August 11, 2020

Q&A: Michael Kaiser on State of Election Campaign Security

Presidential campaigns have embraced the move to mobile as a fast, reliable way to communicate with campaign staffers, potential voters and political organizations. According to Tech for Campaigns, 90% of 2018 digital political campaign ad spend was delivered to mobile devices.

While a compromised mobile device is a far more potent spy than a traditional computer, few campaigns actively prioritize the protection of mobile devices because their potential to cause damage is not as well understood. In addition, the smaller screen of a mobile device and the design of mobile-specific sites make it more challenging for people to identify phishing attacks.

There are many ways for bad actors to take advantage of mobile devices. As an example, Lookout saw a significant uptick in the use of text messages to target voters at the end of the 2018 midterms. This barrage of text messages creates an opportunity to trick voters by crafting phishing texts posing as legitimate campaigns. Once a text message is clicked or malware is downloaded, the attacker can access everything on the device from passwords to the camera and audio recorder.

All campaigns need to embrace mobile security solutions that keep devices safe from mobile phishing attempts in apps, social media, email and more. Lookout has partnered with Defending Digital Campaigns (DDC), a non-profit with the goal of ensuring the cybersecurity of election campaigns. As part of the partnership, Lookout is providing mobile security solutions for free to help protect personal devices.

Michael Kaiser, president and CEO of DDC, provided perspectives on how the election security landscape has changed from 2016 to now and what presidential campaigns should consider ahead of the 2020 election.

What inspired you to start Defending Digital Campaigns?

DDC was founded by former presidential campaign managers for Hillary Clinton and Mitt Romney, as well as former senior officials at the NSA and DHS, and the tech industry. Their combined expertise gives DDC the ability to curate a comprehensive collection of quality security products and engage effectively with campaigns for both parties.

What is the end goal for the Defending Digital Campaigns organization?

DDC’s mission is to bring free products and reduced-cost cybersecurity products and services to federal election campaigns—House, Senate, and Presidential as well as the DNC, RNC and their campaign committees. Longer term, we hope our efforts lead to higher awareness and faster adoption of cybersecurity solutions by campaigns.

How are cybersecurity threats expected to escalate as we move through the election cycle? How are threats different now from 2016? How are they the same?

I suspect the closer we get to elections the more we will see attempts to disrupt our campaign process. We can expect more vigorous phishing attacks, data theft, ransomware attacks, as well as disinformation and misinformation efforts.

The kinds of attacks that occur will be based on the motivations of the perpetrators. It could be nation states trying to divide us and be disruptive, a person or group in our own country opposed to a particular candidate, or cybercriminals stealing data to be monetized, conducting scams like business executive compromise, or seeking payments through ransomware.

Similar to 2016, phishing remains a major attack vector with the motive of credential theft in order to gain broad access to a campaign’s network. Generating and sending phishing emails is not a heavy lift for cybercriminals.

Ransomware may be more prevalent than in 2016. We have seen increasing numbers of ransomware attacks in the last few years and there is every expectation that campaigns, which may be perceived as being less secure, will be targets. Attacks to steal confidential data will also be a focus of the hackers this election cycle.

Why is it important for campaigns to protect their mobile devices in particular? How has Lookout been able to help DDC’s campaigns do that?

Mobile devices are an essential part of every campaign strategy. Tremendous amounts of vital data rapidly cross through and reside on mobile devices. Campaigns use mobile devices and apps to perform a myriad of campaign functions including document sharing, texting, conducting field operations and collecting data. In addition, most campaigns are ‘bring your own device’ (BYOD) and the devices are used for both campaign and personal activities. It is not a common practice to have these devices configured by the campaign’s IT or security staff. Therefore, protecting the mobile devices is critical. Campaigns need to think beyond just paid employees -- including volunteers, consultants, the candidate and his or her family and close confidants -- when determining who needs to be protected.

Lookout was one of DDC’s first partner vendors because of the importance of mobile security to the campaign ecosystem. Lookout fills a critical spot in a comprehensive approach to cybersecurity and we encourage every campaign to pay attention to mobile security. The campaign employee can download the Lookout app from the iOS Store or Google Play for free. The Lookout app notifies the user of the device of a threat and provides instruction on how to remediate it. Lookout performs all of its security functions without inspecting emails, texts, or app content, so it can protect without prying.

What has been the response from the campaigns?

At DDC, we don’t publish the campaigns that have utilized specific products or services. We can share that around 90 eligible entities have made use of DDC offerings.

In the last couple of weeks we have seen the momentum growing. That said, the campaigns we have worked with have been eager to increase their cybersecurity posture. Most have some understanding of the need for the basics like securing credentials and devices. They are open to other ideas and expanding their knowledge of what they should be doing.

Do you believe Presidential candidates understand the cybersecurity vulnerabilities facing their campaigns? Do you think they understand the reality that the health of our democracy is impacted by vulnerabilities in the election system?

The 2020 election probably is the most anticipated event in U.S. history when it comes to digital security. DDC has worked with several presidential campaigns this cycle. They were all underway when DDC was stood up in the early fall of 2019, so when we reached and started working with them these campaigns had taken some steps to be more cybersecure.

My overall impression from the campaigns I spoke with is that cybersecurity is important. All had taken some measures and we are able in most cases to provide them with some additional free or lower cost services. It was very satisfying for DDC to hear that by taking advantage of one of the products we had, we are freeing budget for other efforts. That’s a win for all.

U.S. adversaries are turning their attention away from hardened email security systems and toward softer mobile targets. The sensitive information within a campaign and the opportunity to inform misinformation campaigns make them prime targets for mobile attacks. Ready to learn more about how Lookout can protect your campaign from harmful mobile attacks? Contact us.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization
