Such policies should address the fundamentals of security: acceptable use, Internet access, email and communications, and network security. Of special concern is the emerging realm of BYOD, or bring your own device, with risks including patching gaps, operating system vulnerabilities and lack of local protection. “In many cases with personal devices, the employee or volunteer can walk out the door with it because it’s their device, and it may contain sensitive or proprietary information that is not adequately protected,” Patton said.
At Solera Networks Research Labs, Director of Threat Research Andrew Brandt takes this one step further. Beyond policies limiting or governing BYOD, he recommends that campaigns ban all forms of small removable media drives. “They are too easily lost, capable of holding large amounts of data, and the temptation to put sensitive information on them can be great at times,” he said.
Brandt also advises full-disk encryption on all campaign laptop hard drives and recommends that IT make a secure, patched baseline image for all campaign computers, then reimage those computers at least every couple of weeks. “It might be a hardship, especially because it will require campaigns to update the drive images frequently to account for software and operating system updates, but this is an easy way to prevent malware infections from persisting on a campaign computer,” he said. This rule is doubly necessary for the personal laptops of the candidate and his or her family.
In an even more direct defensive action, Brandt said it makes sense to take campaign assets out of the most obvious line of fire. Most attacks today are directed at Windows systems, generally because of the ubiquity of these systems. To minimize the risk, put everyone on Linux or Mac. That’s one whole front shut down.
Candidates also can take a cue from the corporate world by protecting their online reputation through strategic domain acquisition. (Just ask Gingrich.) Beyond the dot-com, dot-org and dot-net options, it makes sense to snap up not just BobSmith but also BobSmithforPresident and related domains. And a little defense goes a long way. Consider disney-sucks.com, allstateinsurancesucks.com and oreilly-sucks.com. Bob Smith might do well to buy dot-suck pre-emptively.
When it comes to safeguarding critical campaign information in the cybersphere, the safest approach may be simply to keep it out of the cybersphere altogether. “There may be some documents you don’t want to put in digital format,” Gann said. “You might not want to put your most recent internal poll results in digital format, or maybe you have other key strategy documents. These are judgment calls, but that’s where being aware of the threat landscape becomes so important.”
In spite of safeguards, breaches will occur. When it comes to remediation, the expert consensus is clear: Come clean quickly and thoroughly.
“The first step if faced with some sort of cyberattack is to call in IT security pros to make sure that the hole is closed,” Patton said. “The second step should be to notify whoever has been breached — whether they be donors, agencies, supporters. Be apologetic and forthright, and explain how the issue is being remediated. Time and again, breached organizations wait too long to notify affected customers and stakeholders. Inform anyone who may be impacted immediately. It’s the right thing to do.”
Meanwhile, there’s former candidate Gingrich and his newtgingrich.com problem.
Gingrich had options. He could have filed a domain name complaint based on the Uniform Domain-Name Dispute Resolution Policy, but victory was by no means assured. He’d have had to prove that the PAC was using the name in bad faith, while the PAC could have claimed it was broadcasting legitimate political satire. All that would have taken time.
Instead, the candidate let things stand. As the campaign wound up, the website was still redirecting to shouldnewtgingrichdropout.com, which delivered a great big “Yes” midscreen along with Facebook, Twitter and email buttons for those wanting to share that sentiment.
Gingrich lost. Did the domain grab sway voters? There’s no easy way to tell. But it’s a fair bet the spoof did not help.