The following article is a contribution from Will Caskey and was originally published on Medium.com here. Will Caskey is a corporate and political researcher with over a decade of experience in campaign and client consulting. Follow Will on Twitter
Hey everyone. I do not just berate my fellow Democrats/citizens/white people. I also am an opposition researcher, and I’d like you to give me your money in exchange for useful negative attacks on your opponent and yourself!
There’s just one problem: every time I send my clients a report full of court filings, Social Security numbers and birth dates, I may as well fold that report into paper airplanes and fling them at my client across a football stadium.
That’s how insecure campaign practices are.
No one talks about security practices in campaigns, not even after security breaches dragged our presidential nominee over hot coals and nail beds. It’s half collective action problem- no individual part of a campaign has a huge reason to care about infosec- and half economic- the people who do great infosec charge a lot. A lot a lot. Like, add a zero to my standard report price. Then another zero. Now you’re in the ballpark of a standard training by a corporate security consultant.
Campaign security is necessary, and not just for presidential campaigns. We all saw how Wikileaks and Guccifer 2.0, or just “the Russians,” made Democratic lives miserable in 2016. A DCCC laptop was secured and hacked, and as a result a bunch of donor and candidate info was posted. Cell phones, home addresses and other uncomfortably intimate material was anyone’s for the taking.
This was actually a relatively minor breach; the information flying between campaign operatives with no security considerations whatsoever goes far beyond what leaked out on coincidentally only Democrats last year. Candidates are lucky there wasn’t a full blown identity theft wave and all of them weren’t charged tens of thousands of dollars for “art supplies” in Montenegro or whatever.
And that’s not even the worst part. The fact is that campaign practices, whether it’s assembling fundraising lists with “petitions” or security breaches, disseminate basically instantly in the U.S. Last year’s Russian hijinks are next year’s Standard Operating Procedure.
No, I’m not saying that the DCCC is going to start deploying hackers to break into Republican emails (although both the DCCC and NRCC do have people hunting for each others’ research archives that they post online to get around coordination bans). I’m saying that there is enough infrastructure out there that once something is stolen, it’s going to be immediately disseminated to your opponent, your racist high school friend on Facebook, and Politico.
And it only takes one person to do this.
So you, my fellow Democrats and even interested Republicans, need to think about infosec right fucking now. It’s not effortless or free, but it’s fairly easy and inexpensive. So read on: I’m a researcher, and I’m here to help.
(And no, I am not a specialist in online security. I’m a specialist in knowing how things can go terribly wrong. The following steps are ridiculously trivial to a specialist, and that’s exactly why you need to pay attention to them.)
People experienced in online security bring up the joke about running from an angry bear: You’re not outrunning the bear, you’re outrunning the slowest runner. Same principle: what we think of as “hackers” aren’t laser focused on you specifically. To a large extent they’re not even people: often bots or other algorithms scour various sources for undefended info, and then someone peruses the results for anything interesting. Setting up a few basic practices will put you ahead of the slowest runner. Let’s go through the easiest ones.
To start with, always use two-factor authentication. You don’t want Gmail only asking for your password; you want it asking for a second thing that’s more specific to you. You could use a code texted to your phone. However, phone numbers can be spoofed. It’s better to use app-based authentication, which generates a constantly changing code that’s mathematically impossible to replicate. NOTE: this does mean that if you lose your phone with the authentication app, you’ll lose access to your email. Gmail lets you print backup codes in case this happens, but make no mistake: there’s a risk here. Security comes with a cost to convenience; managing it is part of the process.
Secondly, your campaign emails need to be segregated and temporary. As a campaign, you are a target. You want to turn yourself into many targets standing far away from each other. If your campaign emails are breached, you want your field plan from last week leaked, not your arguments with your significant other. That means getting a separate domain for your campaign emails, and using only that domain for your campaign. It also means putting a shelf life on your email: after a set time period (no more than 30 days), all email received or sent gets deleted. If it’s something important, move it off your inbox to a different service, like Dropbox.
Finally, it has been almost three decades and we need to have this conversation: start using PGP encryption. Look, I get it: I created a key in college 18 years ago, decided it was a pain in the ass and forgot about it. Time has passed, and a lot of stuff has been stolen and leaked, and more importantly it is much easier and less of a pain to use PGP, so you need to start using it.
PGP is weird, but also pretty neat. You create two very large prime numbers or “keys,” a public one and a private one. Someone who wants to send you something private uses your public key to scramble your message. Then it can’t be unscrambled by anything but the private key. You get the gibberish message and decode it. If your email is compromised, the thief sees that you’ve received an encrypted message, and unless the thief is the NSA, that is the end of that. (Note: If the NSA is after you, the bear is going to overtake your entire group and eat you all, and there’s nothing I can do for you. Keep calm and donate to the ACLU.)
This sounds complicated, and annoying for me to, for example, tell my clients that I will only send my reports in encrypted form and someone on their team needs to set up a PGP key. It’s also a really, really effective way to stop breaches, or more accurately to render breaches harmless. Moreover, there have been great strides in integrating PGP into email platforms. There’s a Chrome extension that drops the option right into Gmail. Android and iOS have similar apps that plug into their respective email apps. It takes about ten minutes to give yourself the option to block basically all non-government attacks on your email content. In fact, pause what you’re doing, go set it up and then finish this piece.
Texting is a simpler issue than emails: stop doing it. Seriously, you need to just stop it. Think of texting as writing your messages on a billboard on your house, because that’s how insecure it is. Phones can be lost. Phones can be spoofed. Telecoms can be breached, and more importantly they habitually give away records to anyone who is conceivably “law enforcement” just like that. (If you think you have nothing to worry about from law enforcement, try running a campaign against someone a police union endorsed. Sometimes the bear is an anonymous asshole with a badge.)
So stop texting. Instead, use a messaging platform with end to end encryption, where each message is encrypted before leaving one phone and decrypted by the other. That means the host service has no way to read your messages, and for storage purposes they don’t even keep a copy of them. The one currently in vogue is Signal, which also has the fun ability to delete messages after a set time period (see above concern about emails with a shelf life). WhatsApp is a similar platform. Currently owned by Facebook, the app is criticized for allowing metadata access without a warrant. That is a concern, although bulk metadata analysis is beyond the abilities of most anonymous assholes with badges, and probably means The Government Is Out To Get You, ie metadata is the least of your problems. Google Allo is another end to end platform, and even Facebook Messenger has an end to end mode (don’t use Facebook. You will forget, and click on the blue conversation instead of the black conversation. Account for your own probable user error). Pick one of them, or pick all of them. Just stop sending vanilla SMS text messages. Now.
Email and texting cover the vast majority of your current information vulnerabilities. They’re also not the only thing you should worry about. Yes, direct network attacks are more rare, and thinking about them sounds paranoid. They’re also easy to defend against. Remember: this is not about someone following you and going through your trash. This is about a vulnerability on that Dunkin Donuts free Wi-Fi you used, which appeared there after some other customer visited a sketchy Russian porn site at 2am, and malware jumped onto the hotspot, and no one is checking because no one cares about internet security at a Dunkin Donuts. A few easy steps now, and Dunkin Donuts turns back into place for cheap but serviceable coffee.
To start with: don’t turn off your firewall. These days it’s difficult to turn off system firewalls for great lengths of time. But people still try, usually because some video game you like doesn’t work very well with the firewall. Also, people hear that their home Wi-Fi router is its own firewall, and relax. Don’t do that. Figure out how to play your game with the firewall, or don’t play it. Once you don’t care about your firewall being off, you won’t care at the Dunkin Donuts.
Second, password protect your Wi-Fi router. No, do not leave the default password on. Take the time to read your ISP’s documentation and change the password to something decent. No, this is not foolproof. Your router can still be cracked by brute force. That also requires someone sufficiently determined to get into your router, staying within its range long enough to crack it. This isn’t impossible! Maybe your racist high school Facebook friend was a computer science major. But it’s a lot more difficult than not protecting your router, so do it.
Next, invest in a Virtual Private Network (VPN). This is essentially an easy layer of security for your internet connection: you connect to the VPN, which then connects to whatever you want to do, and the casual hacker/Russian bot/etc sees you connecting to the VPN and nothing else. No, this is not foolproof. Yes, your VPN service is almost certainly compromised by (NSA/first world intelligence service). However, connecting your home router to a VPN will deal with the aforementioned brute force compromise of your router. It will also give you another layer of security at Dunkin Donuts. So connect your router to a VPN (one you pay for; it’s about $30 a year to subscribe to a decent one that won’t slow down your internet), and also put one on your laptop, tablet and phone.
Don’t Get Comfortable
I can’t emphasize this enough: the above steps are very basic, minimal protections. You can do much more. You can, for example, carry around a physical token that generates a two-factor login code instead of an app. You can pay for an email service that sends encrypted, self-destructing messages. You can stop using Slack, and use an end to end encrypted clone of Slack. You can ask your friendly opposition researcher you literally pay to think of worst case scenarios what else to do. (Hint, hint) You can store all of your campaign data in an encrypted external hard drive a single person on the campaign can access, who sends out files based on verbal pass phrases from in person meetings.
You can do all sorts of things with whatever level of inconvenience you can live with. It will also never be enough. Someone is out there who can break through any precaution you come up with. Assessing the precise threat companies and governments face and coming up with appropriate situational defenses are why the experts charge six figures.
You don’t have that sort of money. So instead, listen to me now, and more importantly, don’t assume you are safe. Get in the habit of thinking about every transmission as a weakness, not a convenience. Every time you hit send, no matter what your precautions, you’re taking a risk. Make sure that the convenience of the technology together with the defense you’ve built is appropriate to the risk.
This isn’t paranoia. This is the world in which you’re running for office. Hillary Clinton found this out the hard way. The least you can do is learn from it.