How to secure a Congressional campaign in 60 minutes or less
May 29, 2019 3:25 PM   Subscribe

As part of his work on Tech Solidarity and the Great Slate for the 2018 United States House of Representatives elections, Maciej Ceglowski (previously) flew around the country to brief Congressional campaign teams on good practices to secure themselves against Podesta-style hacks. Here's what he learned on the way.
posted by figurant (16 comments total) 61 users marked this as a favorite
I volunteer sometimes with a nonprofit that does similar campaign security work, and this article is incredibly on point. Our internal Slack had a thread for on where we basically just quoted bits of this and said “yes”.

The points about how busy campaigns are, and making your message simple and actionable, are really important. No one organizing campaign volunteers, or planning fundraisers, has time to seriously think about IT choices. For example, “just use an iPhone” is a much easier recommendation to get across than explaining how to select a secure Android phone and why the others are bad. Coming up with recommendations that are secure, reliable, and easy to adopt all at the same time is both really important and sometimes really hard.

And LOL the candidate being the hardest person to change. I had a friend working in a state legislative race who eventually resorted to “losing” the candidate’s ancient insecure BlackBerry from 200x that hadn’t gotten a software update in years... only to find that the candidate stayed up late and hunted down the exact same phone on eBay.
posted by a device for making your enemy change his mind at 4:23 PM on May 29, 2019 [30 favorites]

This guy is such a hero. Don't fail to click the (previously) link; a lot of it is there. Thanks, figurant!
posted by mississippi at 4:24 PM on May 29, 2019 [1 favorite]

I think a lot of what Maciej says could apply to any small non-technical organization. It's just the stakes with campaigns are so much higher than your local historical society or whatever. Also campaigns are bizarre in that they are ephemeral organizations; most come together and disband in less than a year.

The central DNC has done a lot of work on tech infrastructure since 2016, a lot of it intended to directly help these campaigns. Some details on that in this article, also this one and this one. It seems to be a big part of the support for a campaign boils down to basic advice like "Use two factor authentication. Use Google services. Use Signal." There's some dangers with such simple corporate advice, but it's much more likely an office is going to have secure email using Google than trying to set up their own fancy system.
posted by Nelson at 4:37 PM on May 29, 2019 [5 favorites]

I recall in the recent French Presidential election how the Macron campaign actually seeded their data and emails with demonstrably false information. When it was somehow hacked/leaked by the opposition, the Macron campaign was able to point out the strategy of seeding with misleading data, which pretty much blew a hole in the opposition’s attempt to use it (as well as any legitimate info obtained) against Macron.

That struck me as fairly clever.

Ah, here’s a review of the Macron campaign’s anti-hacking strategy. It was rather more detailed and multimodal than I remembered.
posted by darkstar at 5:00 PM on May 29, 2019 [10 favorites]

Also, having worked on a couple of campaigns, the FPP-linked article is outstanding. From the truth-telling to the humorous insights, it’s brilliant:
“Practical campaign security is a wood chipper for your hopes and dreams. It sits at the intersection of 19 kinds of status quo, each more odious than the last. You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on.

...Trying to secure a modern campaign is like doing surgery with a scalpel made out of anthrax spores.”
posted by darkstar at 5:05 PM on May 29, 2019 [3 favorites]

QFT: The national party was so unhelpful that in the end I had to treat them as part of the threat model.
posted by ryanshepard at 9:33 PM on May 29, 2019 [15 favorites]

this is so good
posted by feckless at 9:50 PM on May 29, 2019 [1 favorite]

Podesta-style hacks

posted by Going To Maine at 10:12 PM on May 29, 2019 [4 favorites]

Ideally, there would be a billing model where the training is free, but the campaign gets charged thousands of dollars for ignoring it.
posted by latkes at 10:55 PM on May 29, 2019 [15 favorites]

Ideally, there would be a billing model where the training is free, but the [audience for said training, often the ones who loudly complained about its absence/demanded it/paid for it] gets charged thousands of dollars for ignoring it.

This, everywhere
posted by I_Love_Bananas at 5:34 AM on May 30, 2019

I think the part about the candidate is probably the most critical. if you don't have management involved and in agreement from the top down it's going to be all but impossible to really secure anything because management will tear down the security.

I see that at my current job. Our CEO does not like security of any sort, we don't even have a swipe in system on our doors because he's opposed to it, and as a result any sort of wide scale user training on security matters is simply not allowed. We do, at most, ad hoc spur of the moment lessons on security with users when and as there's the opportunity.

So far this has cost us in the low six figures of losses just in the few years I've been here due to users being scammed (someone got hit with the old "email claiming to be from the CEO telling them to go buy pre-paid VISA cards and send the numbers to this non-work email address" scam, just for one example).

Any sort of user testing, sending out phishing emails ourselves to see who responds for example, is strictly forbidden. Coupled with the lack of training this means we get users turning over their data to scammers from time to time.

So yeah, a candidate who hates security and wants an antique BlackBerry is going to make securing the campaign as a whole all but impossible because they'll undermine security just by their own attitude.

You'd think after what happened to Clinton the Democrats at least would be a lot more paranoid, but apparently not.
posted by sotonohito at 5:47 AM on May 30, 2019 [6 favorites]

The Democrats are definitely very paranoid. Doubly so since Trump has made it clear that the executive branch is going to do nothing to try to protect the 2020 elections from foreign influence. (For once, the Republicans aren't completely in agreement here although they are still happy to enable.)

A lot of the problem is a variant of Dunning-Kruger, it's hard to believe that you could get hacked. "Well sure, Podesta's password was cheeseburger and everyone knows that's dumb. But mine is ch33s3burg3r and no hacker would ever guess that!" Doubly so for phishing attacks, everyone thinks they're too smart to click on an email attachment right until that new PDF you have to sign arrives. Even most two factor as implemented is really not secure enough, particularly if it relies on an SMS second factor.
posted by Nelson at 7:18 AM on May 30, 2019 [6 favorites]

A lot of the problem is a variant of Dunning-Kruger, it's hard to believe that you could get hacked.

As someone who doesn't work in tech but has to deal with passwords and security issues on a minor level, it's probably some of that, but it's also asking people to conform to technology rather than having the technology conform to them. It's asking people who don't have tech as a concern and don't really want it to have to focus on something alien to their day to day practices. Changing the way people normally do things by adding layers of vaguely understood complexity places a barrier between what one wants to do and actually accomplishing it that is frustrating, sometimes excessively so. The needs of security often run counter to the needs of the people using it when it distracts or disrupts routine.

That isn't to knock those who are working to make things secure and do understand the elements involved. It's important and necessary work. It's just to say there is a considerable distance between those who are comfortable with tech and those who aren't that really comes into play since much of it wasn't designed for ease of use by the ignorant. It's a language of its own that makes those who don't speak it feel uncomfortable and sometimes even angry as it seems like the equipment they use is working against rather than for them.
posted by gusottertrout at 7:49 AM on May 30, 2019 [6 favorites]

We gave money - a fair bit of it - to Maciej's "Great Slate". The slate included our long-shot challenger in NY-23 (for fun, refer back to my hopeful dreams getting crushed in the Megathreads of November), but mostly I donated because I'm just constantly impressed by this guy's thoughtful approach. Thanks for posting this - I'd gone looking for more of his writing a few days ago and come up empty.
The person who is in charge of [NGP VAN] is often the most tech-savvy person on the campaign, and you should make an effort to talk to them. (A good icebreaker with these people is talking about how much you both hate VAN.)
Oh god. So depressing.

I just canvassed for our school board elections and that involved walking the streets with printed sheets of "very likely voters" - what about these other plausible doors we are skipping? Apparently that's "not how it's done". But our write-in candidate won!!!11! so I can't complain.
posted by RedOrGreen at 9:05 AM on May 30, 2019 [5 favorites]

gusottertrout Well, yes. One unfortunate trade off is between security and convenience. The more secure method tends to be at least somewhat less convenient, and to involve at least a step or two more than the less convenient option.

No matter how great your MFA is, it's still **MULTI** and that means $USER has to jump through at least one more hoop. "You means I have to remember a password **AND** use this funky USB thingie?"

And that's certainly one reason why people tend to be resistant to security improvements even for stuff that's really important like your bank info.

You can spend about $7 on a Blizzard branded authenticator to secure your Battle.Net video game account. You can also download a free app for you phone. Using either adds an extra step to the login process.

I literally can't make my bank account as secure as my video game account. My credit union simply does not offer a real authentication option. The absolute best I can do is require them to text me a one time code to be used when I log into the account website. And while that's better than nothing, it's still not as good as even using an app [1].

When even the average person's bank doesn't offer as much security as a video game, it's a weird situation.

Add to that the fact that some of our number one favorite way to send corporate communication, email, is such shit it really should be totally banned by anyone even halfway security conscious except... there's no replacement.

To make an analogy, email is like every house having a second door that can't be locked. It is insecure by design and there is literally no actually practical way to secure it. We desperately need to replace email with something new and better. So naturally the computer industry has produced... zero workable replacements. It's introduced some proprietary stuff that can't intercommunicate, and that doesn't do all the stuff you'd want email to do.

Can you imagine going to anyone, corporate or politics, and saying "hi we'd like to take your email away, and nope we don't actually have a universal replacement that will let anyone who needs to send you a message"? You'd be fired. Out of a canon and into some lava.

Even in the corporate world with a decent sized budget security is hard. Trying it for politicians? The person in the linked article is both brave, dedicated, and fighting a battle that they simply can't win because they don't have the tools to offer that would let them win.

[1] Why? Because text messages can be intercepted more easily. You don't even have to unlock my phone. Just grab it, pop the SIM card and put it into a different phone, bang you've got my text messages. An app at least requires that the phone be unlocked as well as stolen.
posted by sotonohito at 9:39 AM on May 30, 2019 [5 favorites]

Games are much better at incentivising behaviour. Any additional hoop that a bank introduces is another bullshit thing that's stopping me from getting to my money, but a game can offer you a free in-game pet or a skin or something that has no monetary value but does have an intrinsic value.
posted by Merus at 4:24 PM on May 30, 2019

« Older Place-names   |   Remembering La Plaza de los Lagartos, the El Paso... Newer »

This thread has been archived and is closed to new comments