|« The Stranding of the MV Shokalskiy|
In my previous post, I wrote about my efforts to secure Congressional campaigns in 2018. Obviously, this should be somebody's real job, but figuring out whose is not easy.
I have gathered all of the suspects here in the conservatory, so let's go through them one by one.
(A reminder of what I mean by campaign security: protecting the online lives of people on and around a campaign from intrusion, with a special emphasis on their personal email and social media accounts. I emphasize the personal part because many campaign security efforts start by declaring personal data out of scope, and then solve the easier problem of protecting what's left. This is like putting a lock on your glove compartment to deter car theft.)
So, who should be in charge of securing campaigns?
The campaigns themselves?
This is the status quo, and hopefully my earlier post convinced you that it is a bad state of affairs. Campaigns have small budgets and operate in an unusually hostile environment. Not only are there people whose job it is to attack campaigns, but those people enjoy their work, get a government pension when they retire, and live happy, fulfilled professional lives.
Our current approach of emailing PDFs to campaigns to teach them how to mount a competent defense against state-supported attackers is like sending microbiology textbooks to a plague ship. It doesn't matter how accurate the information is, or how well it is presented. Without in-person training and specific, positive product recommendations, the task is hopeless.
So, what if we gave every campaign the resources to hire their own security expert? Depending on the assumptions you make, it would cost something like $50M-$300M to secure every Federal campaign ① —a large, but not unthinkable sum.
But even if there were 2,500 capable consultants in the country, the same lack of expertise that prevents campaigns from mounting a competent defense would prevent them from choosing the right people.
If we give the campaigns wheelbarrows of cash, it will just get eaten by one of the many species of consultants who parasitize our political system.
The Federal government?
State-backed attackers want to subvert our democracy. But we have our own state—a big one! So why not just use that?
The Federal government is full of security experts, many of whom routinely go up against the kind of adversaries campaigns need to defend against. It has computers and money.
But the Federal government is a heterogeneous place. Which government agency do we turn to? There are experts in information warfare in the armed forces, the CIA, the NSA, the FBI, and, for all we know, the USDA's Grain Inspection, Packers & Stockyards Administration. Which one should be in charge of securing campaigns?
Here are all the plausible agencies I've come up with:
The CIA, NSA, and armed forces have abundant expertise. But putting soldiers and spies on political campaigns still feels a bit banana republic. Let's revisit this one next year.
The FBI is a domestic civilian agency, and had deep expertise fighting the kind of people who are a threat. They are also the group who come in to investigate after a campaign is hacked. But the FBI are cops whose job is to investigate crimes, and the Justice Department (at least before Comey) took scrupulous care to keep them away from the electoral process. We should respect that.
The Secret Service has a weird amalgalm of responsibilities (stop politicians from getting shot; prevent counterfeiting; secure the Super Bowl) that includes protecting 'critical infrastructure'. But because they are literally the secret police, we should not put them on campaigns, either.
The Federal Election Commission is the one Federal agency campaigns already have to interact with. But the FEC's job is to monitor compliance with campaign finance law. Putting them on campaign security is like asking the IRS to be your bodyguard. It would make both sides uncomfortable, and it's not what they're for.
There is an entity called the Election Assistance Commission, which was created under the 2002 Help America Vote Act. As an independent agency, it has a promising organizational structure, but its job as defined by the law is very clearly around voting and elections, not campaigns. The EAC also has a poor track record of avoiding political pressure.
The United States Digital Service is a wonderful, quiet (shh!) corner of the Federal government with good contacts in the tech industry. It could draw on a deep pool of volunteer or paid talent to secure campaigns, and is nimble enough to approach the problem creatively. But organizationally, it reports to the Executive Office of the President, so it would always be unacceptable to half the campaigns in the country.
- That leaves us with the Department of Homeland Security. Oh boy. There is an entity deep within the DHS called the National Cybersecurity and Communications Integration Center that, if you squint at the legislation, kind of has campaign security in their remit.
Culturally, the NCCIC is one of those places that likes to prefix things with cyber- (for example, see their "tips for a cyber safe vacation"!), and is set up for the government equivalent of enterprise sales.
Last year, one of the campaigns I worked with tried contacting the NCCIC for help, to see what would happen. They replied by sending email attachments (!!) offering a weeks-long organizational phishing assessment, along with something called a Validated Architecture & Design Review (VADR) that required a six-month lead time, and a port scan that could start immediately.
Whatever it is the NCCIC does, and whatever a VADR is, they are clearly geared at large government departments rather than three staffers on their cell phones.
But even if the NCCIC were retooled to work with campaigns, it would still be subordinate to the DHS, which is the same highly politicized agency that runs immigration and border control. In our current political climate, it is not advisable to involve DHS in political campaigns.
So none of the existing Federal agencies are a great fit. What if we set up a new one, a Federal Bureau of Campaign Security, and made it an independent agency? We could model it on successful apolitical agencies like the National Transportation Safety Board that combine genuine political independence with deep expertise.
But campaigns, unlike regular train wrecks, are inescapably political. And we live in a moment where even politically neutral legislation around election security that would have passed 100-0 in an earlier Senate is blocked by the party in power.
So realistically, there is no hope for an independent Federal agency even if you think it's a good idea.
And we should think carefully about whether it's a good idea! Having the FEC as the sole point of contact between campaigns and the Federal government is a strength of our democracy. You can run a campaign on a platform of pure insanity, and as long as you do the paperwork and submit your FEC filings on time, you will not get hassled by The Man.
Bringing something that resembles law enforcement so intimately into the campaign process would breach an important democratic firewall.
The national parties?
Since the U.S. runs on a two-party system, we have a pair of large national organizations that are already deeply involved in political campaigns. They have a lot of money and by definition can reach any candidate they want.
So what if we put them in charge of security?
Here it helps to understand how the parties are structured. I will talk here about the Democratic side of things, since it is what I know. I ask Republican readers to please correct me if things work differently on their side.
Like Gaul, the Democratic party is divided into three parts: the Democratic National Committee (DNC), the Democratic Senatorial Campaign Committee (DSCC) and the Democratic Congressional Campaign Committee (DCCC).
Of these three, the DNC is the prestige organization, in charge of the presidential campaign and party convention. The DCCC deals with House races, and the DSCC deals with Senate races.
The top priority for both the DCCC and DSCC is incumbent protection. They are designed to keep people in office once they get in office, and they prioritize around defense. To the extent that the party feels its oats in a given election year, it will also use these organizations to support challengers going after seats held by the other party.
Culturally, the DSCC and DCCC are different. The DSCC is smaller, with only 33 campaigns to worry about in a given election year, compared to the DCCC's 435. The DSCC has people who stay on from year to year, including very talented career computer security professionals.
The DCCC, meanwhile, is strictly an ‘up and out’ organization like McKinsey, where young people sign on for two or four years of suffering and then graduate into a lucrative world of lobbying or political consultancy.
The DCCC is easiest to visualize as Dante's Hell, a series of concentric rings, with the highest-profile campaigns in the center. In the innermost circle, frozen in ice, is the House leadership. Beyond that are high-profile incumbents, followed by regular incumbents, then the prestige ‘Red to Blue’ races where the DCCC thinks it can win and is willing to invest resources.
After that come the less prestigious 'Red to Blue' districts that get no fundraising help, and then a large limbo of 'everybody else' that ranges from genuinely competitive races that the DCCC does not think are winnable, to long-shot campaigns in extremely unfavorable districts.
It's possible to go through an entire campaign, including winning a contested primary, without once hearing from the DCCC, or anybody in the national party, at all. (For example: Ian Todd, in Minnesota's 6th district.)
The DCCC's obsession with fundraising, and its role as a career stepping stone to the consultancy pig trough, leave it ill-equpped to help with campaign security.
The DCCC could be reformed into an effective organization, but it would mean rewiring the way the Democratic Party thinks about campaign money, which essentially means reimagining our political system.
I see your hand shoot up! You want to reimagine our political system! But we're not mathematicians—we can't solve a hard problem by turning it into an even harder problem, and trying to solve that instead. Campaign security is plenty hard enough.
A valid criticism of putting national parties in charge of security is where it leaves independent or third-party candidates. If this is how we address campaign security, then there must be a mechanism where those campaigns can avail themselves of the training on an equal basis by approaching whichever of the two major parties they hate least.
State party committees?
What if we want to run campaign security like we run other aspects of our Federal elections—down at the state level?
Every one of the 50 states has its own party organization, and they are in more intimate contact with Congressional campaigns than the somewhat Olympian DCCC/DSCC.
State party committees are a good potential reservoir for tech expertise that could persist across election cycles. If the national parties got serious about campaign security, organizing an umbrella program nationally and making it available through the state parties (the way the Democrats make the Voter Activation Network available now) would make organizational sense.
The national party could help set standards and harmonize things across the fifty states, while the individual committees could make sure campaigns got the in-person training.
A further benefit of institutionalizing security expertise at the state party level would be extending the training to state races, which include positions like secretary of state and attorney general that are essential to the fair conduct of all elections, both state and Federal.
Unfortunately, in our current dynamic, resources and talent tend to get strip-mined out of state parties to feed national campaigns. Presidential candidates come through every four years like a plague of locusts, and leave the state parties struggling to recover.
Giant tech companies?
Oh man, the giant tech companies are the worst! They are so big and bad, and (depending on your politics) are either actively promoting fascism or censoring the voices of the nice young men trying to keep our bloodlines pure.
But the big tech companies are the ones already guarding all the sensitive data we want to protect, so it's worth it to hold our nose for a minute and think about that.
Apple, Google, Facebook, and Microsoft are exceptionally well placed to help with campaign security. They have the technical know-how, they have (despite their protests) abundant resources, and they already run our campaign infrastructure, as well as candidates' personal devices and accounts. All four companies come under regular attack from the same kind of people who want to subvert political campaigns. They have the best security teams in the world.
But there are a few obstacles to enlisting their help.
The first obstacle is campaign finance law. Companies are not allowed to offer products or services specifically targeted at campaigns. The intent of this is clear—you don't want Apple handing out a gold ‘Apple Watch Campaign Edition’ to every incoming Senator. For similar reasons, companies are not allowed to offer special discounts or services to political campaigns.
There are some things that it would be really useful to have the tech companies do, which should not be prohibited. Specifically:
- providing a special hotline for campaign staff
- flagging campaign-adjacent email addresses and social media accounts for heightened scrutiny (for example, requiring human review of any password reset attempt).
- restricting access to account archives for the duration of a campaign (a change I called for more generally in a different context)
- sending in-person trainers and free equipment to set up campaigns with two-factor authentication
A second, and arguably bigger obstacle to enlisting tech companies' help is their fear of antagonizing the political right. The threat against campaigns is not symmetrical, with the Democratic Party being most at risk. So this theoretically nonpartisan issue (like election security) has become politically charged.
My experience in talking to teams at big tech companies is that they will not touch campaign security with a barge pole, even in the rare areas their legal team gives them a green light.
A third reason to be leery of tech companies is that they are heavily involved in lobbying legislators. Facebook, Microsoft, Amazon and Google all make political donations to Federal campaigns (though Microsoft recently promised to stop).
A fourth reason is that Facebook and Google make a fortune from political advertising. They are not disinterested parties.
Finally, there is the fact that the tech oligopoly already has state-like political power, and bringing them overtly into campaigns is undemocratic and dangerous.
So from a technical point of view, having the tech companies secure campaigns is very appealing. From a civic point of view, it raises a lot of concerns. And campaign finance law makes it almost impossible.
Advocacy groups and nonprofits?
There are a zillion campaign-adjacent advocacy groups and nonprofits. Some of them give money to campaigns, others offer prestigious endorsements; some are non-partisan and focus specifically on technology.
Groups that donate money or offer endorsements have a big advantage in that they can make campaigns jump through any hoop they want. Before you're added to EMILY'S LIST, for example, you've already gone through a grueling process of sharing your fundraising numbers, adding them to a weekly conference call, bringing their visiting representatives coffee just the way they like it, letting EMILY borrow all the books she wants from your personal library, and so on.
That 'whatever else' can easily include security training, and some of the big PACs and advocacy groups do offer this kind of training.
The problem with these groups is they can't reach everyone, they don't want to reach everyone, and they don't necessarily have the expertise to help. End Citizens United is a campaign finance advocacy group, so why on earth should you listen to them give advice on passwords?
It comes back to the same problem campaigns have: how are people at these organizations supposed to evaluate and hire expert help for the very specific problem of campaign security?
That leaves us with those advocacy organizations for whom campaign security is the key issue.
The big kahuna in the 2020 cycle is shaping up to be the Defending Digital Democracy Project, backed by Harvard and the big tech companies.
The D3P recently secured an important FEC advisory opinion allowing them to offer training and software to campaigns, and to set up a hotline, without being in violation of campaign laws. This is an extraordinarily positive decision, but unfortunately it does not address whether the help can extend to candidates' personal devices and accounts.
Another problem is that the D3P is the spiritual successor to efforts by the Belfer Center in 2018, which focused entirely on securing campaign data, and not on personal accounts (if you're wondering why that is a problem, see my previous post).
And then, forgive me for being rude, but these are Harvard and D.C. luminaries. Nobody on this highly decorated planning team wants to spend weeks in the Houston suburbs or go live in Dayton. They want to speak at conferences and go to dinner parties in Palo Alto and Cambridge. The actual work of going out and training campaigns is going to be farmed out to Harvard Kennedy School students instead. I am sure the students are bright and dedicated, but sending students to do this work does not send the message that this is a critical safety issue requiring the candidate's attention.
The other group of interest, one that actually goes and does the work using volunteers who are of drinking age (a key consideration in politics!), are the DigiDems. I like the DigiDems! What sets them apart is a permanent presence on the campaign, in a role that combines security training with work that adds real perceived value, like managing digital ads.
The great thing about working with DigiDems from my perspective in 2018 was that it gave me a point of contact at the campaign over time, and a way to find out what training approaches were effective, and which weren't. So if the campaign suddenly opened a field office, the DigiDem could take care of getting new people set up with security keys, and apply steady pressure over time on behavior like password reuse.
The not-so-good thing about the DigiDems is that they don't embed with everyone, and security is not their focus. How much authority they have to change behavior also depends very much on the campaign. I met DigiDems who were able to be highly effective in improving security, and others who were relegated to nerd Siberia by campaign leadership that just saw them as glorified help desk staff.
Why is this all so hard and boring?
Four factors conspire to make securing campaigns exceptionally difficult:
First, securing any computer system is hard. All of the problems that bedevil campaigns come up routinely in IT settings.
Second, campaigns are up against state-level adversaries who have the time and resources to target people individually. The stakes are extremely high, and threats that you wouldn't normally see at a four-person company (like targeted spearphishing) are very real on a four-person campaign.
Third, campaign finance laws and political institutions impose weird boundaries on defenders (like the distinction between personal, official, and campaign accounts) that attackers are free to ignore.
Fourth, campaigns are interminable, which gives attackers all the time in the world to go after their targets. It's August 2019 and already most Congressional campaigns are in full fundraising mode. The awfulness of campaign fundraising poisons everything around it, but I'll save that rant for a future post.
If after all this you find you still care about campaign security, go talk to the DigiDems! They need volunteers, and this is an excellent time to get involved in Congressional campaigns.
If you'd like to volunteer on a local campaign individually, just remember—don't go in talking about security; start by solving some basic IT problems for them, and figuring out how to run Facebook ads. By the time you're ready to talk security, you will have learned a lot about the setting you're working in, and the campaign will adore you.
If you are reading this and are actually running a campaign, God help you, then take a look at the guidelines my group came up in 2017. It is much easier to start doing this stuff piecewise than to make a big push for it next year, when the primary election is looming. I'll keep these up to date as the campaign season rolls on, in case people find them helpful. And I'm happy to matchmake for any campaign looking for tech volunteer help.
P.S. I know that "CANDIDATE_NAME2020" is your campaign password. Go change it.
① There are 470 Federal offices up for election in 2020 (33 Senate races, 435 House races, and the presidency and vice-presidency). Let's say on average there is one incumbent and a four-way primary for each seat. That's 2,350 people to hire. Pay them each $100K for their trouble and you get $235M. For comparison, the total cost of the 2018 election was $5.7B .
|« The Stranding of the MV Shokalskiy|
brevity is for the weak
Greatest HitsThe Alameda-Weehawken Burrito Tunnel
The story of America's most awesome infrastructure project.
Argentina on Two Steaks A Day
Eating the happiest cows in the world
Scott and Scurvy
Why did 19th century explorers forget the simple cure for scurvy?
No Evidence of Disease
A cancer story with an unfortunate complication.
Controlled Tango Into Terrain
Trying to learn how to dance in Argentina
Dabblers and Blowhards
Calling out Paul Graham for a silly essay about painting
Attacked By Thugs
Warsaw police hijinks
Dating Without Kundera
Practical alternatives to the Slavic Dave Matthews
A Rocket To Nowhere
A Space Shuttle rant
Best Practices For Time Travelers
The story of John Titor, visitor from the future
100 Years Of Turbulence
The Wright Brothers and the harmful effects of patent law
Every Damn Thing
maciej @ ceglowski.com
Please ask permission before reprinting full-text posts or I will crush you.