In a bipartisan effort, Harvard University’s Belfer Center for Science and International Affairs is looking to protect elections from cyberattacks and propaganda. The Cybersecurity Campaign Playbook, released today, gives campaign officials simple, actionable information to better secure campaign information from adversaries attempting to use cyberattacks. The effort was led by Robby Mook, a campaign manager for Hillary Clinton in 2016, and Matt Rhoades, a campaign manager for Mitt Romney in 2012.
“We come from different political parties and don’t agree on much when it comes to public policy, but one thing uniting us is the belief that American voters should decide our elections and no one else,” Mook and Rhoades said in the report. “Our increasingly digital way of living and working offers new ways for adversaries to influence our campaigns and elections. While you don’t need to be a cyber expert to run a successful campaign, you do have a responsibility to protect your candidate and organization from adversaries in the digital space.”
Risk is best understood in two parts, the report explains. The first is vulnerabilities: weaknesses that make information more susceptible to alteration, theft, or destruction. Vulnerabilities commonly originate in hardware, software, and the vigilance of staff. The second is the actual threats to the campaign, meaning the nation states or hacktivists with the capability to exploit those vulnerabilities. “Risk results where threat and vulnerability meet,” the report said.
With that understanding of risk in mind, the authors distill their 27-page report into a five-point checklist that, at a bare minimum, every campaign should be following.
- Campaigns need to take cybersecurity seriously. From the get-go, campaigns need to invest in reducing their cyber risk and training their staff. Human error is the number one cause of breaches, the authors write.
- The playbook strongly suggests that campaigns use the cloud. “A big, commercial cloud service will be much more secure than anything you can set up,” the report said. In terms of what products to use, the report specifically calls out using a cloud-based office suite such as GSuite or Microsoft365.
- Learning from 2016, the report suggests that two-factor authentication be used on any important account, including the office suite product, other email or storage services, and social media accounts. Additionally, the report suggests using a mobile app or physical key for the second factor, not text messaging.
- In what seems like an obvious suggestion, the report stresses the importance of a long and strong password. If remembering long, unique passwords proves too difficult for campaign staff, a password manager is suggested.
- What’s true on the football field is true on the political field: the best offense is a good defense. Political campaigns need to have a cyberattack response plan before a cyberattack ever happens. The report points out that an already developed response plan allows for faster, more streamlined communication in the event of an attack.
Outside of the checklist, the report details additional, more advanced steps that campaigns should also implement, including hiring a dedicated IT pro, contracting with a cybersecurity firm for security solutions, and using mobile device management (MDM) software for campaign devices.