Securing our Democracy: The case for robust campaign cybersecurity

Sun Tzu famously said, “all warfare is based on deception.” He could hardly have anticipated how his words would ultimately be substantiated—particularly in the tactics of today’s cybercriminals. Even after 30 years in the trenches, I’m still surprised by their innovative tactics. Sun Tzu reportedly also said, “It’s not an admission of defeat to recognize and respect the strengths of your enemy; rather, it’s a necessary precondition to victory.”

I was perplexed by reports that two-thirds of Democratic presidential candidates, in addition to President Donald Trump, had failed to implement and enforce the basic email security protocol, DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance.” DMARC helps prevent business email compromise (BEC) by verifying the authenticity of a sender’s email in order to reject spoofed emails and prevent the exploitations of an individual’s address for malicious purposes.

While this protocol is important for both public and private sector professionals, it’s absolutely critical for political operatives, candidates and elected officials who will almost certainly face daily cyberattacks. Politicians and their staff are enticing targets because they have access to both sensitive information and VIPs.

Beyond political and policy impacts, the potential for financial fraud is readily apparent. Spoofing campaign email domains in order to fraudulently request campaign donations represents one possible attack vector and — given the swarm of messages sent by campaigns — one with a relatively high chance of going undetected. In one high profile instance, a California man managed to trick aspiring activists out of $250,000 in political donations.

Although the proximity of political actors to information and wealth makes them alluring targets for BEC, it’s their behavior that makes them easy victims. These individuals are often highly ambulant, operating in hectic environments and under constant stress. They’re forced into snap decisions, often made on the run and communicated through smartphones with small interfaces, making minute anomalies difficult to detect. That makes candidates and staff prime targets for socially engineered, “muscle-memory” attacks that exploit our reliance on mindless, routine actions and our inability to effectively multi-task.

It’s worth noting that even the savviest cybersecurity professionals are victimized by BEC attacks. Recently, a colleague of mine nearly completed a wire transfer to a fraudulent party after initially missing a small anomaly in an otherwise legitimate-looking email request. That even the most experienced among us fail to consistently detect these tactics is a nod to cybercriminals, who are cunningly adept at encouraging urgency, mimicking trusted third parties, and otherwise taking advantage of our innate cognitive limits of rationality.

While politicians and staff are skilled in the nuance of policy and the intricacies of stumping for votes, they appear to be woefully uninformed in the most basic segment of cybersecurity: email security. Given that they are targets of both state-sponsored and financially-motivated attacks, it’s imperative they move quickly and decisively to secure such a primary communication method. That starts with the implementation and enforcement of DMARC protocols. But it extends also to MFA and enterprise-grade messaging platforms. Combined, these help prevent unauthorized email access and electronic eavesdropping while encouraging the detection of phishing and other social engineering emails. Most importantly, campaigns should deploy AI-driven predictive threat detection to stay in front of sophisticated cyberattacks from state-sponsored groups.

We can indeed learn much from Sun Tzu. One of his axioms, however, is no longer descriptive of the landscape we currently inhabit — we cannot choose when we’ll have to fight a cyber battle. That’s particularly true for today’s politicians, who must prepare as if under constant attack and move quickly to secure their campaign’s digital activities. Failure in that regard represents a direct threat to the critical inner workings of our democracy.

John McClurg served as Sr. Vice President, CISO and Ambassador-At-Large in BlackBerry's/Cylance’s Office of Security & Trust. McClurg previously was CSO at Dell; Vice President of Global Security at Honeywell International, Lucent Technologies/Bell Laboratories; and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.