Securing any organization is a challenge, but the task of securing a political campaign is its own special brand of difficult, combining many of the hurdles of enterprise security with the somewhat organized chaos of startup life. While there are plenty of tools and technology available to campaigns, they don’t always take advantage of them, for financial reasons, expediency, or other factors that aren’t always obvious.
In the run-up to the November election, there was an intense focus in both the government and the private sector on securing the election infrastructure, such as electronic voting machines, voter registration databases, and results reporting systems. That work is mainly up to federal, state, and local election officials. But the other side of that coin is the work that goes into securing the campaigns themselves, all of the various devices, accounts, networks, and other systems used by the candidates and their staffs. The teams doing that work are typically ad hoc, comprising consultants and contractors brought on as a campaign spins up, often with a tiny window of time in which to accomplish their tasks. And while the threats to election infrastructure are real, the events of the past few years have shown that the campaigns are just as high on the priority list for foreign attackers and they’re usually working without dedicated security personnel or even IT staff.
“Campaigns are short-lived and they’re resource-constrained. Their short life spans their limited resources make security difficult,” Sunny Consolvo, a researcher at Google, said during a talk on election campaign security at the Enigma conference Monday.
“They have amorphous boundaries and work with people in many different organizations. They’re also chaotically busy and generally have little security knowledge, so they’re unlikely to prioritize security.”
Google researchers conducted a study with more than 25 participants who were directly involved in political campaigns across the political spectrum, including candidates, campaign staff, digital directors, and others, and looked at the tools and techniques they used to protect themselves and their campaigns. While the size and funding level of the campaigns varied, they all faced a common set of challenges. One of the main issues is that campaigns typically ramp up very quickly, so they need to have their networks and devices up and running and sharing resources in a short amount of time. As a result, the priority is making sure things work, so security can take a back seat. Another challenge is the number of accounts that campaign staff use. There are email, social media, storage, cloud, fundraising, and other accounts to consider, some of which are shared or co-owned by several people on the staff. And, it's not uncommon for staff members to use personal email and social media accounts for campaign work, adding more exposure.
“They thought it would be narcissistic to think the nation states would be after them."
“Many campaigns don’t have IT staff, and if they do they can’t protect the personal accounts. Account security is a relatively recent concern,” Consolvo said.
The increased focus on campaign security in 2020 is a direct result of the attacks on the Democratic National Committee in 2016 that had a tangible effect on the results of the election. Even though email account access was a key factor in those attacks, the use of two-factor authentication to protect mail and other high-value accounts is still not common in campaigns. The participants in Google’s study listed a number of obstacles to implementing 2FA, including a fear of losing access to the second factor (phone or security key), and the extra time it takes during the login process. But for organizations that are definite targets for top-tier attackers, such as foreign intelligence services, 2FA can be a key defense.
“Most people knew about it, but if they did use it, it was SMS or some other weaker form of two-factor authentication,” Consolvo said. “When you’re being targeted by sophisticated attackers, the different form factors make a difference.”
Interestingly, despite the recent attention from state-level attackers, Consolvo said that some of the participants in the study said they didn’t believe their campaigns would really attract that kind of attention.
“They thought it would be narcissistic to think the nation states would be after them but the nation states are after them,” Consolvo said.