Campaign Information Security

In Theory and Practice

thaddeus t. grugq
Nov 20, 2017 · 4 min read

A committee of top tier infosec heavy weights (and a half dozen interns) got together and wrote a guide to campaign information security. It’s a fine document produced by a lot of talented people and definitely a good starting point. Indeed, it mirrors much of the advice I put together in August 2016 for political campaigns. I’m sure the authors have considerably more expertise on the details and ground realities of political campaigns than I do. Still, there’s some additional content that I believe is worth sharing, perhaps it will be of use to someone.

don’t fear the trolls, f#*k with them.

The first and most important thing to keep in mind is that your goal is to deny the adversary useful information. Not getting hacked is certainly the first step towards that goal, but it is not the final step.

If the worst case scenario happens and the adversary begins leaking your data, verify that it hasn’t been tampered with or altered. The Soviets preferred a mixture of 9 parts truth to 1 part dezinformatsiya for their influence operations. When you encounter an alteration or manipulation, you must immediately expose it by showing the original. This robs the adversary of authenticity. Their lost credibility is your gain.
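Exposing a doctored leak only works if you can prove what the original said. The added example below (mine, not part of the original post) shows the minimum machinery: archive a SHA-256 fingerprint of each document when it is written, check a leaked copy against that manifest, and, when it fails, produce the exact changed lines for publication. The two documents and the sender address are constructed samples; the alteration is invented for illustration.

```python
import difflib
import hashlib
import hmac

# Constructed sample: the campaign's archived original and a "leaked" copy
# in which one sentence has been altered. Neither is a real document.
ORIGINAL = """From: scheduling@example-campaign.invalid
Subject: Tuesday town hall logistics

Doors open at 6pm. Staff should arrive by 5pm.
Bring the printed volunteer sign-in sheets.
"""

LEAKED = """From: scheduling@example-campaign.invalid
Subject: Tuesday town hall logistics

Doors open at 6pm. Staff should arrive by 5pm.
Bring the printed volunteer sign-in sheets and the cash envelope.
"""


def fingerprint(text: str) -> str:
    """SHA-256 over the line-ending-normalised UTF-8 bytes of a document."""
    canonical = text.replace("\r\n", "\n").encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(docs: dict[str, str]) -> dict[str, str]:
    """Map document id -> fingerprint. Archive this offline at send time,
    so the adversary cannot alter both the document and its record."""
    return {doc_id: fingerprint(body) for doc_id, body in docs.items()}


def is_authentic(manifest: dict[str, str], doc_id: str, candidate: str) -> bool:
    """True only if the candidate matches the archived fingerprint."""
    expected = manifest.get(doc_id)
    if expected is None:
        return False  # unknown document: cannot vouch for it
    return hmac.compare_digest(expected, fingerprint(candidate))


def altered_lines(original: str, candidate: str) -> list[str]:
    """Changed lines only ('-' archived, '+' leaked), ready to publish
    alongside the original to show exactly what was manipulated."""
    diff = difflib.unified_diff(
        original.splitlines(), candidate.splitlines(),
        fromfile="archived original", tofile="leaked copy",
        lineterm="", n=0,
    )
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    manifest = build_manifest({"townhall": ORIGINAL})
    if is_authentic(manifest, "townhall", LEAKED):
        print("leaked copy matches the archive")
    else:
        print("leaked copy was altered:")
        for change in altered_lines(ORIGINAL, LEAKED):
            print("  ", change)
```

The manifest is only as trustworthy as its storage: keep it somewhere the adversary who took the mailbox did not also take (offline media, or signed and held by a third party), otherwise they can rewrite the record to match the forgery.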

Do not use email for anything that isn’t routine or mundane (“anyone hungry? Let’s get lunch,” is fine; gossip or rumours are not). Communications are critical, and in descending order of preference:

  1. Face to face
  2. Encrypted ephemeral messenger (Signal, Wire, Wickr)
  3. Encrypted messenger (Signal, Threema, Wire, Wickr, WhatsApp)
  4. Mass blast emails to everyone, because anything on email may as well be public

Get a Canary for your office network and configure it as a file or email server. They are ridiculously easy to set up, they’re cheap, and they have essentially zero false positives. Nothing legitimate ever has a reason to talk to them, so an alert from the Canary is highly likely to be indicative of malicious activity on your network.
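To make the zero-false-positive property concrete, here is an added example (my own code, not the Canary product or anything from the original post) of the idea in its simplest form: a fake mail service that no real client is ever pointed at, so every connection it receives is recorded as an alert with the peer address and the first bytes sent. The banner hostname and the `probe` client used to exercise it are constructed for the demonstration.

```python
import datetime
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Alert:
    when: str          # ISO-8601 UTC timestamp
    peer: str          # source IP of the connection
    first_bytes: bytes # what the client sent, for triage


class CanaryListener:
    """Decoy service: any connection at all is treated as an alert."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 mail.example.invalid ESMTP\r\n"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice shutdown
        self.port = self._sock.getsockname()[1]  # port 0 = OS picks one
        self.banner = banner
        self.alerts: list[Alert] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "CanaryListener":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def wait_for_alerts(self, count: int, timeout: float = 3.0) -> bool:
        """Block until at least `count` alerts exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return True
            time.sleep(0.05)
        return False

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, _port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self.banner)   # look like a real server
                    first = conn.recv(256)      # capture the opening bytes
                except OSError:
                    first = b""
            stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
            with self._lock:
                self.alerts.append(Alert(stamp, ip, first))


def probe(port: int, payload: bytes) -> bytes:
    """Constructed test client: connect, read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
        banner = client.recv(256)
        client.sendall(payload)
    return banner


def demo() -> list[Alert]:
    """Run one canary, hit it once, and return what it recorded."""
    canary = CanaryListener().start()
    try:
        probe(canary.port, b"EHLO test-host\r\n")
        canary.wait_for_alerts(1)
    finally:
        canary.stop()
    return canary.alerts


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.when} ALERT connection from {alert.peer}: {alert.first_bytes!r}")
```

The point to take away is that the detection logic is trivial precisely because the service is unused: there is no signature to tune and no baseline to learn, only the question of whether anyone touched it.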

Your team can focus on a limited number of real files while the adversary has to sift through everything that you produce. They cannot skimp on analytic resources because they have a deadline. Use this to your advantage by generating volumes of irrelevant, useless content. Ensure there are no patterns (e.g., the same two interns as authors, naming schemes, locations, etc.); you want to force them to analyze everything.

The major flaw with using Signal is that the numbers are attributable, which means a compromised account can expose all the sensitive information. Firstly, use ephemeral messaging. If there is something important you need to remember, copy it out of the message and put it into a locked note on the iPhone. Secondly, use Wire, registered with disposable email accounts (ProtonMail), and create cover names. You’ll easily remember the few important people you talk with, but figuring out who they are will consume adversarial analytic resources. Consider using Teams, a feature that allows you to set up a dedicated Wire server for your core group.

Trolls do a number of dangerous things: they spread misinformation, they sap the energy and will of the genuinely interested people, and they amplify opinion, suggesting it is the majority or consensus view. They must be thwarted by a professional team of paid social media elves, who work to counter the misinformation, to act as a tar pit keeping the trolls away from civilians, and to prevent the trolls’ orchestrated actions from appearing organic.

Memento calc.exe: remember, you will get hacked

The original guide’s suggestion to have designated people for key roles is good. But in the real world, those people are always in the wrong place when you need them. Consider implementing a PACE system for designated positions: one Primary, an Alternate, a Contingency and an Emergency. At a minimum, have an alternate to fall back on if your primary is unavailable.

Basic Security Hygiene

This guide from Tech Solidarity is a good starting point.


Defeating disinformation campaigns is not impossible, but it’s important to remember that the goal is to disrupt and counteract the exploitation of the collected information. Not getting hacked is a start, but it’s only a start. Be prepared to counter the disinformation campaign, and work to hinder its ability to collect anything usable. After all, this strategy worked for Macron in France. Even with access, there was nothing interesting or salacious to leak. Bland emails make for resilient campaigns.
