For the past eight months, I’ve been traveling the country in a sometimes quixotic attempt to train congressional campaigns about email security. On one recent trip, I asked a Democratic campaign manager how he was keeping track of his personal passwords. When he hung his head, I knew what was coming.
“I use the same password for every site,” he confessed. He told me about a moment of panic when a college friend who shared his password on a sports site logged in to his Gmail account as a joke. Google noticed the out-of-state login and sent him a security alert. In the minutes before the friend admitted to the prank, he saw his career flash before his eyes.
A manager on a different campaign told me he was still using Yahoo for his personal email, even though the company was famously breached in 2014 by hackers linked to Russian intelligence. When I pressed him on this, he said he was aware of the breach but figured Google would now be the bigger target. He fancied himself to be hiding in plain sight.
Anyone who works in IT can tell stories about inventive ways people use and misuse computers. Political campaigns are no different. What truly shocked me after talking to over two dozen campaigns was that no one else was coming to talk to them about security.
I never expected to find myself playing the role of security trainer. My involvement with politics started shortly after the election, when I began visiting rural congressional campaigns to help progressive candidates with fundraising. As a self-employed programmer, I was able to travel and serve as a kind of political truffle pig for tech workers who wanted to donate to candidates but didn’t know where to begin.
Being a nerd, I couldn’t resist asking how the campaigns I visited were defending against the kind of online threats we had seen in 2016. That’s when I discovered just how little information was getting through to the people who needed it most.
Why are campaigns still struggling with basic security after two years of constant news reports about the dangers of political hacking?
One problem is that campaign security isn’t anyone’s job. The Department of Homeland Security offers training through its National Cybersecurity and Communications Integration Center (NCCIC) in theory, but it has shown little appetite for the topic in practice. The NCCIC’s audit and assessment services are targeted at large federal agencies, not small groups of people driving around Iowa. Campaigns that reach out to NCCIC get an email outlining options like a “six-week phishing vulnerability assessment” or an “audit of internal network security,” neither of which is much help to a campaign working off personal devices, seven weeks before an election.
The Democratic Congressional Campaign Committee, deeply anxious about campaign security, distributes a nonpartisan tech playbook developed in conjunction with the Harvard Belfer Center. The playbook is meant to be a basic guide that any campaign can follow, and from a technical point of view, it is unimpeachable.
But it focuses almost entirely on protecting campaign data, such as financial reports or opposition research. When it comes to safeguarding staffers’ personal accounts, the playbook suggests only that they “enlist professional input from credentialed IT and cybersecurity professionals as needed.” This is as useful as telling a potential cholera victim to hire a microbiologist.
Read the complete article at washingtonpost.com
Maciej Ceglowski is a security trainer and the founder of Tech Solidarity.