As you read this, hackers all over the world are sharing successful phishing scripts with each other and composing messages that will open the door to the next big breach. One of their main targets? American politics.
Question:
Who is the only presidential candidate who even employs a cybersecurity chief?
Answer: No one (it used to be Pete Buttigieg, but his cybersecurity resigned in January.
Are political candidates asking for trouble by not taking their own cybersecurity seriously?
With primary season ramping up and the November election looming, candidates running for any office would be wise to take a play from people like digital campaign director, Lisa Kaplan, founder of the Alethea Group.
When Kaplan ran Senator Angus King's reelection campaign in 2018, she regularly sent phishing emails to members of her own staff in order to see who would click. This proactive approach beat the hackers at their own game and identified which staff members could use additional training spotting malicious emails.
This year, in addition to email phishing attempts that try and gain access to a candidate's private files (like the successful one that nabbed Hillary Clinton's internal campaign emails) there will probably be an increase in phone SMS phishing attempts as well (similar to the method used to hack Jeff Bezos' phone).
There are several reasons why political campaigns are often easy targets for bad guys.
1. They rely on a volunteer base of BYOD (bring your own device) workers.
2. They organize and grow quickly--leaving little time for thorough security monitoring or cybersecurity training.
3. They often hold troves of sensitive (read: valuable) data on both candidates and their constituents.
As first reported by NPR, 2020 political campaigns have a right to be paranoid when it comes to digital security.
Add this concern to the voting machine vulnerabilities exposed at last year's DEF CON hacking conference, and it's a valid concern for both donors and voters this year.
What Can Be Done to Make The Data Collected By Political Campaigns Safer?
First, the responsibility falls on campaign managers to do everything in their power to secure laptops and mobile devices used by campaign workers who handle sensitive information.
This would include:
A. Enabling MFA (multi-factor authentication) and password managers on all campaign-approved devices.
B. Educating staff with random phishing tests and possibly even requiring them to pass a baseline digital security exam before starting work.
C. Invest in mobile device management (MDM) to quickly bring workers into compliance.
Also, campaign donors and potential voters must push for complete transparency when it comes to where and how candidates are storing their personal info. Candidates are motivated to comply. Data breaches are not just inconvenient and embarrassing--they could even cost someone an election.
