Cybersecurity Recommendations for Campaigns and Organizations in 2018
With a country-wide renewed focus on cybersecurity after the events of the 2016 cycle, it can be difficult for those who are not technology professionals to make sense of the enormous volume of information over how to secure organizations and campaigns. There are many great resources already available such as the Campaign Cybersecurity Playbook from the Belfer Center at Harvard (https://www.belfercenter.org/cyberplaybook) that outline some vital basics. In this memo, I am going to outline some basic and next steps that are important for all campaigns, vendors, practitioners, activists, and politicos to take. For those folks who have more specific questions, please feel free to shoot me an email (firstname.lastname@example.org).
Within this memo I will offer a quick explanation of why I am making a recommendation, followed by direct links to the service or product.
Enable Two-Factor Authentication on Every Service Available and Use Security Keys as the Method of Authentication
EDIT February 2019: You can read more in depth two-factor suggestions here: https://medium.com/@msager/breaking-down-the-flavors-of-two-factor-12bf9f13ff3c
Two-Factor Authentication adds a second layer of protection to access an account. In addition to something you know (your password), a second factor is something you have (your phone or a security key). More and more, passwords are phished or stolen in data breaches from online services providers, making this second step absolutely vital to protecting all accounts you use. And many accounts often contain specific useful information about the account holder, even if the account itself is somewhat unimportant; for example, your Netflix account has your name, email, and credit card information, all of which can be used by a malicious actor to confirm your identity with your cellphone provider.
All major web-based applications now offer some form of Two-Factor Authentication: Google, Facebook, Dropbox, Outlook.com, Twitter, etc. Most support Google Authenticator, an app which runs on your phone and algorithmically generates a unique one-time password (OTP) that is known only to the phone and the site to which you’re connecting. Some sites are now supporting security keys under the U2F standard, which are functionally un-phishable as of this writing. I strongly encourage everyone to lock every account they use on all sites with Two-Factor Authentication, and to use Security Keys when possible. If Security Keys are not an option, I strongly recommend using Google Authenticator for generation of one-time passwords.
Each user who is using security keys will need at least two keys, one of which is mobile compatible. One key serves as the primary and is kept with the user at all times. The second is a backup stored in a safe place such as at home. These keys should be thought of as the key to the user’s digital life, and they should be treated the same as the user treats their house key and car key.
List of sites that support Two-Factor Authentication with Instructions: https://www.twofactorauth.org
YubiKey 4 (Works with LastPass): https://www.amazon.com/Yubico-YUBIKEY4-YubiKey-4/dp/B018Y1Q71M/ref=sr_1_3?ie=UTF8&qid=1524773167&sr=8-3&keywords=Yubikey+4
Feitian Multipass (Mobile Compatible): https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/dp/B01LYV6TQM/ref=sr_1_3?s=electronics&ie=UTF8&qid=1524773312&sr=1-3&keywords=feitian+multipass+fido+security+key
FIDO U2F Yubikey (Does NOT work with LastPass): https://www.amazon.com/FIDO-U2F-Security-Key-co-creator/dp/B00NLKA0D8/ref=sr_1_3?s=electronics&ie=UTF8&qid=1524773335&sr=1-3&keywords=Yubikey+U2F
Google Authenticator on Apple App Store: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
Google Smartlock on Apple App Store (used with mobile security key): https://itunes.apple.com/us/app/google-smart-lock/id1152066360?mt=8
Google Authenticator and Google Smartlock are automatically included with Android devices.
Remove Text Message Two-Factor and Account Recovery When Other Options are Available
Unencrypted text messages are especially vulnerable to interception and carry multiple risks. Recent AP reports indicate most US cities have multiple unauthorized Stingray cell-site simulators that intercept phone traffic and can be used to capture a targeted campaign account’s two-factor text message. Additionally, clever hackers have socially engineered phone takeover and redirection by calling cellphone providers and asking them to transfer a phone number to a new SIM card or account, thereby receiving the two-factor code sent to it.
It is worth noting that text message based two-factor is still better than no two-factor at all, but as soon as more secure options are available from a given site, the option to receive text messages, whether as a primary or a backup, should be removed as quickly as possible.
Use G Suite for Email (But Office 365 is Good Too)
Using cloud-based email from either Google or Microsoft as the underlying email system for your campaign is vitally important. Both of these services take advantage of their respective corporate security teams and are constantly patched and updated to protect against threats. In contrast, basic email systems from domain registrars, hosting providers, or self-hosted systems do not have this capability. This is one of the most important changes a campaign can make to secure itself, and it should be done as soon as possible.
As of the date of this writing (April 2018), G Suite offers the most comprehensive security options for authentication including security keys. Therefore, I recommend using G Suite. Users who strongly prefer Outlook environments can still use G Suite with some additional configuration, although it’s not a native configuration and therefore there are some quirks and features that don’t translate. For those who wish to maintain a Microsoft environment completely, Exchange on Office 365 is an okay option but doesn’t have the same two-factor choices and anti-malware features that Google has. If you are already using Exchange on Office 365, I do not necessarily recommend moving off at this point, but if you’re deciding between the two, as of now I recommend Google. When Microsoft adds additional two-factor options, I will recommend both services equally.
G Suite Signup: https://gsuite.google.com/
Pricing: Most campaigns should be able to use the “Basic” tier, which is $5 per month per user. Some campaigns or vendors may need features offered at higher tiers.
Transmit Sensitive Documents and Communications with Wickr
Even with the most secure system, email itself is still inherently insecure. It’s usually unencrypted, and once a message leaves your system you have no further ability to control how it’s used. This becomes a major concern when dealing either with sensitive documents such as research books and polling memos, or with sensitive communications. It’s often said, “don’t write anything you don’t want to see on the front page of the New York Times,” and while that mantra is still true, oftentimes we treat chat and text more like a phone call than an email. Therefore, I strongly encourage all campaigns to adopt Wickr for secure communication of sensitive information and conversations.
Wickr is an encrypted distributed ephemeral communication tool, meaning messages are always encrypted, only sent directly between sender and recipients (not through a central server), and expire within a set period of time. Furthermore, compromising access to a Wickr account does not provide access to old messages, just new ones. Campaigns should sign up for Wickr and use Wickr to send any and all file attachments that are sensitive in nature, whether communicating with staff or consultants.
Both Wickr Me and Wickr Pro are interoperable, but Wickr Pro offers additional administrative controls that Wickr Me does not.
Pricing: Wickr has offered special pricing for political campaigns and committees. I’m happy to help connect to the Wickr team if interested.
Use Signal as a Replacement for Texting
Text messaging is an extremely insecure technology, despite its convenience. It is completely unencrypted and is easily intercepted by anyone nearby with a phone. While Apple specifically has made the much more secure iMessage the default for iPhone to iPhone communication, this is not interoperable with Android and other mobile devices. If you are only communicating with others using iPhones, you can use iMessage, but if not, I strongly recommend using Signal.
Signal is encrypted and distributed (similar to Wickr) and interoperable with other Signal users on iOS and Android, as well as Desktop. The user interface is very similar to a text message, and it has seen wide adoption.
Signal is free on the Apple App Store and the Google Play Store.
Use Unique Passwords for Every Site You Have an Account With, and Use a Password Manager to Manage them
Passwords are the primary key to unlock our accounts. In the same way it would be bad security practice to use a single key to unlock every door in your life, using the same password to unlock every digital door leaves you extremely vulnerable. However, with the number of sites on the internet, trying to personally invent and then remember unique passwords for every single site is an impossible task. Fortunately, there is software that allows you to do this with minimal effort.
LastPass is my current recommendation for password manager, as it has good multi-factor options, works with most browsers and mobile devices, and is cross-platform. There are solutions such as Dashlane and 1Password that are also good, though I have less knowledge of the specific features available. There are native solutions from Google and Apple, but those only work with their specific products, so while secure, they are much more limited.
LastPass signup: https://www.lastpass.com/
Costs vary by product and feature level.
Enable Google Advanced Threat Protection on Personal Gmail Accounts and Configure on G Suite
In response to multiple attacks by foreign governments in recent years including the Russian interference in 2016, Google has rolled out the Advanced Threat Protection program for high risk clients which includes political campaigns and their staff. This service limits API access to the account, requires security keys for all logins, creates a more robust account recovery process (that takes several days to complete), and scans attachments in a more robust fashion. All of these are to help prevent more targeted malicious actions, as opposed to the more generalized protections that come with the regular configuration of Gmail.
Advanced Protection is currently only available as an easy configuration for personal Gmail accounts, but users can configure their G Suite environment to have matching protections. As of this writing (April 2018), Advanced Protection does not support Apple Mail, Calendar, or Contacts on iOS but they are expected to be supported very soon. I strongly encourage candidates, family, campaign staff, and volunteers to enable Advanced Protection on personal Gmail accounts and to configure organizational accounts as outlined below.
For G Suite Configuration: https://docs.google.com/document/d/1dSDkcfMFtpXAfmDKkpLrPc2uYNoonY9v61CZluoDhLE/preview
Create a Document Retention Policy and On-Boarding/Off-Boarding Processes, and Adhere to Them
The enemy of malfeasance is a followed process.
Document retention policies allow the organization to set specific parameters about how documents, emails, and communications are kept. Email systems can be configured to automatically purge messages after a certain number of days in compliance with the policy, and in the event of a legal issue having a written policy is a significant legal protection. Additionally, regular purging of old communications serves as protection should a user’s account be compromised, preventing older communications from falling into the hands of a malicious actor.
Having robust internal processes allows you to know who has access to what, and what to do in the event of a compromise. This means having checklists of accounts and configuration for on-boarding, and ensuring the same checklist is used when an employee is off-boarded.
Run Next-Generation Anti-Virus and Anti-Malware Software on All Computers
While protecting against phishing and social engineering attacks is the highest thing on our radar, users must also be aware of more run-of-the-mill cybersecurity issues that aren’t specifically targeted. Ransomware attacks have increased dramatically in the last few years and are only going to continue. Next generation anti-virus and anti-malware software looks at application behavior, not just signatures, and isolates processes and programs that present threats. In the event your network is compromised, running this software on all campaign systems will help contain the attack.
There are consumer-grade endpoint protection software products such as BitDefender and Norton that will work well for most users if not in a managed environment. For those organizations providing devices, a Symantec license at minimum is required, and using a professional system such as CrowdStrike Falcon is preferred.
Please note, at no time should any user run any product from Kaspersky Labs on their computer.
Additional anti-malware options include Malwarebytes, which has a free scanner and paid versions with active detection.
Crowdstrike Falcon: https://www.crowdstrike.com/products/
Malwarebytes: https://www.malwarebytes.com/
Mike Sager is the Chief Technology Officer for EMILY’s List, overseeing technology infrastructure as well as guiding data and software development. Most recently, Mike led analytics software development at Burson-Marsteller. Previously, Mike had served as the Political Technology Director at the AFL-CIO during the 2012 election cycle, designed Digital products at NGP VAN, and administered the DNC national voter file software during the 2008 cycle. Mike lives in Alexandria, VA with his wife, daughter, and 2 small dogs. Mike is an amateur chef, jangle pop guitarist, and a diehard fan of both the Washington Nationals and the band The National.