How can cybersecurity issues bite a political campaign in the tail? Just ask Newt.
In late 2011, as the primaries picked up steam, a Democratic political action committee (PAC) bought the rights to newtgingrich.com and used it to send up a series of cutting spoofs. (The candidate’s real site is newt.org.) The site redirected to high-end jewelry company Tiffany’s (where Gingrich had a $500,000 line of credit), to mortgage lender Freddie Mac (where he had a lucrative consulting contract), and to a range of unflattering articles. The PAC, called American Bridge, even offered to sell the site to the highest bidder, saying it couldn’t give it away for fear of its members being branded socialists.
How did this happen? The Gingrich team simply failed to renew the domain when its license expired, and the PAC snapped it up. The saga of newtgingrich.com highlights an emerging issue on the campaign trail. As candidates rely more on blogs, social media and online campaign contributions, their IT teams are under mounting pressure to ensure that all cyberconnections are locked down.
To understand the digital threats to political campaigns, it first helps to understand what factors come together to make candidates — and their platforms and messages — such tempting targets.
First, there’s the money. Campaigns have become adept at collecting contributions online, a practice that has grown considerably from just a few campaign cycles back. At the same time, IT managers have zealously built up databases of past donors who can potentially be tapped as future needs arise, along with their credit card information.
This combination of more online giving and rich databases full of donor names and financial information makes a tempting target for phishing or direct exploitation of stockpiled credit card data.
Even more enticing than money is power, said Ed Skoudis, SANS Institute senior instructor and cybersecurity expert. “This is how the electorate makes its decisions, how leaders are selected, so if you wanted to sway the electorate or public policy, one way to do that is by manipulating elections,” he said. “I can take small actions to have big effects. I just have to type in a few key strokes. It’s high profile, it has built-in publicity. There are all kinds of press. So if you want to make a splash, this is a great opportunity.”
One more element? How about road rage? Some candidates speak out against hackers, propose new cybersafeguards, or question present practice in Internet usage. They want to change the rules of the road. “And some people don’t want those rules of the road changed. They don’t want any rules of the road,” Skoudis said. Candidates who cross the hacker group Anonymous and similar organizations risk cyberwrath.
With these and other motivations looming, cyberattacks against candidates can come in many forms.
Pick Your Poison
At security provider McAfee, Vice President of Government Relations Tom Gann said the most dangerous attacks can be those that target players within the campaign itself. Called an “advanced persistent threat,” this sort of highly strategic initiative opens a back channel into the inner workings of a campaign.
The attacker typically emails a campaign worker; launches an attack from within the email; and effectively sets up a pipe directly into the campaign through which to collect information on vulnerabilities, messaging and other key elements of the opposing team’s strategy.
Denial of service (DOS) also is a significant peril. “Maybe all you need to do is just shut the systems down in those last days of the campaign,” Gann said. DOS can cut off cash flow or squelch information at critical moments.
“A political campaign is all about messaging, and if you can’t get your message out, that’s it, you’re not really campaigning anymore,” Skoudis said. “If it happens right before the election, it could have really significant consequences.”