This sets campaign security apart from its corporate counterpart. “If an e-commerce site is offline for a few hours, they can recover, unless it’s right before Christmas,” said Jeremy Epstein, a computer security researcher at SRI International and technical adviser to nonprofit lobbying organization Common Cause. “If a campaign site is offline at critical junctures — right before the election, right before contribution deadlines — the impact could be much worse,” he said.
While a DOS attack can interrupt the information flow, an equally dangerous exploit would be to radically deface information, by invading blogs, for instance, or by infiltrating a Web page.
“Campaigns face the threat of having false messages injected into the media by hackers,” said Lt. Gen. Harry Raduege Jr., chairman of the Deloitte Center for Cyber Innovation and a former director within the U.S. Defense Department. “Before the error is caught, significant damage can occur, which then escalates into valuable time being expended to supply correct messaging across multiple media sources and in trying to reverse negative impressions and perceptions.”
Such false messaging falls under the general heading of hacktivism, a broad term that refers to the use of illicit cyberstrategies to advance political ends. This is perhaps the most dangerous threat when it comes to political campaigns, because hacktivism doesn’t just disrupt money or messaging. It threatens the very system.
“To the degree that actors in a democracy start using cyberattacks to further political ends, it pollutes the kind of civil society we are supposed to be seeking,” said McAfee’s Gann.
Perilous as it may be, hacktivism also is the most visible among the evolving cyberthreats posed to political campaigns.
“Four years ago, we didn’t have nearly as much of this as we have seen in the last year,” Skoudis said. “Anonymous has shown that you can get a lot of press doing these things. You can achieve real goals here.”
Since the last election cycle, campaigns’ growing reliance on online donations has opened a new avenue for those seeking personal gain. Blogs and social media create new opportunities for attacking content, while sophisticated infiltration tools are making it possible for invaders to gain greater access to inside information culled from campaign servers.
As in the corporate world, campaigns also have come to rely more on mobile devices, thus opening up systems to a range of potential threats.
Before considering the options when it comes to prevention and remediation, it’s important to consider one further element that separates a campaign’s cyberneeds from those faced by users in the corporate world.
While no one in the world of IT would choose to dawdle in the face of a cyberbreach, speed is an even greater consideration in the realm of political campaigns. Campaigns happen in real time, unfolding not only in a matter of days but sometimes hours.
Think about candidates like Herman Cain or Rick Santorum, who came from nowhere to become leading candidates in the span of a week or so, Epstein said. “Suddenly their websites became high-profile targets — but without months and an appropriate budget to plan for it.”
Against this backdrop, careful planning and speedy remediation become critical elements of any cyberstrategy.
Building the Bulwarks
Campaign security begins at the level of policy, said Mark Patton, general manager of the security business unit at GFI Software.
Candidates and senior staff “need to set the tone for Web policies in the office and on the road to make it clear that IT and Web security are priorities of running a successful campaign,” Patton said. “Policies need to be created, socialized, approved and supported from the highest levels of the campaign. Make them official and discuss them often for them to hold weight, especially amongst an environment of nonpermanent staff.”