It’s been almost three years since Russian intelligence operatives reportedly first hacked the Democratic National Committee’s (DNC) servers on July 27, 2015—setting off a chain of events involving the DNC’s own sloppy security measures and lax response, and Wikileaks’ disclosure of embarrassing Hillary Clinton campaign emails, helping propel Donald Trump to victory. This time, the DNC is hoping that the lessons it’s learned from that history will help it avoid a repeat. And the Republican National Committee (RNC), which was fortunate during the 2016 campaign that hackers failed to infiltrate its own semi-secure servers, is praying that it’s not their turn this time.
Looking ahead to the 2018 midterms and the 2020 presidential election, campaign organizations have taken big steps to improve their digital security, and those measures haven’t been limited to installing new firewalls or upgrading security software. “In a post-2016 campaign environment, all campaigns and vendors need to be reflective [on] how they treat data security and make it a operational priority,” writes Scott Tranter, cofounder of 0ptimus, a data and tech company that’s worked with Republican candidates, in an email.
With phishing attacks a fact of life on the modern internet, the political parties have also been aggressively training their employees to keep themselves safe by using security measures like two-factor authentication and, of course, not clicking on suspicious emails. John Podesta, chairman of Clinton’s 2016 campaign, famously had his personal emails hacked and leaked as a result of a phishing attack, and party officials and tech vendors want to make sure nothing like that ever happens again.
“Technical security is important, but physical and administrative security is often overlooked and is essential to overall data security,” writes Emily Schwartz, vice president of organizing at campaign tech company NationBuilder, in an email to Fast Company. “This requires diligence from every member of the staff, not just our engineering team. For example, we do intensive all-staff security trainings that are focused on making sure that every staff member fully owns their personal responsibility in data security.”
“We Phish Our Employees On A Regular Basis”
In January, the DNC announced it was hiring Bob Lord, probably best known for detecting the massive Yahoo security breach after he became chief information security officer at that company, as its new chief security officer. Since then, Lord has boosted DNC employees’ cybersafety senses to the point where they’re even wary of emails pointing them to further security training.
“We phish our employees on a regular basis,” he says. “They suspect that somebody asking them to complete their security training might be a phishing attack, but for me, that’s exactly the right problem to have.”
Deep Root Analytics, an Arlington, Virginia, company that helps campaigns and other organizations target TV advertising to demonstrate that the people they want to reach actually watch, runs similar tests on its staff and has even gone further to test their security acumen.
“We will do things like leave thumb drives in the office lobby to test and make sure that people aren’t taking those thumb drives,” says CEO Brent McGoldrick.
Deep Root dealt with a data breach of its own last year when researchers at security company UpGuard discovered a trove of voter data left publicly accessible on a Deep Root cloud server. Since then, the company has worked internally and with outside consultants to boost its security. Deep Root hopes to work within the political data industry to standardize ways to securely store and transfer data, and to share information on digital threats, McGoldrick says.
“It’s things like creating a forum in which we can all come together, not as competitors, but as people who operate in the space but can share things that have happened, or things that look strange or strange phishing attempts,” he says.
The DNC has also received formal and informal assistance from outside organizations—”We’ve been humbled about the number of people in the outside world who want to help us,” says CTO Raffi Krikorian. It also recently unveiled a digital marketplace, called I Will Run, that points new candidates for office toward vendors offering services from data analytics to secure communications. Lord says also he’s worked to promote good security practices to others in the political ecosystem.
“My goal is to sound a little bit like a broken record, and to focus on some of the basics,” he says. “I’ll repeat those through any mechanism I get.”
Curated Cloud Services + Chromebooks + iPads
Individual political campaigns that ramp up quickly with dozens or hundreds of employees and volunteers have traditionally had a hard time focusing on cybersecurity.
“There are many people involved out of necessity and many moving parts,” an UpGuard spokesperson writes in an email. “Because politicians must spin up and down campaigns very quickly, the data flows rapidly in that kind of environment, and there is insufficient planning in advance to facilitate the appropriate management of that data.”
Ideally, giving campaigns a ready list of secure digital providers and basic good practices will help them avoid hack attacks without having to divert too many resources from their primary goals.
The DNC has, like many companies, taken steps to move digital services to what Lord calls “properly curated cloud services,” where the DNC can build on the security already provided by cloud vendors. It’s also experimenting with using particularly secure devices, like Chromebooks and iPads, to replace potentially less secure equipment employees use to connect to its networks. Lord says since he’s only connected to the internal network using a Chromebook, in part to test how viable those computers are for DNC use. The devices are believed to be hard enough to hack that they’re just not viable targets for most attackers, he says.
“It’s going to be a little bit of a challenge to move any organization 100% to one of these systems, but we’re gonna push on it, and we’re gonna see where we have our wins,” he says.
Keeping Its Security Secrets Close To The Vest
The RNC, and state party organizations on both sides of the aisle, report that they’ve also taken steps to bolster security, though many declined to share specifics.
“The RNC continues to make considerable investments to bolster our security and protect our data information,” says spokeswoman Blair Ellis in an email. “Data security remains a top priority at the RNC, and we will continue to update and protect our system from outside threats.”
In general, experts say, consistently following little steps like choosing secure tools, keeping them updated, and training employees are likely the key to keeping hackers at bay or, at least, sending them looking elsewhere for easier targets.
“One of the most important things that organizations, especially campaigns, can do is take seemingly small but proactive steps like limiting access to data, setting your computer screen to lock quickly, and making sure to log into secure Wi-Fi and having the ability to remote swipe clean computers,” writes Schwartz. “These things may seem small, but they are often the places where organizations are most vulnerable.”