Digital Safety Measures for Local Political Campaigns
Originally Published on LinkedIn (11/9/2019)
“We’re Americans! Do you know what that means? It means our forefathers were kicked out of every decent country in the world.” — William James Murray
Safety is a measurement of time. One of the highest grades of certification a safe or personal vault can receive is the Burglary Classification TL-30 from Underwriters Laboratories. For a safe or vault to earn the highly coveted TL-30 rating it must be among the most secure containers available for use, able to withstand at least 30 minutes of a professional-level attack and attempted access. The top safe makers in the world will only guarantee valuables for 30 minutes if a determined and resourced opponent is trying to gain access.
Over the years, safe makers have developed shield improvements to defend containers against the latest burglar tools, more sophisticated locks that can identify who is trying to gain entry, and monitoring systems that alert clients of changes to the ordinary. These improvements made client assets measurably safer by making intrusions more complex to perform with a higher likelihood of detection. Similar measures can be leveraged to upgrade the level of digital safety for local political campaigns.
While no system can be 100% secure, the more labor it takes to gain access to a system, the more chances an organization may have to identify and dissuade an attempted breach. Digital safety is about disrupting and delaying adversarial opportunities for unauthorized access to systems and information. With the primary responsibility of any political campaign being to open communities to new ideas and collaborations, it can be challenging to know where to start maintaining safe access. Here are some recommendations of where to explore those topics as a team:
Talk about digital safety
Imagine having to break the news to one of the team members that they made a simple error that put a political future at risk. Imagine being that team member. Teams that have an established dialog about how to stay safe online are better prepared when confronting adversarial unauthorized access. Regularly talking together about how to maintain good digital hygiene, what methods to employ to prevent a breach, and what steps to take in the event one happens helps teams feel empowered to keep a campaign secure at all levels.
Keep your brand safe
Every campaign needs a website, but how does an organization keep it safe? One place to start is by adopting the maxim of “embracing the cloud.” Similar to how Google Drive and Microsoft Online function, platforms like WordPress.com and Squarespace offer “cloud” services that store and run your website across multiple computers, providing much more effective safety and security options than a single-server setup.
It is vital to signal to others that websites are safe for use. Communicating what information a website will and will not collect from an audience helps build trust and empowers supporters to flag any suspicious requests. Installing an SSL certificate transforms the website address from an “http://” to an “https://.” The certificate signals to search engines that a site has been authenticated as “not bogus,” certifying your use of standard encryption to keep visitor information secure. Search engines prefer sending their users to sites that are less likely to be a scam. Google, Bing, and others tend to uprank websites that are measurably more secure, giving them an edge in competitive online search rankings.
Keep your accounts safe
Weak passwords and phishing campaigns are among the easiest and most common ways systems are compromised. When it comes to passwords, a strong one is a long one. It is much better to have a long passphrase with a remembered rhythm than a short password with forgettable strokes. Often experts recommend changing passwords on accounts every seven weeks. Throughout a campaign, it can be challenging to maintain a memory of multiple passwords across multiple accounts. At times it may be appropriate to use an online password manager to help manage individual access.
Phishing attempts consist of the attacker tricking a user into providing them with access or information; this trick usually comes in the form of an email or text message appearing to come from a familiar source. It is crucial to encourage teams always to avoid clicking on unsolicited links and attachments as a best practice to prevent a successful phishing attack. Phishing is one of the methods of attack Russian state-sponsored hackers “Cozy Bear” and “Fancy Bear” used to gain access to John Podesta’s and the DNC’s emails. Attacks grow more sophisticated every day. One possible way to counter a phishing attack is by using 2FA or multi-factor authentication. Multi-factor authentication multiplies the number of devices and labor involved in accessing a network, giving teams more opportunities to identify adversarial access attempts.
Keep your communications safe
Earlier this year, the Global Cyber Alliance revealed 10 out of the 14 Democratic campaigns for President failed to employ an essential domain safety measure called DMARC. The absence of that digital safety measure left the campaigns vulnerable to email spoofing. When another user can spoof or impersonate your email address, they can virtually masquerade as you anywhere, leaving your good name susceptible to misuse and fraud. Digital safety measures also apply to internal campaign communications like chats and text messages. Apps like Signal not only provide a safe and private place to communicate but also often offer an extra layer of security with easy-to-use encryption settings.
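To make the DMARC point concrete, here is an added example (not part of the original article) that classifies a domain's DMARC posture from the TXT records published at _dmarc.<domain>. The function names, the status labels, and the .example domains and records are all constructed for illustration.

```python
# Added example: classify DMARC posture from TXT records (RFC 7489 tag syntax).
# Domains and records in SAMPLE are constructed sample data, not real campaigns.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # A DMARC record must start with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt_records):
    """Return (status, detail) for the TXT records found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return ("missing", "no DMARC record, so no policy against spoofed mail")
    if len(records) > 1:
        return ("invalid", "multiple DMARC records, so receivers apply none")
    tags = records[0]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    # Simplification: a missing or malformed p=/pct= is reported as invalid.
    if policy not in ("none", "quarantine", "reject") or not pct.isdigit():
        return ("invalid", "missing or malformed p= or pct= tag")
    if policy == "none":
        return ("monitor-only", "p=none reports on spoofed mail but allows it")
    if int(pct) < 100:
        return ("partial", f"p={policy} covers only {pct}% of failing mail")
    return ("enforced", f"p={policy} covers all failing mail")

SAMPLE = {  # constructed records, keyed by constructed domain
    "campaign-a.example": ["v=spf1 include:_spf.example.net ~all"],
    "campaign-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example"],
    "campaign-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "campaign-d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@campaign-d.example"],
}

def audit(sample):
    """Map each domain to its posture status."""
    return {domain: dmarc_posture(txts)[0] for domain, txts in sample.items()}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(domain, *dmarc_posture(txts))
```

For a real domain, the input would be the TXT strings returned by a DNS lookup of _dmarc.<domain>; only the "enforced" result means receivers are asked to quarantine or reject all spoofed mail.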
Keep your devices safe
Hardware and software updates are critical to maintaining digital safety for any organization. In May 2017, the “WannaCry” data theft and ransomware attack inflicted hundreds of millions of dollars of damage across 150 countries. WannaCry’s effect on the National Health Service may lead it to be among the first cyberattacks with an attributable mortality rate. Those losses and damages were mostly avoidable. An after-attack report noted how all of the organizations affected by “WannaCry” could have protected themselves by accepting and installing a March 2017 Windows update.
Professional security suites like Norton and McAfee can also help keep systems clean and alert users to any potential vulnerabilities on devices and networks. Employing separate devices for home and professional use decreases the chance of attacks crossing that boundary. It is also a good rule of thumb to keep devices up-to-date and avoid connecting sensitive devices to public Wi-Fi. Public Wi-Fi and other unsecured networks provide opportunities for adversaries to eavesdrop on the information devices are transmitting.
Data theft, ransomware, and spoofing can be unfamiliar and intimidating terms to engage at first. However, just as there are adversarial elements online, there are also allies. The global digital community fills itself with leaders and resources ready to tackle this challenge and make the online world safe and secure for all. If you are interested in learning more about cybersecurity and digital safety, check out the following resources:
- Cybersecurity Campaign Playbook — The Romney 2012 and Clinton 2016 campaign managers teamed up to provide an accessible guide on what measures to take to keep campaigns safe. #CyberPlaybook (https://www.belfercenter.org/CyberPlaybook)
- Last Week Tonight Interview with Edward Snowden: John Oliver and Edward Snowden break down how to find a secure password that works for you. #LastWeekTonight (https://www.youtube.com/watch?v=yzGzB-yYKcc)
- Stop. Think. Connect — The Department of Homeland Security’s public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. #StopThinkConnect (https://www.dhs.gov/stopthinkconnect)