming to the many people who work on, with, or in support of campaigns,” noting that while these people want to do the right thing, they often view cybersecurity “as being difficult, not high enough priority, and maybe not worth the effort given all the other things they must do.”
To that end, Google set out to select one top piece of security advice that campaigns, organizations, and influencers could promote to boost the chances of adoption — advice that would be relatively easy for campaign workers to follow and understand, but still relevant to the digital attacks they face.
Turning on the strongest form of Two-Factor Authentication (2FA) for campaign and personal email, social media, and bank accounts is the first, most important thing someone connected to a political campaign can do, Google says. “2FA makes account hijacking more difficult,” Google explains. “It can help limit access to sensitive data in accounts, and since email accounts can be leveraged to access other types of accounts (through password reset links sent via email), it helps to prevent that, too. Securing email accounts also serves as another line of defense — they’re where notifications about suspicious password reset or other account change notifications are sent for a wide variety of accounts.”
Two-Factor Authentication is core to Civis Platform, our cloud-based data science workbench. Platform — which enables teams to collaborate in a secure, centralized environment, complete with network, application, and database-level risk and compliance tools that protect your campaign’s most sensitive data assets — is secure by default: Civis introduced 2FA as a requirement for Platform accounts in 2014, and we support Security Assertion Markup Language (SAML) single sign-on, which enables users to access multiple web applications using one set of login credentials.
Civis Platform directly addresses other key Google campaign security recommendations as well, including:
Instead of juggling multiple accounts to do work on your own machines, you can automate this work in Platform, storing credentials via our secure Credentials feature. Workflows can be set up to run under special “robot” accounts, so work can continue as new staffers enter the campaign and others exit. These robot accounts don’t have passwords — you can’t log in directly as a robot — so campaigns don’t have to worry about shared passwords or sharing phones for 2FA. They can assign access to the robot account exclusively to the personnel who need it, and breathe easier knowing that users lose access to everything in Platform (including robot accounts) as soon as their account is deactivated.
Every 39 seconds, a new cyberattack is launched somewhere on the web. If you fail at cybersecurity, you will almost certainly lose your election, too — not just because bad actors have gained access to your data, but also because of the reputational damage you will suffer. Civis Platform doesn’t just secure your campaign’s data; it secures your campaign’s future, too.