Campaign Information Security

In Theory and Practice

A committee of top tier infosec heavy weights (and a half dozen interns) got together and wrote a guide to campaign information security. It’s a fine document produced by a lot of talented people and definitely a good starting point. Indeed, it mirrors much of the advice I put together in August 2016 for political campaigns. I’m sure the authors have considerably more expertise on the details and ground realities of political campaigns than I do. Still, there’s some additional content that I believe is worth sharing, perhaps it will be of use to someone.

don’t fear the trolls, f#*k with them.
Rule #1: your objective is not “don’t get hacked,” your objective is “don’t let the adversary get useable information”

The first and most important thing to keep in mind that your goal is to deny the adversary useful information. Not getting hacked is certainly the first step towards that goal, but it is not the final step.

Rule #2: authenticity is the only thing that people believe

If the worst case scenario happens and the adversary begins leaking your data, verify that it hasn’t been tampered with or altered. The Soviets preferred a mixture of 9 parts truth to 1 part dezinfomatsiya for their influence operations. When you encounter an alteration or manipulation, you must immediately expose it by showing the original. This robs the adversary of authenticity. Their lost credibility is your gain.

Rule #3: the “e” in email stands for evidence

Do not use email for anything that isn’t routine or mundane (“anyone hungry? Let’s get lunch,” is ok, gossip or rumours is not.) Communications are critical and in descending order of preference:

  1. Face to face
  2. Encrypted ephemeral messenger (Signal, Wire, Wickr)
  3. Encrypted messenger (Signal, Threema, Wire, Wickr, WhatsApp)
  4. Mass blast emails to everyone, because anything on email may as well be public
Rule #4: use deception to lure the adversary out

Get a Canary for your office network and configure it as a file or email server. They are ridiculously easy to setup, they’re cheap, they have essentially zero false positives. This means that an alert from the Canary is highly likely to be indicative of malicious activity on your network.

Rule #5: use deception to consume the adversary’s analytic resources (hide your lake in an ocean)

Your team can focus on a limited number of real files while the adversary has to sift through everything that you produce. They cannot skimp on analytic resources because they have a deadline. Use this to your advantage by generating volumes of irrelevant useless content. Ensure there are no patterns (eg, same two interns as authors; naming schemes, locations, etc)…you want to force them to analyze everything.

Rule #6: use deception to mitigate the damage of a penetration

The major flaw with using Signal is that the numbers are attributable, which means a compromised account can expose all the sensitive information. Firstly, use ephemeral messaging. If there is something important you need to remember, copy it out of the message and put it into a locked note on the iPhone. Secondly, use Wire, registered with disposable email accounts (ProtonMail) and create cover names. You’ll easily remember the few important people you talk with, but figuring out who they are will consume adversarial analytic resources. Consider using Teams, a feature that allows you to setup a dedicated Wire server for your core group.

Rule #7: the way to fight trolls is with elves

Trolls do a number of dangerous things, they spread misinformation, they sap the energy and will of the genuinely interested people, and they amplify opinion suggesting it is the majority or consensus view. They must be thwarted by a professional team of paid social media elves, who work to counter the misinformation, to act as a tar pit keeping the trolls away from civilians, and to prevent the trolls’ orchestrated actions from appearing organic.

Memento calc.exe: remember, you will get hacked

The original guides suggestions to have designated people for key roles is good. But in the real world, those people are always in the wrong place when you need them. Consider implementing a PACE system for designated positions. One Primary, an Alternate, a Contingency and an Emergency. At a minimum have an alternate to fall back on if your primary is unavailable.

Basic Security Hygiene

This guide from Tech Solidarity is a good starting point.

Defeating disinformation campaigns is not impossible, but it’s important to remember that the goal is to disrupt and counteract the exploitation of the collected information. Not getting hacked is a start, but it’s only a start. Be prepared to counter the disinformation campaign, and work to hinder its ability to collect anything useable. After all, this strategy worked for Macron in France. Even with access, there was nothing interesting or salacious to leak. Bland emails make for resilient campaigns.

Support more posts like this.