One Way or Another, Campaigns Learn About Online Security and the Dangers of the Internet
BY Christian Bourge | Thursday, June 28 2012
When Republican presidential nominee Mitt Romney’s campaign announced earlier this month it was investigating a possible intrusion into the candidate's personal email account, it called into question how American political campaigns secure their data, electronic communications, and online operations.
It's difficult to quantify how often online attacks occur against campaigns. The Federal Election Commission does not track this type of incident and doesn't regulate campaign activity on the Internet outside of traditional areas of interest, like advertising. And overall, U.S. data breach laws are a complex panoply of federal and state requirements. Those who've been hacked are largely left to figure out what to do. But political campaign professionals and online operation experts caution it’s a real threat that political operations often don’t take seriously enough.
“Nobody tends to talk about it or think about it till it happens,” Timothy Nurnberger, head of the production team for the Republican campaign consulting firm Campaign Solutions, told TechPresident. “Very often campaigns are reactionary instead of taking the time to put those (security) measures in place beforehand so that they don’t have to handle a situation that gets them into trouble later.”
Internet-based attacks can take many forms, ranging from tampering with social media messaging to full-on electronic attacks that can shut down online operations. While there's no single compendium of incidents, here are a few notable ones from recent years, ranging from simple pranks to sophisticated schemes:
- David Kernell was sentenced to a year in jail in 2010 for his highly publicized 2008 hacking of then-Republican vice presidential candidate Sarah Palin’s personal email.
- Someone posted fake anti-government events on the user-generated meet-up calendar portion of the Obama campaign website last year.
- After a 2010 attack on Rep. Michele Bachmann’s campaign website, viruses were transferred to visitors' computers.
- In May, West New York, N.J. Mayor Felix Roque and his son were arrested for hacking a website demanding he be recalled.
Brian Franklin, President of Democratic campaign consulting firm Impact Politics, said that how well campaigns prepare for such problems typically depends on the size of the campaign and their financial resources.
“There are campaigns that have their own networks and their own set of hardware, computers, and services,” said Franklin, who is also vice chairman of the American Association of Political Consultants’ technology committee along with Campaign Solutions President Becki Donatelli. “And there is 99 percent of the rest of them which are essentially loose conglomerates of consultants and staff that work off their own laptops on a shared Wi-Fi.”
Less formal arrangements raise several security issues, Franklin said. Given that campaign servers are likely to contain sensitive internal information such as budgets and strategy materials as well as the personal data of supporters, Franklin advised that common sense should rule when it comes to choosing passwords so they are not easily discerned by hackers. The same recommendation applies to which campaign workers are given access to internal computer systems. He noted that commercially available computer network systems usually allow for tiered access levels.
Gerrit Lansing, digital director for the National Republican Congressional Committee, added that most widely available campaign-specific software and online applications provide adequate security for the threats likely faced by small political campaigns.
“If your password is 'password,' that is, obviously, not using common sense,” said Lansing. “(But) I don’t think it is till you are a nationalized congressional campaign or a state level Senate one, certainly a national presidential, that you become a [significant] target.”
Jay Williams, founder of conservative Republican campaign consultancy The Stoneridge Group, told TechPresident that he’s come into contact with campaigns in both local and statewide races that have used the word “password” as their password, or used others based on information about the candidate that's either been published or is easy to guess.
“The problem with a lot of these guys is they do run fast and loose,” Williams said of smaller campaigns' handling of computer and online operations. “Usually they are struggling to find the cheapest way to do stuff. That is what leads them to have gaping holes in security. It’s not like direct mail, you can’t go cheap. It’s a dollar now or $10 later.”
Much of the information campaigns use in strategic planning is already public in one way or another. Contributor data is filed with election regulators and voter data is available through public and commercial databases. In addition, a fairly strict set of rules governs anyone who wants to process credit card transactions online. To stay compliant with those rules, and to avoid security risks, most campaigns look to third-party vendors to handle sensitive financial data and don't store any of it on their own servers.
But this doesn’t mean that campaigns don’t have information that hackers — or even the campaigns themselves — can exploit. In April, former House Speaker Newt Gingrich's ill-fated presidential bid sold its list of donors and activists to a third-party brokerage, and people who had signed up to receive emails from the campaign found themselves getting advertisements for identity theft protection services. The Gingrich campaign had not previously mentioned that it might sell its list, although campaigns of the same stripe from time to time sell or rent contact lists to one another and lead purchases are also common in the private sector.
Campaigns have also begun taking advantage of targeted online advertising based on individual computer user data, raising issues regarding protecting the personal privacy of supporters. Campaigns and political organizations are accruing a larger mix of data about supporters' browsing habits, social media use and consumer history to combine with sensitive but public records such as campaign finance donations and voting history. This creates an increasingly comprehensive look at each potential voter or supporter. The firms involved assure everyone that this merger of data takes place in a delicate dance conducted with a mind to removing personally identifiable information. But were any amalgam of that data to be compromised, security expert Chris Soghoian says, it's unlikely that the voters involved would be notified.
"State data breach laws, and nearly every state has a data breach law at this point, are very specific in the kinds of information that they cover," Soghoian said, "and usually there has to be some kind of Social Security number or account number hook to it."
"If a political campaign loses a mailing list or a supporter list," he said later on in the conversation, "it's going to be unlikely that that's going to trigger state data breach laws."
Neither the Romney nor Obama campaigns responded to interview requests about the issue. But Nurnberger, who was Deputy Director of Online Operations for the 2008 Republican National Convention, said that despite an overall lack of understanding by many campaign officials, online campaign security is being taken more seriously than even a year ago.
“It’s a really important issue,” said Nurnberger. “In the grand scheme of things it would likely not be the make or break point for a campaign, but it very well could get to that level if it is a major security breach. A voter could look at it and say if you can’t keep my data secure in your own campaign, can you be trusted in public office? If you want to not think of these possibilities in your campaign it is to your detriment.”
Henry Poole, a founder of progressive online strategy and design consultancy firm CivicActions, predicted that it will take a major debilitating attack before political campaigns across the fold fully understand the dangers they face.
“There hasn’t been a real public disaster around it, yet,” said Poole. “It’s going to happen. There is going to be something that makes people (take) notice.”
Soghoian, the privacy expert, said he had that moment when Romney's Hotmail account was breached.
"The point at which Secret Service takes over security for candidates and provides them with armored buses and 24-hour guards, they should be taking over their digital security too," he suggested.
The Secret Service, he posited, might have steered the campaign clear of the security mistakes that allowed its information to be compromised. Passwords to Romney's Hotmail account and an account on DropBox, the file-sharing service, were both reportedly cracked.
"Mitt Romney shouldn't be using a Hotmail account," Soghoian said. "And to be honest, he shouldn't be using DropBox either."