The presidential campaign of former Vice President Joe Biden announced that it had filled the positions of chief information security officer (CISO) and chief technology officer (CTO) in order to address potential cybersecurity threats to the campaign.
According to The Hill, the campaign hired Chris DeRusha to serve as CISO and Jacky Chang as CTO. DeRusha previously served as chief security officer for the state of Michigan, and previously served in the White House and the Department of Homeland Security, along with leading Ford Motor Company’s enterprise vulnerability management program, says the news report.
Chang currently is senior technologist at Schmidt Futures, but is taking unpaid leave to join the campaign. Previously, Chang worked as a senior engineer on the 2016 presidential campaign of former secretary of State Hillary Clinton, and is a former member of the Democratic National Committee’s (DNC) voter protection team during the 2018 midterm elections, notes The Hill.
"Biden for President takes cybersecurity seriously and is proud to have hired high quality personnel with a diverse breadth of experience, knowledge, and expertise to ensure our campaign remains secure,” a Biden campaign spokesperson told The Hill. “Jacky and Chris will be central to strengthening the infrastructure we've built to mitigate cyber threats, bolster our voter protection efforts, and enhance the overall efficiency and security of the entire campaign."
“This is definitely a wise move given the interference that happened in 2016. With the emergence of deep fakes and “fake news” on social media that can drive beliefs and voting choices, all campaigns should have a cyber Czar continuously monitoring not only the systems of the campaigns, but social media," says Terence Jackson, Chief Information Security Officer at Thycotic. Also with unknown variables such as COVID-19 that could affect how we vote in November , it is prudent to ensure our election infrastructure is not tampered with.”
Brandon Hoffman, CISO, Head of Security Strategy at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, notes the importance of having a dedicated focus on cybersecurity for something as important as the upcoming presidential election. "With so much focus on Russia, and other state sponsored cyber activity, much of the lower level activity can be ignored or overlooked. This activity can not only be just as damaging, but the same techniques can be used by those state sponsored adversaries. In today’s world, the attack surface of something, such as a campaign, is almost uncontrollable. This includes volume attacks such as phishing critical staff to mobile threats on the phones of volunteers. Keeping track of what devices join the networks and how to provide access control to critical assets, it appears to be a daunting task."
There are several high focus areas for the cyber team, adds Hoffman. "The most important task is securing the critical data and assets with restrictions on who can access them. Subsequently, ensuring the shared platforms and networks across campaign locations and tiers of staff are appropriately monitored and controlled is also important," he says. "Another focus area would be messaging systems. Any system that can be compromised to send information to the public that is not legitimate will be a high value target for adversaries.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, remarks that this is a critical step in acknowledging the importance that cyberattacks have on an election and a campaign, especially one as important as the presidential election. "All elections and campaigns will experience cyberattacks and it is important to have an experienced and knowledgeable expert providing direction and response when cyberattacks materialize," says Carson. "Unfortunately, most campaign staff are inexperienced when it comes to cybersecurity best practices and are very vulnerable to phishing attacks that attempt to steal their credentials enabling attackers to gain access to emails or even voter registration database which could provide an attacker intelligence on how to best target an election."
"I hope that Chris DeRusha will emphasize the importance of password hygiene and privileged access management (PAM) when it comes to protecting campaign staff’s credentials and access to voters information. PAM is a key cybersecurity strategy when it comes to protecting sensitive voting information and is a must have security to reduce the risks from becoming a cyber victim," adds Carson. "Appointing a cyber czar is the first step in acknowledging the important challenge that cybersecurity has on democracy. This includes upholding the US constitution along with raising the confidence of the citizens with their future government no matter who is the next president. Moving forward, cybersecurity must be a top priority. Citizens must have confidence in their democracy and cybersecurity must be addressed when voting.”