One project goal is to replicate the kind of information-sharing culture that exists in major industries where cybercrime is a constant concern, one that encourages collaboration in the face of threats and using best practices despite an inherently competitive culture.
“That’s what we’ve got to do in politics, and that’s why Matt and I believed it was so important to take a bipartisan approach,” said Robby Mook, who managed Clinton’s 2016 campaign. Mook will lead the project along with Matt Rhoades, who ran Romney’s 2012 presidential bid.
The idea for the project stemmed from Rosenbach’s experience as the Defense Department’s lead on cybersecurity issues during his time as chief of staff to Defense Secretary Ash Carter from 2015 to January 2017. While U.S. cyber defense efforts do protect the country from many serious threats, the dangers facing political campaigns are continuously evolving and require both vigilance and nimbleness, qualities that organizations outside the federal government may more readily bring to bear, he said. Without the potential stigma of a party affiliation, an independent body might more easily bring together stakeholders on both sides of the aisle, said Rosenbach, who is the Belfer Center’s co-director with Carter.
A collaboration of the Belfer Center, the Institute of Politics and the Shorenstein Center on Media, Politics and Public Policy, the project over the next two years will develop playbooks containing practical, low-cost advice and will work toward proposing technology-based tools, legislative fixes, and foreign policy remedies to encourage deterrence. In November, the project produced a cybersecurity playbook for campaigns. The project will release a playbook this spring that will offer guidance and best practices for mitigating threats.
Top-five checklist
Recommendations from the Cybersecurity Campaign Playbook
-
SET THE TONE
Take cybersecurity seriously. Take responsibility for reducing risk, train your staff, and set the example.
-
USE THE CLOUD
Use a commercial, cloud-based suite for basic office functions and to store info.
-
REQUIRE 2FA
Require two-factor authentication for all key accounts, including email and social media.
-
CREATE STRONG, LONG KEYS
A long string of random words makes a better password than something short with L0t$ 0f $ymB01$.
-
PLAN AND PREPARE
In case of a breach, know who to call for technical help, and understand your legal obligations.
Though political dirty tricks, like cyber intrusions and data theft, are not new to campaign veterans, the 2016 breaches of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee, and the personal email account of John Podesta, Clinton’s campaign chairman, brought a sense of urgency to having top-notch cybersecurity.
Mook noted that while the campaign took great care to protect against sabotage by political opponents or intruders looking for valuable information to use for espionage purposes, “I don’t think anybody was imagining that a foreign country would steal the information and then release it out to the media.”
The Russian cyberattack taught him that “it didn’t just matter how secure our campaign was, it mattered how secure the other organizations we work with are. So, the DNC, John Podesta’s personal email account — they were all good places for adversaries to find ways to hurt us. And so it really opened my eyes to how important it was to have a cybersecurity strategy that covers risk across a number of different surfaces, not just the one you directly control,” said Mook.
Getting campaigns to protect themselves properly won’t be easy, analysts caution. Though there’s plenty of expertise and goodwill among the cyber and tech communities to do their part to safeguard elections, Mook argues, political operatives are at a distinct disadvantage because they’re typically poorly resourced ad hoc organizations going up against sophisticated international intelligence agencies.
“Some of the best hackers in the world are taking on campaigns that are run by people who just learned what the word ‘cybersecurity’ meant a few years ago,” he said. “It’s not a fair fight.”
“One of the things that I’ve found incredibly challenging is the whole nature and structure of these campaigns,” said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, the firm that first identified Russian hackers as behind the DNC email server breach.