Saranga Komanduri | Principal Software Architect, Civis Analytics

Jenn Cervella | Sr. Business Development Manager, Civis Analytics

Six years after Russian hackers leaked thousands of Democratic National Committee emails ahead of the 2016 presidential election, political campaigns remain firmly in the cybercrime crosshairs. While organizations of all types must be vigilant in the face of escalating digital threats — the number of data breaches publicly reported in the first nine months of 2021 eclipsed the total reported in all of 2020, according to the nonprofit Identity Theft Resource Center — campaigns are especially attractive targets for foreign governments and cybercriminals alike, experts say.

“Campaigns are squishy, perimeter enterprises,” Michael Kaiser, the president and CEO of nonprofit Defending Digital Campaigns, told The Hill, explaining that campaigns differ from conventional business entities because they encompass so many individuals and organizations susceptible to cyber threats — not only staffers and volunteers, but also the candidate’s family and confidants, as well as third-party vendors and fundraising groups. 

In mid-2020, Google assembled more than 40 thought leaders and experts from across the political landscape, the technology sector, and the academic sphere to identify and address the challenges facing campaign data security. The resulting report, which Google researchers presented at the 2021 USENIX Security Symposium, states that many cyber attacks on campaigns target individuals and their accounts, most often through social engineering tactics like phishing (i.e., fraudulent emails designed to induce recipients to reveal personal information like passwords and credit card numbers). At the same time, however, the fundamental nature of campaign work makes phishing tough to prevent, with Google citing factors including: 

  • The large number of accounts used (both personal and shared, campaign-related accounts) 
  • A dearth of security/IT administration across those accounts
  • The high volume of work happening across domains, platforms, and services 
  • Insufficient cybersecurity training
  • A “fast-paced, hectic, temporary environment where security is not the top priority”

With the 2022 U.S. midterms looming, campaigns must take decisive steps to address these factors and keep their data safe from harm. Read on to explore Google’s campaign cybersecurity recommendations — and to better understand the vital role that Civis Analytics can play in facilitating and augmenting these recommendations for campaigns like yours.   

The cybersecurity measure all campaigns should implement

Although security professionals suggested all sorts of advice for campaign workers, Google admits many recommendations “can be overwhelming to the many people who work on, with, or in support of campaigns,” noting that while these people want to do the right thing, they often view cybersecurity “as being difficult, not high enough priority, and maybe not worth the effort given all the other things they must do.” 

To that point, Google set out to select one top piece of security advice that campaigns, organizations, and influencers could promote to boost chances of adoption — advice that would be relatively easy for campaign workers to follow and understand, but still relevant to the digital attacks they face. 

Turning on the strongest form of Two-Factor Authentication (2FA) for campaign and personal email, social media, and bank accounts is the first, most important thing someone connected to a political campaign can do, Google says. “2FA makes account hijacking more difficult,” Google explains. “It can help limit access to sensitive data in accounts, and since email accounts can be leveraged to access other types of accounts (through password reset links sent via email), it helps to prevent that, too. Securing email accounts also serves as another line of defense — they’re where notifications about suspicious password reset or other account change notifications are sent for a wide variety of accounts.”

Two-Factor Authentication is core to Civis Platform, our cloud-based data science workbench. Platform — which enables teams to collaborate in a secure, centralized environment, complete with network, application, and database-level risk and compliance tools that protect your campaign’s most sensitive data assets — is secure by default: Civis introduced 2FA as a requirement for Platform accounts in 2014, and we support Security Assertion Markup Language (SAML) single sign-on, which enables users to access multiple web applications using one set of login credentials. 

More ways Civis Platform keeps campaign data safe 

Civis Platform directly addresses other key Google campaign security recommendations as well, including: 

  • Developing policies for data handling (e.g., where and how to store which types of data). All data stored in Civis Platform is encrypted and protected by multiple layers of security. A general-purpose computing environment offers campaigns the flexibility to maximize the work done in this safe space: you can run code in any programming language, use Jupyter notebooks and web services, and schedule work to run at any time. In addition, Platform is tightly integrated with GitHub, where you can version control your code in private repositories.
  • Having a policy/knowing best practices for what to do when someone leaves and/or the campaign ends. Protecting multi-tenant user accounts in environments where staffers routinely come and go poses particular challenges. Because account ownership must be transferred as people join and leave a campaign, use of shared accounts is widespread, which makes 2FA implementation impossible. 

Instead of juggling multiple accounts to do work on your own machines, you can automate this work in Platform, storing credentials via our secure Credentials feature. Workflows can be set up to run under special “robot” accounts, so work can continue as new staffers enter the campaign and others exit. These robot accounts don’t have passwords — you can’t log in directly as a robot — so campaigns don’t have to worry about shared passwords or sharing phones for 2FA. They can assign access to the robot account exclusively to personnel that need it, and breathe easier knowing that users lose access to everything in Platform (including robot accounts) as soon as their account is deactivated.

  • Laying the groundwork for establishing a stronger security culture in the future. Beyond Platform’s signature technology and features, Civis also delivers white-glove consultation and support. We employ dedicated security and DevOps teams to protect both the data and the system, giving all clients the same level of protection; our security team works with security experts from Amazon Web Services, Google, and other top firms to manage Platform according to industry standards, and our client success and solution architect teams help set up organizations to follow these best practices. Moreover, Civis is SOC2-certified, guaranteeing we’re held accountable for keeping clients as secure as possible according to the latest guidelines.

Every 39 seconds, a new cyberattack is launched somewhere on the web. If you fail at cybersecurity, you will almost certainly lose your election, too — not just because bad actors have gained access to your data, but also because of the reputational damage you will suffer. Civis Platform doesn’t just secure your campaign’s data; it secures your campaign’s future, too.  

Boost your chances at the polls by making Civis Analytics your running mate.

Get in touch with us today to learn what Civis Platform can do for you and your campaign staff.
