Report - Belfer Center for Science and International Affairs, Harvard Kennedy School

Cybersecurity Campaign Playbook

November 2017

Welcome

People join campaigns for different reasons: electing a leader they believe in, advancing an agenda, cleaning up government, or experiencing the rush and adrenaline of campaign life. These are some of the reasons we got involved in politics. We certainly didn’t sign up because we wanted to become cyber experts and we’re guessing you didn’t either.

We come from different political parties and don’t agree on much when it comes to public policy, but one thing uniting us is the belief that American voters should decide our elections and no one else. Our increasingly digital way of living and working offers new ways for adversaries to influence our campaigns and elections. While you don’t need to be a cyber expert to run a successful campaign, you do have a responsibility to protect your candidate and organization from adversaries in the digital space. That’s why Defending Digital Democracy, a project of Harvard Kennedy School’s Belfer Center for Science and International Affairs, created this Cybersecurity Campaign Playbook [PDF].

The information assembled here is for any campaign in any party. It was designed to give you simple, actionable information that will make your campaign’s information more secure from adversaries trying to attack your organization—and our democracy.

Good luck.

Robby Mook
Hillary Clinton 2016 Campaign Manager

Matt Rhoades
Mitt Romney 2012 Campaign Manager

P.S. Do you see a way to make the Playbook better? Are there new technologies or vulnerabilities we should address? We want your feedback. Please share your ideas, stories, and comments on Twitter @d3p using the hashtag #CyberPlaybook or email us at connect@d3p.org so we can continue to improve this resource as the digital environment changes.


Top Five Checklist

1. Establish a culture of information security awareness:

Take cybersecurity seriously. You are responsible for reducing risk, training your staff, and setting the example. Routinely update and patch all systems. Human error is the number one cause of breaches. Phishing continues to be a leading method of attack. Train your staff to be on guard for suspicious messages.

 

2. Use the cloud:

A big, commercial cloud service will be much more secure than anything you can set up. Use a cloud-based office suite that will provide all your basic office functions and a safe place to store information.

 

3. Use two-factor authentication:

Require 2FA for all important accounts, including your office suite, any other email or storage services, and your social media accounts. Use a mobile app or physical key for your second factor, not text messaging.

For your passwords, using a password manager is the best way to reduce risk. A password manager lets you generate and store long, random passwords that you don’t have to memorize—the program does that for you. If for some reason you don’t use a password manager, then create SOMETHINGREALLYLONGLIKETHISSTRING, not something really short like Th1$. Contrary to popular belief, a long string of random words without symbols is more difficult to break than something short, with L0t$ 0f $ymB01$.

 

4. Use encrypted messaging for sensitive conversations and materials:

Using an encrypted messaging tool for phones like Signal or Wickr for sensitive messages and documents means adversaries can’t get them if they hack into your email. Encryption scrambles the data, dramatically reducing the likelihood that someone can read your messages, even if they intercept the data.

 

5. Plan and prepare:

Have a plan in case your security is compromised. Know whom to call for technical help, understand your legal obligations, and be ready to communicate internally and externally as rapidly as possible.

 


The Playbook Approach

A bipartisan team of experts in cybersecurity, politics and law wrote this Cybersecurity Campaign Playbook to provide simple, actionable ways of countering the growing cyber threat.

Cyber adversaries don’t discriminate. Campaigns at all levels—not just presidential campaigns—have been hacked. You should assume that you are a target. While the recommendations in this playbook apply universally, it is primarily intended for campaigns that do not have the resources to hire full-time, professional cybersecurity staff. We offer basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement (although we include some suggestions that will require the help of an IT professional).

These are baseline recommendations, not a comprehensive reference to achieve the highest level of security possible. We encourage all campaigns to enlist professional input from credentialed IT and cybersecurity professionals whenever possible.

 

Introduction

Candidates and campaigns face a daunting array of challenges. There are events to organize, volunteers to recruit, funds to raise, and the relentless demands of the modern media cycle. Every staffer must anticipate unfortunate surprises like gaffes or a last-minute attack ad. Cyber attacks now belong on this list as well.

As campaigns have become increasingly digital, adversaries have found new opportunities to meddle, disrupt, and steal. In 2008, Chinese hackers infiltrated the Obama and McCain campaigns, and stole large quantities of information from both. In 2012, the Obama and Romney campaigns each faced hacking attempts against their networks and websites. In 2016, cyber operatives believed to be sponsored by Russia stole and leaked tens of thousands of emails and documents from Democratic campaign staff.

The consequences of a cyber breach can be substantial. News of a breach itself, compounded by a slow-drip release of stolen information, can derail a candidate’s message for months. Attackers overloading a website can lead to lost donations at key moments. The theft of personal donor data can generate significant legal liabilities and make donors reluctant to contribute to a campaign. Destructive attacks aimed at staff computers or critical campaign servers can slow down campaign operations for days or even weeks. Cleaning up the resulting mess will divert precious resources in the heat of a close race, whether it’s for president or city council.

For the foreseeable future, cyber threats will remain a real part of our campaign process. As democracy’s front line, campaign staff must recognize the risk of an attack, develop a strategy to reduce that risk as much as possible, and implement response strategies for that moment when the worst happens. While no campaign can achieve perfect security, taking a few simple steps can make it much harder for malicious actors to do harm. Ironically, the most sophisticated state actors often choose the least sophisticated methods of attack, preying on people and organizations who neglect basic security protocols. That is our primary reason for creating this Cybersecurity Campaign Playbook.

In today’s campaigns, cybersecurity is everyone’s responsibility. Human error has consistently been the root cause of publicized cyber attacks, and it’s up to the candidate and campaign leaders to weave security awareness into the culture of the organization. The decisions humans make are just as important as the software they use. Going forward, the best campaigns will have clear standards for hard work, staying on message, being loyal to the team—and following good security protocol.

Before we get into our recommendations, let’s quickly frame the problem:

  • the environment in which your campaign is operating;
  • the threats your campaign will likely face; and,
  • the importance of cyber risk management.

The Threats Campaigns Face

Unfortunately for campaigns and our country, foreign adversaries may think that harming or helping a particular candidate advances their national interest, whether that means creating chaos and confusion among American voters, or punishing an official who has spoken out against them. This may sound like thriller fiction, but the reality is that a sophisticated foreign intelligence service, cybercriminal, or hacktivist with a grudge against a candidate could decide that you or someone on your campaign is a target.

These are the sorts of threats managers and staffers have to realize are possible.

WHO'S HACKING?

Campaigns face information and cybersecurity threats from a wide array of actors. Lone “black hat” hackers and cybercriminals have tried compromising campaigns for reasons of personal gain, notoriety, or the simple desire to see if they could. Nation-states pose the most dedicated and persistent threat. Russian espionage groups known as “Fancy Bear” (APT 28) and “Cozy Bear” (APT 29) were implicated in the 2016 campaign hacks. The Chinese have focused much more on information gathering. They are believed to have been active in the 2008 and 2012 presidential campaigns, but there is no evidence they released any stolen materials. The North Koreans infamously retaliated against Sony Pictures Entertainment for producing the film, The Interview, by stealing and releasing company emails and wiping their systems. Heightening tensions with the United States could prompt more attacks in the future.

 

Managing Cyber Risk

Risk is best understood in three parts. First, there are vulnerabilities: weaknesses in your campaign that make information susceptible to theft, alteration, or destruction. Vulnerabilities can originate in hardware, software, processes, and in the vigilance level of your staff. Then there are actual threats: the nation-states, hacktivists, and other nonstate groups with the capability to exploit those vulnerabilities. Risk exists where vulnerabilities and threats meet. Lastly, there are consequences—the impact when malicious actors capitalize on unmitigated risk.

There’s little you or your campaign can do to prevent threats themselves—they are the result of larger geopolitical, economic, and social forces. What you can do is substantially reduce the likelihood that your adversaries will succeed by reducing your own vulnerability. Reducing vulnerability reduces risk—it’s up to you to decide which ones are most essential to address based on the possible consequences. For example, you may decide that the most damaging thing a hacker could do is to steal your candidate’s self research report. In response, you devote extra resources for secure cloud-based storage, use two-factor authentication, and restrict access to a small number of people. You may decide to make other documents on the campaign more widely available and less secure, since more people need them to do their jobs and they wouldn’t cause much damage if they were leaked.

There are technical aspects to risk mitigation, but what matters most is that you take a holistic approach. As a campaign leader, you must make fundamental choices, such as who has access to information, what information is kept or discarded, how much time you devote to security training, and how you behave as a role model. As a campaign professional, risk management is your responsibility—both technical and human. It’s up to you to decide what data and systems are most valuable and what resources you commit to protect them.

Securing Your Campaign

Our security recommendations are organized according to three principles:

1. Prepare: The success of nearly every one of the Playbook’s recommendations depends on the campaign manager creating a culture of security vigilance that minimizes weak links. That means establishing clear ground rules that are enforced from the top down and are embraced from the bottom up.

2. Protect: Protection is critical. When you discover you have a security problem, it is already too late. Building the strongest defenses that time and money allow is key to reducing risk. Internet and data security works best in layers: there is no single, bulletproof technology or product. A few basic measures used in combination can make a campaign’s digital architecture more difficult to breach and more resilient if compromised.

3. Persist: Campaigns now face adversaries with ever-increasing levels of resources and expertise; even the most vigilant culture and the toughest infrastructure may not prevent a security breach. Campaigns need to develop a plan ahead of time to deal with a breach if one occurs.

 

Some campaigns have more time and money for cybersecurity than others. That’s why our recommendations offer two tiers of protection: “good” and “enhanced.” The “good” tier represents everything a campaign must do to have a minimum level of security. Using the “good” recommendations in a piecemeal fashion will leave you vulnerable. You should always aspire to do more as time, money, and people allow, which is why we recommend using the “enhanced” level whenever possible. If you have the resources to get reputable, trained IT support, it’s money well spent. Threats are constantly evolving and professional IT services will help get you beyond what this playbook provides and keep you abreast of the latest threats and solutions.

 

Management
Campaign managers need to take responsibility for their cybersecurity strategy, but most will delegate development and supervision to a deputy or operations director. It’s important that cybersecurity is tightly integrated into HR and IT work, since correctly onboarding staff, provisioning hardware, and controlling permissions will be critical to your strategy. Many small campaigns will rely on volunteer support for IT and cybersecurity. You can use this playbook to guide your discussion with your volunteer support. The key is to carefully vet the volunteers who support you and carefully control access, so that volunteer support doesn’t create new vulnerabilities. You should make sure a campaign staffer is supervising IT work and controlling permission to access different systems. 

When To Start
Whatever support model you have, cybersecurity should start on Day One. What follows is a “top five checklist” of measures that are absolutely vital. Make sure these are in place at the very beginning, even if there are just one or two staff, then complete the other “good” recommendations as soon as possible.    

Cost

A lot of what we recommend here is free or very low cost. In fact, everything on our top five list is free, except getting a cloud-based platform, which will only cost a few dollars per month per employee. High target campaigns will need to budget enough resources for hardware and software to execute a responsible strategy, but this should still be a very small percentage of a multi-million dollar statewide campaign budget. Smaller campaigns will be able to execute the recommendations here for a few hundred to a few thousand dollars depending on how many staff or volunteers work on the campaign.

Any references to vendors and products are intended to help provide examples of common solutions, but do not constitute endorsements. If challenges arise when implementing products or services, we encourage you to reach out directly to the vendors, who can usually provide user-level technical assistance. When it comes to product and service selection, we encourage every campaign to consult with a cybersecurity expert or conduct independent research to find the best product for their needs.


The Vulnerable Campaign Environment

Today’s campaigns are uniquely soft targets. They’re inherently temporary and transient. They don’t have the time or money to develop long-term, well-tested security strategies. Large numbers of new staff are often onboarded quickly without much time for training. They may bring their own hardware from home and the malware lurking on it.  Events move quickly, the stakes are high, and people feel that they don’t have time to care about cybersecurity. There are a lot of opportunities for something to go wrong.

At the same time, campaigns rely more and more on proprietary information about voters, donors, and public opinion. They also store sensitive documents like opposition research, vulnerability studies, personnel vetting documents, first-draft policy papers, and emails on various servers. The risks of a potential attack are increasing and so are the consequences.

THE DANGER OF AN ATTACK

Picture this: It’s a month before Election Day, and the race is tight. You arrive at headquarters early, fire up the coffee maker, get to your desk, and log into your computer. A black screen pops up, then a gruesome cartoon of your candidate, followed by a message. Your hard drives have been wiped clean. Every digital bit of information you’ve gathered—memos, targeting lists, balance sheets—is gone. Getting it back, you read, will cost a cool million in Bitcoin and the renunciation of a major policy position.

An unidentified group hacked into your computer months ago, and has been quietly stealing emails, strategy memos, donors’ addresses, and staffers’ Social Security numbers. The group has spent weeks combing through the bounty in search of dirty laundry and created an easy-to-use website dedicated solely to distributing the highlights. Prominently featured is a lengthy “self research” book on your candidate. For now, the campaign’s website is down, its social media accounts have been suspended for pushing out lewd images, and there’s not a working computer in sight.


Steps to Securing Your Campaign

STEP 1: The Human Element

 

Cybersecurity is fundamentally a human problem, not a technical one. The best technological solutions in the world will have no effect if they are not implemented properly, or if they are not continuously updated as technology evolves. Successful cybersecurity practices depend on creating a culture of security awareness.

GOOD: What You Need to Do

  1. Establish a strong information security culture that emphasizes security as a standard for a winning campaign. Just as campaign staffers are instructed not to take an illegal donation, employees should know to avoid clicking on links or opening attachments in emails from unknown senders.
    • Onboarding: Provide basic information security training when you onboard new staff. You can distribute the Staff Handout at your training.
    • Trainings: Make security part of all your ongoing staff trainings, such as senior staff retreats or GOTV trainings. Provide additional training for those in sensitive roles, such as the candidate, press staff, senior staff, and anyone with system administrator privileges on your network. Managers should require that the most important people in the campaign—including the candidate—have their security settings checked by whoever runs IT (that may be the manager herself).
    • Set the example: Senior campaign staff and the candidate must take a visible leadership role, advocating for cybersecurity during trainings. Senior staff should provide periodic reinforcement of cybersecurity’s importance to junior staff in meetings and on calls. Don’t just have technical experts conduct trainings. The campaign manager or operations director can be a more powerful messenger precisely because they’re seen as less “technical.”
  2. Train and educate your staff to be on the lookout for phishing. Phishing attacks against campaigns are on the rise and continue to be a primary method used by malicious actors. Train your staff to be suspicious of any email asking for information, or claiming they need to click a link to reset their credentials. Sophisticated phishing attacks may come from spoofed or compromised senders that appear legitimate. Encourage staffers to share anything suspicious with you or your IT staff. The more people share, the more confident you can be that they’re being vigilant and the more intelligence you will have. The overall rule of thumb should be to “think before you click”, but we’ve included three key points you can remind your staff about when you train and re-train. Training should emphasize best practices such as ‘hovering’ over a link to identify the actual URL, expanding email details to confirm the email address of the sender, and using a different communications channel such as a quick phone call to confirm authenticity of the sender and email contents. 2FA is another important way to prevent a spear-phishing attack from leading to an account compromise—just having your username and password will not be enough to access your account. As part of the campaign’s strong security culture, senior staff should recognize and praise anyone who reports suspicious behavior on their system or admits to clicking a potentially malicious link.

    • Phishing can happen on the phone, too! Staff should never share information, wire money, or give anything else away on the phone if they aren’t certain who the caller is. Make staff aware of the threat and train them to listen to how the caller greets them and to ask questions that outsiders may not be able to answer. You can easily test your staff on phishing calls—and your friends will enjoy doing it!

  3. Conduct a thorough vetting of staff, volunteers, and interns—anyone requesting access to campaign information—to avoid giving credentials to someone who wants to steal or sabotage your systems. Establish a definition for sensitive information and rules for its use. For example, you could choose to classify all polls, research materials, strategy memos, and related emails as “sensitive.” Prohibit the transfer of sensitive information on communication channels that aren’t managed and secured by the campaign. You can require that it be transferred only through encrypted messaging (see Step 2).
  4. Confirm that consultants and vendors with access to sensitive information have secure email and storage (see Step 2). When in doubt, require vendors and consultants to use an account on your cloud-based office suite (See Step 2).
  5. Control access to important online services, such as the official campaign social media accounts, to prevent use by unauthorized individuals. Make sure that those who leave the campaign can no longer access campaign-related accounts. You can do this easily by using a social media account management tool that acts as a gateway to all your accounts. If someone leaves the campaign, you should immediately disable their account.

"THINK BEFORE YOU CLICK"

PAUSE before you click on a link within an email to check what address the email is coming from and to ask yourself if the email is suspicious.

CONFIRM that a request for information, money, personal information, passwords, documents, etc. is legitimate by following up with the person requesting, ideally in person, or at least by phone.  Never give your password or personal information over a link.

REPORT anything suspicious to your leadership by forwarding any email that’s remotely questionable. Make sure you flag it as “suspicious” (e.g., in the title) so that no one else inadvertently acts on a malicious email.