Political Campaigns and Cybersecurity Risk

Long before recent reports on the (very probable) Russian intelligence-led hack of the Democratic National Committee and public exposure of internal emails, political campaigns were already faced with cybersecurity threats. This post offers some preliminary thoughts on why political campaigns are at risk, and how that risk compares to the risks faced by the private sector.

In business, cybersecurity technical and legal advisors routinely counsel clients to develop a strategy that focuses on protecting systems, detecting threats, and remediating thefts or disruptions. Businesses weigh their risks based on a variety of factors, including but not limited to: the type of information the company holds; the sensitivity of proprietary data; the amount of money and infrastructure the company has available to devote to cybersecurity; and, the breadth of human and technical access points to data. Legal and regulatory risks can vary based on a company’s size, history of data thefts or leaks, and whether the business is in an industry with heightened regulatory restrictions, such as the financial or health sectors.

Political campaign cybersecurity, from a regulatory perspective, is in somewhat of a no-man’s land. Other than a potential lawsuit from a victim class (which have not been particularly successful to date), no government entity appears to be focusing its work on instituting fines and restrictions on political campaigns based on their cybersecurity posture. Unlike the Federal Trade Commission (FTC) and Securities Exchange Commission (SEC) heightened scrutiny of the private sector for cybersecurity lapses, the Federal Election Commission (FEC) has not appeared to be monitoring the cybersecurity of political campaigns. In fact, in recent years, the FEC’s own cybersecurity practices and preparedness have come under question.

And yet the cybersecurity risks for political campaigns are sky high.

Political campaigns collect and retain a lot of information. With respect to internal information, campaigns retain sensitive communications, such as emails between candidates, advisors and staff. Exposure of this type of information, as we have seen from the DNC email theft, can be damaging to the candidate, the party and individuals involved. Public release of internal information from a campaign can potentially affect the integrity of the political process itself, as we have witnessed this week with the fallout from the DNC hack and email exposure.

Campaigns also retain fundraising information. Campaigns hold the names, personal information and financial stake of large donors, who may or may not want the extent of their support exposed through channels other than mandatory reporting. They also hold the names, personal information and credit card information of small donors – private citizens who might make a modest contribution and, just like transacting any personal business, expect that their payment information will be held according to reasonable security standards. The same harm can befall an individual citizen donor if their payment information is revealed through a campaign security breach as through a retail breach.

From an individual personal privacy perspective, campaigns – from the local to the national level – hold information such as responses to questionnaires and voting preferences of individual households. Voters who answer their door may not even know that through a variety of new digital campaign tools, campaign volunteers may be collecting their views on a candidate or issue to enable the campaign and local political party to gauge voter participation levels and preferences. Individual campaigns as well as local political party organizations should pay more attention to evaluating whether information they collect and hold about members and voters qualifies as personal information, and take appropriate measures to protect it.

From a costs perspective, companies generally operate according to a business plan, with a sound understanding of their own cash flow and financial situation. Start-ups or very small businesses might have a hard time projecting how much money they have available to budget for information security and cybersecurity. But even they should be able to identify cost-effective measures scaled to their business model and industry that provides basic cybersecurity preparedness.

Unlike businesses, however, campaigns generally operate in a less predictable and less stable financial environment. Campaigns have an unpredictable cash flow. While each dollar in a local campaign is particularly precious, even national candidates who lose momentum can see their fundraising efforts and bank accounts dry up quickly. When there is no money left, the campaign is over. Spending money on cybersecurity preparedness may not be a priority in that environment.

When large companies experience a data breach or theft, they can afford to mitigate the business harm by hiring top-shelf cybersecurity, law and public relations firms and advisors. Even so, if a cyberattack results in the loss of intellectual property or disrupts business operations, the consequences can be harmful, and in some cases, dramatic. For small companies, a data breach can cause such reputational harm or remediation costs that the company may never fully recover.

Similarly, one embarrassing email exposure might tank a candidate for public office. Similar to a small business, a local or regional candidate may not be able to weather a cybersecurity incident. A major national candidate, who can rely on national surrogates, the national party and the ability to quickly fundraise may be able to withstand some level of data breach. A data breach or theft involving a lesser known local or regional candidate could mean the end of the campaign.

The categories of cybersecurity threats are not so dissimilar for campaigns as compared to the private sector. Both are at risk from cyberattack from nation states, organized crime and individual hackers. Both are at risk from insider threats, although one might be inclined to think that this risk is somewhat lower for a political campaign, where the primary motivation for a person working or volunteering there is ideological, versus the everyday practical needs of a person who needs their employment to live but might hold a grudge against their employer. Both are at risk for insider vulnerability, such as poor cyber hygiene of employees. On this count, campaigns might be at slightly higher risk, due to the quick stand-up of a campaign, increased turnover of staff, interns and volunteers, and a lack of written policies, training and procedures, as compared to a company. Similarly, campaigns are probably at higher risk than companies when it comes to hardware, software and vendor selection, due to the quick manner in which decisions about supplies and services are made. Decision-making most likely takes place on these issues outside the scope of a cybersecurity preparedness or incident response plan.

Both companies and campaigns are capable of conducting an evaluation or hiring consultants to conduct an inventory of data that is collected and retained, and prioritizing the sensitivity of data. But it seems likely that companies are more sophisticated about conducting these reviews, and then applying an existing framework (such as NIST) to that data. Companies can purchase insurance, and conduct table top exercises and simulations to game-out how their senior leadership and assembled cybersecurity team would react to a cybersecurity incident. Campaigns, on the other hand, have a limited time period of existence, and have likely not prioritized time or money for longer-term cybersecurity preparedness. Yet, once on the receiving end of a cybersecurity problem, there is very little time available for a campaign to catch up on cybersecurity.

Now that the 2016 campaign season has made everyone in the political process aware of the significant risk to political campaigns, we should expect greater attention to these issues in future election cycles. And, these challenges exist not just for U.S. campaigns, but for campaigns anywhere in the world. Cybersecurity planning for political campaigns should be built in at the beginning, with smart choices, and candidate and staff awareness from the start.