Political Campaigns and Data Security

It's no secret that political campaigns are not particularly good at maintaining cybersecurity. From the NGP Van hack earlier this election cycle, back to allegations of Chinese hacks in the 2012 campaign, voter data platforms that campaigns rely on have been known to be vulnerable to security blips.

Mostly, it has been leaks of basic data from actual voter and donor data aggregators, which might make your street address available to anyone who is willing to look through the list. Those breaches can lead to easier phishing for hackers, and maybe even credit card numbers being disseminated, but there may be broader potential consequences of weak campaign data security.

Political campaigns are usually on tight budgets and are much more focused on campaign mechanics than cybersecurity, which to them feels like something outside their realm of expertise, so they spend little time thinking about what's happening to their data. There is a wealth of talent in the technology industry and a raging conversation about encryption and cybersecurity in general, yet campaign data remains vulnerable. Political campaigns may be talking about the Apple/FBI controversy or the vulnerabilities of Hillary Clinton's private server, but they're not paying enough attention to their own data security.

There's a colorful history of voter data leaks. In this election alone, Georgia and Iowa had leaks of voter data that included street addresses and more. The Georgia leak was apparently a clerical error and the Iowa one was apparently human error as well.

The DNC's security issue with NGP Van that originally had the Sanders campaign in hot water brought this conversation about campaign data security into the public eye for a quick moment. At the end of 2015, a dark web stash including the voter data of over 190 million voters was found, which could only have been taken from a major voter-tracking database.

Campaigns often consolidate everything on one platform, with various degrees of segmentation. As we learned with the NGP Van mishap that caused controversy for the Sanders campaign and the DNC in general, having the entire Democratic Party's voter data housed in one place creates some risk. While NationBuilder was quick to critique NGP Van in saying that their platform has more segmentation and would never allow that kind of data flow problem, they were linked to some leaked data from the big dark web stash. It seems that nobody is immune in the campaign software space, and we shouldn't be surprised.

Here's the nightmare scenario: It's two days before election day. One party's entire campaign voter-tracking platform mysteriously shuts down. A third party, whether another country or a non-state group, has hacked and attacked the platform. They decided, for whatever reason, that they don't want that party to win the election. Without access to their voter data, the party will have trouble knowing which potential voters to reach out to, so voter turnout for them will likely be lower in impacted districts. The third party will have access to all the voter data and could send out materials to otherwise interfere in their voting that day. The information doesn't include Social Security Numbers, but it might include credit card numbers or other personal information that would make phishing much easier. A whole group of potential voters suddenly could have their accounts hacked on election day, with a political purpose behind the hacking. Outside forces could significantly interfere in U.S. elections.

That's obviously an unlikely scenario at the margins of what's plausible, but it is still possible. The bad news is that political campaigns have not paid enough attention to cybersecurity. The good news is that if they were to decide to, campaigns could likely make huge strides in protecting their data. NationBuilder and NGP Van are working on data security, and their competitors are too. One of the likely reasons the data has not been made more secure so far is because political campaigns have not committed to spending the time and money. If they did, the industry would respond with the tools to do the job. The cybersecurity industry is in the midst of real growth so it's time to harness that energy into the political campaign sector, which not only handles tons of data about individuals, but also is relied on to oil the gears of the democratic process.

Technology is front and center in political campaigns now, with voter-tracking software, email marketing, and social media all heavily relied on, so let's make sure the back-end isn't ignored.