Campaign Information Security

In Theory and Practice

thaddeus t. grugq
Nov 20, 2017 · 4 min read

A committee of top tier infosec heavy weights (and a half dozen interns) got together and wrote a guide to campaign information security. It’s a fine document produced by a lot of talented people and definitely a good starting point. Indeed, it mirrors much of the advice I put together in August 2016 for political campaigns. I’m sure the authors have considerably more expertise on the details and ground realities of political campaigns than I do. Still, there’s some additional content that I believe is worth sharing, perhaps it will be of use to someone.

don’t fear the trolls, f#*k with them.

Rule #1: your objective is not “don’t get hacked,” your objective is “don’t let the adversary get useable information”

Rule #2: authenticity is the only thing that people believe

Rule #3: the “e” in email stands for evidence

  1. Face to face
  2. Encrypted ephemeral messenger (Signal, Wire, Wickr)
  3. Encrypted messenger (Signal, Threema, Wire, Wickr, WhatsApp)
  4. Mass blast emails to everyone, because anything on email may as well be public

Rule #4: use deception to lure the adversary out

Rule #5: use deception to consume the adversary’s analytic resources (hide your lake in an ocean)

Rule #6: use deception to mitigate the damage of a penetration

Rule #7: the way to fight trolls is with elves

Memento calc.exe: remember, you will get hacked

The original guides suggestions to have designated people for key roles is good. But in the real world, those people are always in the wrong place when you need them. Consider implementing a PACE system for designated positions. One Primary, an Alternate, a Contingency and an Emergency. At a minimum have an alternate to fall back on if your primary is unavailable.

Basic Security Hygiene

This guide from Tech Solidarity is a good starting point.

Defeating disinformation campaigns is not impossible, but it’s important to remember that the goal is to disrupt and counteract the exploitation of the collected information. Not getting hacked is a start, but it’s only a start. Be prepared to counter the disinformation campaign, and work to hinder its ability to collect anything useable. After all, this strategy worked for Macron in France. Even with access, there was nothing interesting or salacious to leak. Bland emails make for resilient campaigns.

Support more posts like this.

thaddeus t. grugq

Written by

Information Security Researcher :: keybase.io/grugq :: https://www.patreon.com/grugq