
Cybersecurity Checklist for Political Campaigns - ohjeez
https://zeltser.com/security-checklist-for-campaigns/
======
tptacek
It remains the case that nobody has done this better than Tech Solidarity. Of
course, they have the benefit of actually having done this with a bunch of
campaigns, an opportunity they got by also raising money for congressional
campaigns during the last cycle.

[https://techsolidarity.org/resources/congressional_howto.htm...](https://techsolidarity.org/resources/congressional_howto.html)

In comparison:

* This is way too long and full of technical jargon. Even relatively major campaigns still aren't staffed with technical experts. Very few do their own application development. The person managing IT probably has 30 other jobs.

* This "checklist" has no coherent notion of the actual threat model campaigns face. It's just a laundry list of security advice of the sort a bank would provide to a downstream business partner.

* It's extremely casual about the two biggest threats campaigns face --- phishing and attachments. Campaigns need clear, actionable advice for dealing with these, and "be careful about links" absolutely doesn't cut it --- your mental model of phishing should be that _it always works_, and the attack needs to be broken directly (security key authentication has the virtue of actually doing this; "two factor authentication" does not).

* It contains silly advice, like "modern anti-malware" and "install a WAF".

This list would be unimpressive and ineffective even in trying to secure a
small business that actually had an IT team. I don't think it will be helpful
at all to campaigns.

~~~
shereadsthenews
WTF are they saying you can't use Dropbox, you should use Google Drive?

~~~
tristor
Data locality regulations

~~~
tptacek
That's not why TS makes this recommendation. Rather: campaigns are almost
universally dependent on GSuite anyways, Google has a fantastic security team
and while Dropbox's has gotten better in the last few years it's still not
Google, it's much easier to accidentally copy sensitive stuff into a Dropbox
folder than a GDrive folder, Google Drive works especially well with Google's
cloud document viewers, which is important for other reasons, and you might as
well just have one cloud dependency, not several.

~~~
jaden
There's still a non-zero risk of Google arbitrarily locking the account,
leaving you without access to your documents, spreadsheets and presentations
in Google Docs.

~~~
tptacek
When that happens to a major party political campaign, I'm sure people will
update the advice they're giving major party political campaigns.

~~~
cvwright
Cold comfort for the affected campaign(s) though...

~~~
maxerickson
To make this an interesting comment you have to address the trade off between
using PCs and Office software and whatever Larry sets up to store and share
files and Google's stuff, and then make a convincing argument that Larry is
better than Google.

~~~
cvwright
For progressive or moderate candidates, sure.

However, given events like this:
[https://thehill.com/policy/technology/406437-google-execs-la...](https://thehill.com/policy/technology/406437-google-execs-lament-trump-win-in-leaked-video)

Any conservative Republicans running in 2020 would have to be morons to trust
their entire communications infrastructure to a company who openly opposes
their policies.

(Cue jokes about how the 2nd half of that last sentence is redundant...)

~~~
maxerickson
I disagree, you still have to make a convincing argument that Google is more
likely to risk ruining a whole bunch of their business than Larry is likely to
screw up.

------
chc4
This checklist is pretty disappointing. It's a lot of pretty empty platitudes,
with no actionable info on what to _actually_ do. Telling politicians to
install updates and enable OS security features (which ones! what OS! is XP
still ok if they just install all the patches?) and revoke API keys (what's an
API? from what?) isn't comprehensive advice.

Contrast with
[https://techsolidarity.org/resources/congressional_howto.htm...](https://techsolidarity.org/resources/congressional_howto.html)
which is a checklist by the person behind The Great Slate, a tech-backed
grassroots Democratic funding push who has actually worked with politicians.
It tells you what phone to buy, what links to click to enable more security
for GMail, what app to install to have secure communications. Most politicians
are about as savvy as your grandmother.

~~~
overkill28
Do you know his rationale for some of the blanket statements like "always use
an iPhone, never an Android device" and "never use Safari on your laptop, but
it's ok to do so on your phone?" Presumably sophisticated opponents are
targeting iPhones and mobile Safari as much as Android and desktop Safari.

~~~
tptacek
Sophisticated attackers target everything. Desktop Safari is a _much_ softer
target than Mobile Safari, and, while flagship Android devices can be made
asymptotically as secure as iPhones, the median Android phone held by a
campaign staffer is much less secure than the median iPhone, which is
something you quickly discover when you see the menagerie of devices campaign
staffers use.

The two biggest threats campaigns face are phishing and attachments. There are
two good ways we know of to break attachment attacks: view attachments in
cloud viewers, like Google's PDF viewer, or view them on mobile devices, where
they can't trivially be clicked into monstrously insecure desktop productivity
applications. Of the two approaches, the latter --- sticking to mobile devices
--- is the one that can be deployed with the least amount of end-user
training.

~~~
packet_nerd
> Under no circumstances use the Tor browser (it's okay to use Tor, but do it
> with Chrome, and seek additional training on how to set it up).

I'm not sure I get the rationale behind this one? Is it just because they are
already using Chrome, so it's better to reduce the attack avenues?

Also, it seems to me if you need to use Tor, it's probably not a good idea to
do so on your regular Windows desktop. Wouldn't Tails be better advice while
also being more foolproof for less tech savvy people?

~~~
tptacek
Tor Browser might be the least safe browser on the entire Internet: it's a
very specific, always-behind version of Firefox (itself not the most hardened
browser) selected preferentially by sensitive targets, who have opted in to
being collapsed down to a single program for exploits to target.

------
x0ner
Campaigns should be finding ways to work with professionals from the
cybersecurity sector, not looking for ways to bolster defenses on their own.
The adversaries these groups face far exceed the norm when it comes to
industry standards --- your security admin from off the street is going to be no
match for a well-determined government. You need seasoned professionals who
have background across active incident response, defensive efforts,
intelligence and general best practices to even stand a chance.

People who match the description above don't need to be found as much as they
need a point-of-contact to campaign staff. Many of us are more than willing to
dedicate the time and resources needed to advise those who wish to take
security seriously, free of charge. The issue lies in the shared opaqueness of
the two parties that must come together; neither knows quite whom to contact and
both are unsure how to engage. We should not let a lack of understanding get
in the way of protecting our (anyone's, really) election process.

~~~
tptacek
That's a great way for campaigns to get lots of WAFs, intrusion detection
systems, endpoint agents, and vulnerability scans. But what campaigns need is
actionable advice that breaks phishing and attachment attacks. For that: they
should use iPhones and, when they use their desktop computers, Yubikeys. You
don't need professionals from the cybersecurity sector to make that happen
(although I am one of those); you just need someone to buy a bunch of Yubikeys
and spend 15 minutes with the campaign showing how to use them and telling
them to be afraid of their desktop computers.

~~~
x0ner
I agree with your general sentiment, but if it were that easy, we wouldn't
even be having the discussion. Nation-states going after a campaign are likely
to succeed; it's about limiting the exposure if they do. To your point, there are a
number of no-brainer processes or technologies to make those compromises
difficult or severely limit the damage and many do not require much to put in
place. You do need someone on-staff though constantly monitoring and enforcing
best practices.

~~~
tptacek
Campaigns :clap-emoji: never :clap-emoji: have :clap-emoji: this :clap-emoji:
person :clap-emoji: on :clap-emoji: staff.

You really have to get a sense for how ragtag a political campaign is.
Startups --- themselves pretty ragtag --- are raising funds and building for
an imagined future in which they're big. They _might_ engage professional IT
and security (though many don't). Campaigns aren't like that; every single one
of them will be "out of business" within a year and a half. They have minimal
infrastructure and a mostly volunteer staff, and there are many hundreds of
them every cycle.

At best, you might suggest that the upstream service providers for campaigns,
like NGP VAN, should get better at security. The DNC, for instance, has an
experienced CSO. But that CSO can't do all that much for individual campaigns.

~~~
x0ner
Just to end this out, I do agree. I was not suggesting this resource be paid,
but that they should have someone dedicated, even a volunteer.

------
BinaryBuddha
I'm generally a fan of Zeltser's materials for many things, but I have to echo
the comments from other users here: This seems lacking. In addition to the
TechSolidarity resource, the Cybersecurity Campaign PlayBook from Harvard
Kennedy School's Belfer Center is pretty good:

[https://www.belfercenter.org/CyberPlaybook](https://www.belfercenter.org/CyberPlaybook)

------
moftz
Seems like a good general list for small businesses when there are no other
security requirements to follow (PII, HIPAA, etc). If you aren't tech savvy
enough to handle these rules, then at least bring someone to set these kinds
of things up for you and your employees to follow. Either pay them to write up
guides on how to handle it yourself in the future or have them come in every
so often to check up on things.

