Reporters have recently raised alarm bells about the security posture of certain 2020 presidential campaigns. For instance, with just a couple of weeks to go before the Iowa caucuses, two top-polling Democratic candidates (Sens. Elizabeth Warren and Bernie Sanders) are still declining to say how they are protecting their campaigns against hacking.

Meanwhile, we received news that Mick Baccio, Pete Buttigieg’s campaign cybersecurity chief, has just resigned. What is particularly alarming about the news is that Buttigieg’s was the only Democratic presidential campaign known to have a full-time cybersecurity staffer.

It seems that some of the current presidential campaigns have not quite internalized the lessons of 2016, when John Podesta’s Gmail account was phished by Russian operatives and the Democratic National Committee’s computer network was breached. Cybersecurity experts have warned that what happened to the DNC in 2016 may well happen again.

While the electoral security issues are making headlines at the moment, it is important to remember that it’s not just political campaigns that can be exploited by hackers. At this time, businesses of all stripes have legitimate reasons to take precautionary measures to avoid falling victim to data breaches and other cyber incidents. 

In fact, small businesses and political campaigns share more similarities than differences in how they operate. Both are often racing against the clock with limited resources and a lean staff who must perform duties outside their core expertise. As a result, it is not surprising that both miss important operational steps, including putting adequate cybersecurity measures in place.

In this article, we’ll discuss the security lessons we’ve learned from 2020 presidential campaigns and outline the key infosec measures organizations of all types should take to protect themselves from the most common attacks. 

Lesson #1: Basic (and free) security measures can go a long way

In September 2019, The Atlantic reported that certain campaigns had not given its reporters definitive answers on whether they had implemented the basic security measures recommended by the Democratic National Committee. Bob Lord, Chief Security Officer for the DNC, has said that these simple measures are the ones that make the most common attacks much harder. They include:

  • Laptop disk encryption 
  • Web encryption. Use the HTTPS Everywhere browser extension, which upgrades connections to HTTPS wherever a site supports it. 
  • Strong password guidelines 
  • Password managers such as LastPass and 1Password, which create, store and enter login credentials for you. 
  • Two-factor authentication (hardware security keys are the strongest form; SMS codes are the weakest) 
  • Enrolling in Google’s Advanced Protection Program (for Gmail users), which requires security keys to sign in 

Many of these security tools are free (or inexpensive), and relatively easy to implement. 

The committee also wants politicians and their staff to use encrypted messaging applications like Signal and Wickr, and it suggests they use devices with built-in security features, such as Chromebooks or iPads. 

Rather than becoming overwhelmed by all the security measures and tools you could possibly implement, focus on the few simple measures that eliminate the majority of the cybersecurity risks you face. Fortunately, it is easy to find out what these basic measures are: the DNC publishes a downloadable checklist of recommended devices and security measures.

Lesson #2: Attempts to hack emails have become more sophisticated

Because everyone uses email to get work done, email remains the primary point of digital vulnerability for both electoral campaigns and businesses at large. 

You may recall that in 2016, John Podesta, the chairman of Hillary Clinton’s presidential campaign, fell for a phishing email — granting Russian hackers, and thereby the world, access to his Gmail account. Since then, the current crop of presidential campaigns has taken steps to fortify their digital operations. 

However, according to those who have worked with the campaigns on these efforts, they still remain vulnerable to attack and lack certain cybersecurity best practices. According to Agari, an email security company, hackers have evolved beyond simple phishing attempts where they try to get victims to click on email links and download files that contain malware.

Instead, attackers increasingly rely on spear phishing that carries no malicious link, attachment, or software, which is difficult for security tools to detect. It is essentially “a crime of identity deception” and a form of social engineering, Armen Najarian explained in an interview with The Atlantic. As an example, he cited Bill Weld’s campaign manager receiving a personalized email that appeared to come from an administrative assistant and requested the password for the campaign’s Box.com account.

Agari has found that only four of the 13 presidential candidates polling at 1 percent or above (Biden, Elizabeth Warren, Cory Booker, and Tulsi Gabbard) have implemented a policy that, in its estimation, would prevent emails spoofing their campaign-site domains from reaching the inboxes of voters, donors, reporters, or other recipients. In practice this means publishing a DMARC record with an enforcing policy (p=reject, or at least p=quarantine) so that receiving mail servers discard messages that fail SPF and DKIM alignment rather than merely reporting them. As a point of comparison, the Department of Homeland Security now requires all federal agencies to adopt this level of protection against email spoofing (Binding Operational Directive 18-01). 
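To make the “policy” above concrete, here is an added example (not code from the article, Agari, or the DNC) that classifies the spoofing protection a DMARC record offers. The record format follows RFC 7489; the records and domain names are constructed samples, not real campaign domains.

```python
"""Added example (not from the original article): classify the spoofing
protection a DMARC record offers.

A domain's DMARC policy lives in a DNS TXT record at _dmarc.<domain>
(RFC 7489).  Only a record whose policy is "reject" or "quarantine", applied
to 100% of mail, tells receiving servers to keep spoofed messages out of
inboxes; "p=none" merely asks for reports.  All records below are constructed
samples; the domain names are placeholders, not real campaign domains.
"""
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:                               # skip empty or malformed parts
            tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_level(record: str | None) -> str:
    """Return 'none', 'monitor', 'partial' or 'enforced' for the org domain.

    none     - no record, or not a valid DMARC record: receivers apply no policy
    monitor  - p=none: spoofed mail is reported but still delivered
    partial  - reject/quarantine applied only to pct<100 of failing mail
    enforced - reject or quarantine applied to all failing mail
    """
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    if policy not in ("reject", "quarantine"):
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))     # RFC 7489 default is 100
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"


def subdomains_protected(record: str) -> bool:
    """Spoofers fall back to mail.campaign.example when the org domain is
    locked down.  The 'sp' tag overrides 'p' for subdomains, so
    'p=reject; sp=none' leaves every subdomain spoofable."""
    tags = parse_dmarc(record)
    policy = tags.get("sp", tags.get("p", "none")).lower()
    return policy in ("reject", "quarantine")


# Constructed sample records, one per posture.
SAMPLES = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example",
    "campaign-c.example": "v=DMARC1; p=quarantine; pct=25",
    "campaign-d.example": "v=DMARC1; p=reject; sp=none",
    "campaign-e.example": None,               # no _dmarc record published
}


def audit(samples: dict[str, str | None]) -> dict[str, tuple[str, bool]]:
    """Map each domain to (org-domain enforcement level, subdomains protected?)."""
    report = {}
    for domain, record in samples.items():
        level = enforcement_level(record)
        subs = subdomains_protected(record) if record else False
        report[domain] = (level, subs)
    return report


if __name__ == "__main__":
    for domain, (level, subs) in audit(SAMPLES).items():
        print(f"{domain:22} {level:9} subdomains={'ok' if subs else 'spoofable'}")
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.yourdomain.example` and pass the string to `enforcement_level`; only `enforced` with `subdomains_protected` returning true matches the posture the four campaigns above reached. Note that DMARC only works if SPF and DKIM are also set up so that legitimate mail passes alignment; an enforcing policy without them would block your own mail.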

At this time, it may well be worth evaluating email security tools beyond the standard suite provided by Google or Microsoft, and at a minimum confirming that your own domains publish SPF, DKIM, and an enforcing DMARC record, so that mail spoofed in your name is rejected by recipients. 

Lesson #3: Saying “no comment” to security questions from your stakeholders is not an acceptable answer

When The Atlantic contacted representatives of Trump’s campaign and the top 10 Democratic campaigns in September 2019, many officials declined to comment on their approach to digital security on the grounds that revealing the measures would render them less effective. “We take cybersecurity very seriously and we do not comment on our preparations,” Tim Murtaugh, the communications director for the president’s reelection campaign, told The Atlantic. 

This type of no-comment response is not acceptable when the stakes are so high. While Russia could interfere again in 2020, it is not the only potential state aggressor. Based on current events, we know that Iran and North Korea could also try to interfere with these campaigns and the upcoming election. 

Similarly, businesses of all types need to have a thoughtful answer when asked about their security measures. As organizations shift more and more of their mission-critical functions to the cloud and rely on SaaS vendors to run their business, B2B buyers will become more vigilant about the security and compliance posture of their vendors and the risks third parties pose. Remember that enterprise buyers are savvy and will not settle for vague answers. 

To maintain credibility with customers and other stakeholders, it’s important to 1) develop a robust information security policy, 2) ensure that the policy is upheld internally and 3) create a thoughtful (and thorough) public-facing response on how your organization is ensuring security and protecting customers’ data.  

To develop an information security policy, you can start by reviewing the resources and policy templates from the SANS Institute and familiarizing yourself with the most influential cybersecurity frameworks, which are full of security best practices that companies should follow. 

There are many businesses that have published security statements. Here are some examples to check out: 

Going beyond the basics

What is clear from our observations is that the cyber risk environment is far more fraught than it used to be, and many traditional approaches to security no longer work. While getting the basics down is important, we also encourage organizations to go beyond the basics to ensure that they are truly doing enough to keep themselves safe. After all, recovering from even a single data breach can be quite difficult.

Security and technology leaders should consider implementing the following:  

1. Choose a cybersecurity framework and go through a compliance process

Going through a thorough compliance process gives you the opportunity to uncover the gaps in your security program. By a compliance process, we mean being assessed against a widely accepted cybersecurity framework (e.g. SOC 2, NIST SP 800-53, ISO 27001) and obtaining an independent attestation or certification. This is a journey that involves:

  • Researching the various cybersecurity frameworks in the market 
  • Committing to one framework that is most suited for your business type and risk profile 
  • Understanding how your existing internal controls map to the requirements of the framework
  • Developing new controls where necessary 
  • Testing the controls to gauge their operating effectiveness 
  • Remediating weaknesses, and finally  
  • Going through a formal audit or an independent attestation process 

When you decide to become compliant with a cybersecurity framework, you will go through a process that forces you to inventory your strengths and weaknesses. You will educate yourself on modern best practices, and the exercise can serve as a springboard to put in place or refine deficient controls and processes.

2. Move towards a Zero Trust security model 

To better defend against today’s escalating cyber risks, consider moving your operations towards a zero-trust model. Zero Trust is a security concept coined by Forrester analyst John Kindervag; it is centered on the principle that organizations should not automatically trust anything inside or outside their perimeter, and instead must verify everything trying to connect to their systems before granting access.

The benefits of adopting a zero-trust model are that it will do a better job of preventing data breaches and can increase the productivity of security and engineering teams by simplifying their workflows. Security and technology experts point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance.

Experts also agree that the old approach, defending the perimeter and trusting everyone inside the network, no longer works in modern environments, because work no longer happens inside a single corporate data center. Instead, companies typically have a variety of users accessing applications from a range of devices in multiple locations.

Practically speaking, implementing Zero Trust means denying access to every resource by default, regardless of the requester’s IP address or network location, until you have verified who the user is, what device they are on, and whether they are authorized for that specific resource. It also calls for segmenting the network in more granular ways and enforcing policy per user, device, location, and other signals to decide whether to trust a user, machine, or application seeking access to a particular part of the enterprise.
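As an added example, not code from the article or from Forrester, the following contrasts the two models as policy code: a perimeter check that trusts any request from the office network, and a zero-trust evaluator that ignores the source network and instead checks identity, authorization, MFA and device posture for each request. The corporate IP range, user directory, device inventory and resource policies are constructed sample data, not any product’s API.

```python
"""Added example (not from the original article): perimeter trust versus a
zero-trust access decision, written as policy code.

The corporate IP range, user directory, device inventory and resource
policies below are constructed sample data, not any product's API.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed office/VPN range

# Constructed identity data: which groups each user belongs to.
USER_GROUPS = {
    "alice": {"staff", "data-team"},
    "bob": {"staff"},
}

# Constructed device inventory, using the Lesson #1 basics as posture checks.
MANAGED_DEVICES = {
    "laptop-042": {"disk_encrypted": True, "patched": True},
    "laptop-077": {"disk_encrypted": False, "patched": True},
}

# Constructed per-resource policy: the more sensitive the data, the more the
# request must prove.  No rule mentions the source network.
RESOURCE_POLICY = {
    "voter-db": {"groups": {"data-team"}, "require_mfa": True, "managed_device": True},
    "wiki": {"groups": {"staff"}, "require_mfa": True, "managed_device": False},
}


@dataclass
class Request:
    user: str | None        # None = no authenticated identity
    device_id: str | None   # None = unknown/unmanaged device
    source_ip: str
    mfa_verified: bool
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything originating inside the corporate network is
    trusted, so a phished workstation can reach every internal system."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Default deny.  Each request must prove who the user is, that they are
    authorized for this resource, that MFA was completed and (for sensitive
    resources) that the device is managed and healthy.  Returns (allowed, reason)."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if req.user not in USER_GROUPS:
        return False, "unauthenticated user"
    if not USER_GROUPS[req.user] & policy["groups"]:
        return False, "user not authorized for resource"
    if policy["require_mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["managed_device"]:
        device = MANAGED_DEVICES.get(req.device_id)
        if device is None:
            return False, "unmanaged device"
        if not (device["disk_encrypted"] and device["patched"]):
            return False, "device fails posture check"
    return True, "allowed"


if __name__ == "__main__":
    # Attacker who phished their way onto an office workstation, no identity.
    intruder = Request(None, None, "10.1.2.3", False, "voter-db")
    # Staffer working from home on a managed laptop, MFA completed.
    remote_staffer = Request("alice", "laptop-042", "203.0.113.5", True, "voter-db")
    for label, req in (("intruder", intruder), ("remote staffer", remote_staffer)):
        print(f"{label:15} perimeter={perimeter_decision(req)} "
              f"zero-trust={zero_trust_decision(req)}")
```

The two sample requests show the inversion the paragraph describes: the perimeter model lets the intruder on the office LAN reach the voter database while blocking the legitimate remote staffer, whereas the zero-trust evaluator reaches the opposite decisions because location is not an input. The reason string is what you would log for the detection team.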

In fact, security-conscious organizations are already moving to a zero-trust model. In the near future, they may choose to do business exclusively with vendors who are operating under a zero trust model internally.
