Why Political Campaigns Need Chief Information Security Officers

  • 20 July 2020

On July 10th, Joe Biden’s US presidential campaign announced it was hiring a Chief Information Security Officer (CISO) and a Chief Technology Officer (CTO).

Biden’s campaign team told The Hill that these security professionals would help mitigate cyber threats, bolster… voter protection efforts, and enhance the overall efficiency and security of the entire campaign.

This development confirms what cybersecurity experts have long understood — that, just like businesses, political campaigns require a CISO. We’ll tell you why.

Are political campaigns likely targets of cybercrime?

Rates of cybercrime — and the sophistication of cybercriminals — continue to increase across all sectors. Whether it’s phishing attacks, malware, ransomware, or brute force attacks, incidents are on the rise. 

And when you consider which industries are the most targeted (Healthcare, Financial Services, Manufacturing), it’s easy to understand why political campaigns are also targets of hackers and scammers:

  • Political campaigns are a cornerstone of the democratic process
  • They process the personal information of thousands of voters 
  • They handle confidential and security-sensitive information

These aren’t anecdotal reasons. Political campaigns have been targeted by cybercriminals before.

For example, in 2016, Hillary Clinton’s campaign manager, John Podesta, received a spear phishing email disguised as a Google security alert. Podesta followed a link, entered his login credentials, and exposed over 50,000 emails to malicious actors. This is a great example of how human error can lead to data breaches and goes to show that anyone can make a mistake. 

That’s why cybersecurity is so important.

How can a CISO help a political campaign?

Hiring a CISO — and thus improving the cybersecurity of political campaigns — has three main benefits:

  • Safeguarding the democratic process
  • Protecting voter privacy
  • Maintaining national security

Let’s explore each of these in a bit more detail. You can also check out our CISO Spotlight Series to get a better idea of what role a CISO plays across different sectors. 

Safeguarding the democratic process

Whatever your political persuasion, it’s hard to ignore headlines that detail the role cybercriminals played in the 2016 US election, including:

  • Cyberattacks occurred against politicians
  • Electoral meddling undermined voters’ faith in the democratic process
  • Better cybersecurity could have mitigated the impact of electoral cyberattacks

A CISO ensures better coordination of a political campaign’s IT security program. This can involve:

  • Mandating security software on all campaign devices 
  • Setting up DMARC records for domains used in campaigning
  • Assessing risk and responding to threats
  • Increasing staff awareness of good cybersecurity practices

Of course, these functions aren’t specific to political campaigns. A CISO’s job, whether at a big bank or a law firm, is to safeguard systems, data, and devices by implementing policies, procedures, and technology and to help build a positive security culture.

The difference, though, is that while a CISO at your “average” organization helps prevent data breaches and other security incidents, the CISO of a political campaign does all of this while also helping maintain faith in the process among voters. 

Keep reading to find out how.

Protecting voter privacy

Political campaigns must communicate directly with individual voters, which means those working on the campaign have access to highly sensitive information. And we’re not just talking about names and addresses. Even a person’s intention to vote is highly sensitive personal information.

While – yes – many people publicly proclaim their ideology and voting intention via social media, those people don’t expect their information to be mined by data-harvesting software, combined with other personal information, and shared with unauthorized third parties. They simply want to share their views with friends, family, and followers.

  • What is data mining?

    Data mining is a process used to extract trends and patterns from large data sets. Depending on what data is being mined, these trends can be used to inform advertising and marketing initiatives, supply chain processes, and other business (or political) functions.

Like hacking, data mining operations can affect the outcome of elections. They also represent a gross invasion of individual privacy. 

How valuable an asset is voter data? A few recent high-profile examples will give you an idea.

  • The UK pro-Brexit Vote Leave campaign’s involvement in the Cambridge Analytica scandal
  • Rand Paul and Ted Cruz’s campaigns allegedly selling their voters’ contact information to the Trump campaign
  • Rick Santorum’s campaign selling voters’ data to a “doomsday prepper” firm

These examples prove that voter data can be used to raise funds or create a political advantage. But what are the consequences?

To start, voter trust is lost, which – as we’ve discussed – can impact the democratic process. Beyond that, there are also legal ramifications. Under state and federal privacy laws, selling personal information is a legally regulated activity. Any allegation that a campaign has violated privacy law would be extremely damaging not just reputationally, but financially.

A CISO can help ensure that a political campaign is less likely to engage in risky behavior with voters’ personal information and help the campaign comply with privacy law.

But it’s not just personal information that political campaigns handle.

Maintaining national security

Political campaigns also handle security-sensitive information which must be carefully safeguarded.

Robert Deitz, former senior counselor to the CIA, told The Washington Post that a Russian cyberattack on the Trump campaign could reveal information about Trump’s foreign investments and negotiating style. Having access to this data could help Russia understand “where it can get away with foreign adventurism.”

A CISO has overall responsibility for information safeguarding within an organization. They understand: 

  • What types of data exist about the candidate 
  • How and where the information is processed, stored, and transferred
  • Who can access the data

All of this information helps CISOs implement data loss prevention (DLP) strategies in order to keep sensitive information out of the hands of bad actors. 

Why does this matter? 

Data privacy – and therefore cybersecurity – is essential for the modern world. 

In fact, in business, a strong security posture fosters trust with customers and prospects and is therefore considered a competitive edge. Why? Because data is valuable currency. Customers and prospects expect the organizations they interact with to safeguard the information shared with them.

Shouldn’t politicians foster trust with voters in the same way?