co-authored by Dr. Stephen Bryen, Founder & CTO FortressFone Technologies
Americans are deeply immersed in social media, email, texting and the use of all kinds of APPS either to share information or carry out tasks. Today's political campaigns are also using these tools. Since the presidential race is in full swing, we thought we'd be extra patriotic this Fourth of July and offer free advice as to how the campaigns can protect against cyber breaches and take downs.
Suggestion #1. Do not use web based email, even encrypted web based email. All web based email passes through servers controlled by the companies who offer the service, sometimes for free (like Google and Yahoo) and sometimes for a fee. What really matters is that anything that passes through a third party server is a big risk. Given that folks get pretty spun up over ideological and political issues, even the most security conscious companies can't really control their employees. The insider threat is greatest where sensitive information is exposed. Web based email lives off revenue that is generated by key words that are "read" by machines and the information passed to advertisers or anyone who wants to buy the information. Thus if we plug in the word "Liberal" as a key word, we will automatically know who the "Liberal" folks are on the email system. That's for starters. Then you come to the problem that someone wants to know what a particular campaign is doing, or planning, and plugs in a key word such as a candidate's name, and then harvests the information. From this, one can deduce who are the active supporters and what they are up to. This where the trouble starts.
Instead of web based email, set up your own server and make sure the server is well protected by a firewall and by some form of two step authentication for the users. Every campaign should have its own server for email and should make sure it is under their full control and carefully monitored.
Suggestion #2. Do not use Skype, Hangouts or any other "free" service for conferencing. In fact, don't use any web based conferencing, even if it is paid. Set up your own conferencing and your own server. Listening in on Skype, for example, has been a favorite past time for NSA, but it is also easily hacked by anyone with technological sophistication. There is sure to be a big secondary market in intercepted Skype calls, with all kinds of juicy bits either offered up at no cost or bought by desperate candidates, probably using cutouts. Avoid the problem.
Suggestion #3. Do not use any APP on your cellphone unless you are sure it is clean and safe, and above all, don't use any APPS you get from the Apple Store or Android Play Store. These APPS often steal your information such as your contacts lists or schedule, or report your location. It is astonishing how many "permissions" APPS ask for that have nothing to do with their functionality. This is a tip off that the APP comes with an ulterior motive. To make matters worse, many of the APPS out there are buggered and have malicious code attached to them in the form of malware and spyware. It is very hard to tell what APPS are clean and which are not. Avoid them all. If you have designed a special APP for campaign use, it is very important to test its integrity and make sure it is not leaking vital information. And the APP should not be distributed in a public way.
Suggestion #4. Be careful about cell phone calls, especially if you are in a public area such as an airport, coffee shop, hotel or restaurant. Today there are lots of cheap IMSI catchers around. An IMSI catcher is a tool that pretends to be a cell tower. Your cell phone is built to look for the strongest cell phone signal and connect to it. An IMSI catcher if it is nearby will appear to the phone like a strong signal and it will connect to that "tower." Then the IMSI acts as a man in the middle: it grabs your call and connects you to a legitimate cell tower and then to the person you are connected with through the phone company. Meanwhile the IMSI can record your entire phone conversation.
Suggestion #5. Avoid public WIFi. Public WiFi is very dangerous because it is not encrypted in any way. Whatever you do across a public WIFI connection is easy to intercept. Like the IMSI catcher it is also common these days for snoops to set up what looks like a public WIFI to snare your connection, even on airplanes or trains. This means that you are connected through a snooper to the external network and everything you do or say across the WIFI can be picked off. You are far better off using the data connection from the telephone company than using the data connection of a public WIFI.
Suggestion #6. Consider secure Smartphones for communications at the top levels of a campaign. The best secure phones both encrypt the conversation so that if it is intercepted it can't be listened to, and protect the phone from malware and spyware. Be aware that most secure phones work through servers, and the people who run the servers, if they are third party, may or may not be reliable. Be careful here and consider running your own secure phone server.
Suggestion #7. Train your staff to follow sound cyber security procedures in all their activities. Training is very important for two reasons: it helps reduce the chance of human error which is one of the biggest sources of security compromise and it makes people alert to intrusions and threats. Being ready for various threats is very important. A denial of service attack could close down a campaign because all its messaging and communications could be blocked. Knowing what to do when that happens and having alternatives in place means your campaign will not be shut down.
Suggestion #8. Vet companies you hire to provide cyber services and carefully check who their customers are and whom they employ. The first rule is to ask for a list of a cyber security company's customers and their employees. Then hire a private investigations firm to check them carefully. Outsourcing cyber security support may be very necessary, but it is also risky. One ringer in the bunch and your campaign could be badly compromised.
Suggestion #9. Make sure that all campaign personnel who have social media accounts clean them before they come on board. Set rules on what is allowed or not allowed during the campaign. People today are very careless on what they post on social media. People "tweet" before they think, and Post before they consider the consequences. They also give out too much personal information, location information, even family information that might be used by an adversary. Rules are very important to help mitigate this risk, and monitoring is not only important but probably mandatory.
Suggestion #10. Keep your most strategic documents, membership lists, and other vital data off line on computers that are not connected to the Internet. This is the best way to keep your campaign plans safe. It is also a good idea to encrypt everything, even what is offline. One of the cottage industries in Washington DC is for office cleaning crews to be accompanied by intruders and poachers who download everything they can from office computers. If the material is encrypted, then it has no value to any intruder. Be safe; not sorry.
Suggestion #11. Don't allow cell phones or tablets in any meeting you have. Cells phones and tablets are walking time bombs. Their microphones and cameras can be switched on by spyware and can listen in and record your meetings and conversations. And if there is a computer in the room, unplug it! Even when not having a conversation make sure your webcam is unplugged (if you can) or covered if you can't.
Above all, remember that a political campaign is like any other business or organization in that it must be operated in a responsible way. If your campaign lacks cyber security you are not only hurting your chances for election but you are hurting your cause and bringing potential harm to colleagues and friends. Cyber security is not only very important in political campaigns - you can't succeed without it.