Political campaigns live in a dangerous digital world. Plenty of people (and bots) want to see what we keep secret, from a donor’s credit card number to those blunt internal emails. But too many campaigns blow off security entirely, in part because as organizations they are ephemeral affairs. Pressed for time and short on staff, they hand out login credentials to volunteers without question, never change passwords and happily use free public wifi for the most sensitive internal tasks. If they get hacked, phished or see their servers go down, they’ll be stranded in a smoking ruin without a clue.
One solution? Big political fundraisers, including the party committees, PACs and high-dollar individual donors, should not give money to campaigns unless they implement basic cybersecurity technology and protocols. That idea comes from Brian Franklin of Campaign Defense, who laid it out at a cybersecurity happy hour discussion sponsored by Campaigns & Elections earlier this week. If the DNC and NRCC hacks haven’t convinced the political world to take security seriously, perhaps a nuclear threat will — and nothing says “serious” like “I will not give you money.”
Campaign hacks are nothing new: the first Epolitics.com article highlighting a possible DDoS attack on a political campaign appeared in 2006. In 2018, campaigns join EVERY online business, nonprofit group and individual internet user as a potential target for hackers. Could a pledge from enough of the significant donors to withhold cash encourage enough campaigns to invest in at least basic preventive measures like two-factor authentication and VPNs? Next up: a cybersecurity certification program for campaigns, plus enough security firms to actually serve the potential market. I’ll leave the creation of those as an exercise for the reader.