7 Questions with Ari Schwartz on Advocacy and Political Campaign Cybersecurity
Ari Schwartz is the former Senior Director for Cybersecurity at the White House and is now the Managing Director for Cybersecurity Services at Venable LLP. Ari was kind enough to answer seven questions on campaign cybersecurity issues.
1. Why should an organization actively think about campaign cybersecurity issues?
Online threats impact all organizations that maintain any online presence in the world today and campaigns and advocacy groups are no exceptions. For all organizations, cybersecurity is really a risk management exercise. Organizations have to be proactive in considering what threats it faces, what information and services it needs to protect, and how it will respond if a hack occurs. Without adequate preparation, organizations are left to react, which can leave them more vulnerable and less likely to recover quickly.
2. Can you prevent your organization or campaign from getting hacked?
The absolute prevention of hacking is difficult, if not impossible. Generally speaking, a well-resourced and dedicated hacker will eventually be successful. However, ensuring that your online presence is as secure as possible raises the cost for a hacker to disrupt it and may cause them to find easier targets elsewhere. It is important to understand your risk and plan accordingly. The key today is how you can limit the impact of the incident and how quickly you can respond once you know you’ve been hacked.
3. Do political and advocacy organizations get hacked?
Absolutely. Politically or socially motivated hackers will find advocacy groups attractive targets for achieving their agenda. Advocacy groups are also highly focused on gaining traction and influence for their issues quickly and effectively, which can result in insufficient attention being paid to security controls. It has been said that President Obama first began considering cybersecurity an existential threat to the country following a briefing he received during the 2008 campaign after his campaign systems and Senator McCain’s systems were both hacked by a nation state.
4. Why are they a likely target?
Nation states and so-called “hacktivists” frequently view advocacy groups as prime targets to influence or disrupt political and social issues in their favor. Impacting political campaigns and corrupting a group's message or image can be high profile ways to gain attention for hackers chosen cause. Some examples include defacing a website or compromising a Twitter account to send false tweets. Criminal actors also seek donor lists or credit card information. Knowing that advocacy groups and campaigns usually do not consider campaign cybersecurity makes them a particularly easy target.
5. What are common mistakes folks make about campaign cybersecurity?
The most common mistakes include:
- Using outdated software, or failing to apply software patches when they become available. This can seem daunting, particularly if understaffed, but not keeping patches up-to-date is one of the most common ways hackers are able to compromise websites and other online services;
- Allowing too many users to have privileged access to key information or services. While this can be expedient, it increases the risk of lost or compromised credentials that can be used by hackers;
- Failure to plan for what happens if a hack occurs. Developing and updating an incident handling and recovery plan is essential. If organizations don’t think through how they will get back online or conduct damage control, the impact of an incident can be far greater than it need be.
6. What are basic steps nonprofits and campaigns should take to prevent a campaign cybersecurity threat?
Wherever possible, enable Multi-Factor Authentication. For likely targets, such as social media accounts and administrative access to key assets such as websites and mail servers and services. Almost all service providers including Google, Microsoft, Yahoo, Twitter, Apple, and Facebook have the ability to turn on one time passwords for accounts along with the username and password. This will make it much harder to potential hackers to compromise these resources and use them to their advantage. Also, you have to understand what software your online presence depends on, the develop and implement a plan to make sure that software stays up-to-date.
7. What should a campaign or nonprofit do if you get hacked?
The first hours can be extremely critical in how you respond to a breach. If you have an incident handling and recovery plan in place, there is no need to panic. This should include details on law enforcement contacts, breach notifications required under law, as well as procedures for restoring all systems and services to an operational state. Even for short term campaigns, you should at least know who from the campaign will be in charge and what forensics and/or legal team you would use in the event of a breach.
Bonus: 8. What are ways to secure your campaign and data for the long term?
First, consider what data you have collected that needs to be protected. In many cases, information regarding individuals, such as Personally Identifiable Information and Personal Health Information, could be covered by state and Federal laws and will need to be actively protected. Understand what your obligations are to maintaining the proper security controls and ensuring they are enforced. Identify ways to reduce the amount of stored data through aggregation; anonymize as much data as possible, and encrypt all sensitive data both at rest and in transit.