1 of 35

Usenix Security 2021 ✱

“Why wouldn’t someone think of � democracy as a target?”

Security practices & challenges of people involved with U.S. political campaigns

Sunny Consolvo

Google

Patrick Gage Kelley

Google

Tara Matthews

Google

August 2021

Kurt Thomas

Google

Lee Dunn

Google

Elie Bursztein

Google

Security, Privacy, and Anti-Abuse Research

2 of 35

How John Podesta’s email got hacked, and how to not let it happen to you

How the Russians hacked the DNC and passed its emails to WikiLeaks

Macron Leaks: �The anatomy of a hack

Oct. 2016

July 2018

May 2017

Security, Privacy, and Anti-Abuse Research

3 of 35

3

- A study participant [emphasis added]

Security and politics should be separate... �If you’re a candidate, you should win or lose on your best day, based on who you are. Not because your email got popped and posted online by a [nation-state cybersecurity team].”

Security, Privacy, and Anti-Abuse Research

4 of 35

4

Research

Security, Privacy, and Anti-Abuse Research

5 of 35

5

28 people involved with political campaigns in the U.S.

Organizations

political campaigns
party committees (nat’l, state)
super PACs
campaign-specific service �/ support providers
academia

Roles

candidates
campaign managers
digital directors
research, strategy
security / IT staff

Qualitative research

Security, Privacy, and Anti-Abuse Research

6 of 35

2 main security factors

Work

culture

Tech practices and vulnerabilities

Security, Privacy, and Anti-Abuse Research

7 of 35

7

[Campaigns are] totally transient, �and almost everybody gets hired in �the 3 months prior to the election…

There’s really very few incentives for �any kind of [security] rigor.

Because you’re up against the clock, and �faced with the ticking clock, everything pales.”

— A study participant [emphasis added]

Security, Privacy, and Anti-Abuse Research

8 of 35

8

Different culture

They are� resourced constrained

They are� short-lived

They have�amorphous boundaries

They are� chaotically busy

Security, Privacy, and Anti-Abuse Research

Campaign culture is different from other organizations

For one thing, campaigns are short-lived. Participants described campaigns as being similar to start ups with a quick ramp up, no existing security infrastructure, and an abrupt ending.
Campaigns typically have only enough money to survive a hectic cycle of campaigning with minimal staff (depending on the race size or competitiveness, of course). These constraints can make investments in security a hard sell - especially at the beginning of the campaign, which is often also when processes and habits are established that can be difficult to change later in the cycle, even if security expertise is eventually brought on.
Their short life span and limited financial resources also make campaigns chaotically busy. Intense time pressure can lead to the perception that there’s little to no time for extra security.
Finally, campaigns have amorphous boundaries. Campaigns work with people from many different external organizations (including consultants, committee staff, and volunteers). These organizations range from having no IT or security expertise to actually having pretty good IT & security expertise.

Another boundary issue is about when the campaign officially begins. There are likely to be many communications about a potential run for office that precede any formal organization or infrastructure that will eventually be put in place.

The end result of this long-established culture is that campaigns usually have little security knowledge and are unlikely to prioritize security.

So with that quick overview of campaign culture, how are people who support campaigns using technology

9 of 35

9

Account use

MANY accounts are used for campaign work

workplace system(s)
communication tools(s)
social media
video / phone conferencing
personal communications accounts
and so on...

Some accounts are hyper-shared or hyper-owned

Security, Privacy, and Anti-Abuse Research

People involved with political campaigns likely use many different accounts for their campaign-related work.

Like a workplace system, G Suite or M365
a messaging app like a Slack, Wickr, or Signal.
A few social media accounts
They may use Zoom or FaceTime,
AND They probably do some sort of campaign-related communications across their personal texting and phone

There are also campaign-related accounts that are hyper-shared or hyper-owned. These might be accounts for press, fundraising, hiring, and so on. Many workers need to access them, and ownership may change from cycle to cycle (or sometimes even within cycle as the campaign grows or if there are staff changes).

-------

People involved with political campaigns likely use many different accounts for their campaign-related work.

E.g., the campaign might provide an account from a workplace system like G Suite or M365 - and maybe also something like DropBox
People involved with campaigns might also use a communication tool like a Slack, Wickr, or Signal.
There’s probably a social media presence across various providers like Twitter, Instagram, Facebook, and maybe YouTube and TikTok too.
They may use Zoom, FaceTime, Meet, Teams, Skype, or some other video or phone conference provider.
They probably do some sort of campaign-related communications across their personal SMS, phone, and maybe -- or really probably -- their personal email and social media accounts too.
There’s a good chance that they updated their LinkedIn profile to mention their involvement with the campaign. And then there are the accounts for fundraising like an ActBlue or WinRed. And the list goes on.

There are also campaign-related accounts that are hyper-shared or hyper-owned. These might be accounts for press, fundraising, hiring, and so on. Many workers need to access them, and ownership may change from cycle to cycle (or sometimes even within cycle as the campaign grows or if there are staff changes).

10 of 35

10

Accounts not used for campaign-related �work are also targeted

Anything that can derail, embarrass, �or otherwise disrupt could be a target

Not just campaign accounts

Security, Privacy, and Anti-Abuse Research

11 of 35

11

Some important aspects

It’s unusual for campaigns to have IT staff

Only the individual can access all accounts

This means they need to...

understand that there’s a real risk
do something about it
know what to do about it
prioritize doing something about it

Security, Privacy, and Anti-Abuse Research

12 of 35

12

[What are nation-states after?] �“Emails, communications, anything that could compromise the campaign, make it look bad... Anything that makes the campaign or the staff look bad...”

— A study participant [emphasis added]

Security, Privacy, and Anti-Abuse Research

13 of 35

13

2FA practices

Heard of and probably have used 2FA

2FA is under-utilized on targeted accounts

Weaker 2nd factors are often used

Security, Privacy, and Anti-Abuse Research

14 of 35

14

Common 2FA concerns

Too much time & effort

Fear of account lockout

Hyper-shared & hyper-owned accounts

Security, Privacy, and Anti-Abuse Research

15 of 35

15

Different factors

Different factors = different levels of security

don’t know or �can’t explain why

aren’t aware that they should use it to protect most of their accounts

They know 2FA is important, BUT�. . .

Security, Privacy, and Anti-Abuse Research

16 of 35

16

Risk & outcomes

Campaigns face an outsized risk of being attacked

The outcomes can be outsized too

Security, Privacy, and Anti-Abuse Research

17 of 35

17

Conclusion

Security, Privacy, and Anti-Abuse Research

18 of 35

18

44 experts

Expert roundtable

from 28 organizations

Security, Privacy, and Anti-Abuse Research

In the summer of 2020 we assembled an expert roundtable of 44 experts from 28 organizations to confirm and also respond to our findings,

For the expert roundtable, 44 people attended overall, not including the 3 of us who organized the event - 13 attendees were from the Republican party, 12 from the Democratic party, 10 from tech companies, and 9 from academia or non-partisan political nonprofits.

28 organizations in total were represented at the roundtable

:::::

Roundtable attendance:

43 attended a kick-off
29 completed a work packet
36 attended one of 9 small group discussions

Organizations represented were:

America Rising Corporation
Axiom Strategies
CGCN
dayONE Cyber
D3P (Defending Digital Democracy Project)
DCCC (Democratic Congressional Campaign Committee)
DDC (Defending Digital Campaigns)
DigiDems
DNC (Democratic National Committee)
Dropbox
DSCC (Democratic Senatorial Campaign Committee)
EMILY's List
Facebook
Google
Harvard Kennedy School’s Belfer Center for Science & International Affairs
Higher Ground Labs
Johns Hopkins University
Microsoft’s Defending Democracy Program
NRCC (National Republican Congressional Committee)
NRSC (National Republican Senatorial Committee)
NYU (New York University) School of Law’s Brennan Center for Justice
Princeton University
Rice University
RNC (Republican National Committee)
RNC Convention
Slack
TAG Strategies
USC (University of Southern California) Dornsife Center for the Political Future & Viterbi School of Engineering

19 of 35

19

Expert roundtable’s focus

Improve security practices on political campaigns

Single, consistent piece of top advice for 2020

Feedback on our research findings

Security, Privacy, and Anti-Abuse Research

20 of 35

20

Tailored advice & education

Security advice & education that is tailored to their �needs and context

Consistent �message

Exactly �what to do & why

Prioritize! �Not everything can be critical

Security, Privacy, and Anti-Abuse Research

21 of 35

21

More research

From deep, foundational research �to tactical usability studies

Around the world

Across various types of campaigns

& campaign workers

Security, Privacy, and Anti-Abuse Research

22 of 35

22

Improved protections

Very robust, very usable security protections

Default settings

Standardization of offerings & experience

(Perceived) �time & effort

Security, Privacy, and Anti-Abuse Research

23 of 35

23

— A study participant [emphasis added]

“What is 100% true... is that foreign adversaries want information… The faster we all realize that, the better off we’re going to be…

to see politics and campaigns at all levels as a fundamental piece of democracy that needs to be protected . . .

For sure foreign adversaries are trying to attack our systems… Why wouldn’t someone think of democracy as a target?”

Security, Privacy, and Anti-Abuse Research

24 of 35

24

A big thank you

Our research participants

Our roundtable attendees

The many people at Google who helped make the research & roundtable happen

Security, Privacy, and Anti-Abuse Research

25 of 35

ARCHIVED

Everything beyond this point to be removed.

25

Security, Privacy, and Anti-Abuse Research

26 of 35

In today’s talk . . .

26

Understanding Campaigns

Security Challenges

Conclusion

Research

Security, Privacy, and Anti-Abuse Research

27 of 35

27

Imagine . . .

Security, Privacy, and Anti-Abuse Research

To get started, I’d like to ask you to imagine something: what if your personal email account getting hacked could launch conspiracy theories that could lead to years of online and offline harassment of those you’d communicated with, contribute to foreign interference in what are supposed to be free and fair elections, as well as meaningfully disrupt democracy?

As some of you may remember from 2016 here in the U.S., these are real risks for the population we’re going to be talking about today - i.e., people who are involved with political campaigns.

Now what if to help do your part to prevent that from happening, you have to fundamentally change your professional and personal technology-related habits and the habits of those you work with? And don’t forget that you don’t work in tech, you didn’t study computer science, and your digital security knowledge is limited.

Of course, this starts with your needing to understand that you really are a target and that the risk is very real, which you may not fully appreciate because this is all relatively new in the political campaign space, and you already have too much to do.

You also need to have a reasonable understanding of the new threats you face and what to do about them -- all while working in a fast-paced, hectic, temporary environment where winning the election is the top priority and anything that doesn’t clearly contribute to that is perceived to be a waste of time and effort, and may even be considered by some to be an irresponsible use of your time.

28 of 35

28

But not all hacks are �going to lead to an �outsized outcome like that, are they?

Security, Privacy, and Anti-Abuse Research

29 of 35

29

Recognized threats

Targeted attacks

Nation-states

Phishing

Security, Privacy, and Anti-Abuse Research

30 of 35

30

““It was like I was standing out there naked” �said [a Congressional candidate] who lost [their] primary race after secret campaign documents �were made public.

“I just can’t describe it any other way. �Our entire internal strategy plan was made public, and suddenly all this material was �out there and could be used against me.”

- The NY Times [emphasis added]

E. Lipton & S. Shane, Democratic House Candidates Were Also �Targets of Russian Hacking, The NY Times, Dec 13, 2016.

Security, Privacy, and Anti-Abuse Research

31 of 35

31

Providers & purposes

Accounts span multiple providers

Mix of accounts that were created . . .

by the campaign �for the individual

by the individual �for the campaign

by the individual �for other purposes

Security, Privacy, and Anti-Abuse Research

32 of 35

32

Additional considerations

Account security is a somewhat recent concern

Main goal: �WIN the election!!!

Lack of standardization

Security, Privacy, and Anti-Abuse Research

33 of 35

33

Evolving threat landscape
Elections around the world
2020 did have some hacks...

No . . .

Security, Privacy, and Anti-Abuse Research

34 of 35

34

2020 �seemed okay . . .

- Elections Infrastructure Govt Coordinating Council & Election Infrastructure Sector Coordinating Exec Committees

Nov 12, 2020 [Emphasis added]

The November 3rd election was the most secure in American history.”

Security, Privacy, and Anti-Abuse Research

35 of 35

35

Questions?

Sunny Consolvo

Google

Patrick Gage Kelley

Google

Tara Matthews

Google

Elie Bursztein

Google

Kurt Thomas

Google

Lee Dunn

Google

Security, Privacy, and Anti-Abuse Research