The Day Obama's Facebook Page Went Down, and Other Campaign Security Lessons From 2012
BY Sonia Roubini | Tuesday, August 5 2014
In Fall 2011, during the Obama 2012 campaign, the Barack Obama Facebook page with 34 million "likes" disappeared. Visitors to Facebook.com/BarackObama were automatically directed back to the Facebook homepage, and online searches for the page came up blank. Recalling the incident, Laura Olin, the campaign’s social media manager, recently told techPresident that before it happened, she had considered “the possibility of someone hacking accounts and posting inappropriate things, but not the page disappearing altogether." She added, "Facebook said that the problem was internal, but it wasn't clear if someone had disappeared the page intentionally or if it had been a mistake.”
As we head into the heat of the 2014 midterm elections, and with 2016’s national campaigns beginning to coalesce, the problem of cyber-security for online political campaigns is just simmering beneath the surface. As is the question of how the press will cover the issue. There are real threats out there, and also plenty of room for confusion.
In 2012, the Obama campaign was worried about a wide variety of attacks, campaign insiders told techPresident. These included the fear that state-based actors might attempt to extract key policy documents, which apparently happened in 2008, when hackers backed by the Chinese government reportedly attacked the 2008 Obama and McCain campaign websites. There were also concerns that someone might steal campaign donors’ financial information. And, of course, fear of more run-of-the-mill attacks from political opponents or hackers on the other end of the political divide.
The Obama 2012 campaign experienced a full spectrum of technological attacks. These included spear phishing (scams that target an individual or department within an organization and request information such as login IDs and passwords from a seemingly trustworthy source); distributed denial-of-service (DDoS) attacks, which try to take down a website or service by flooding it with requests; theft of campaign donors’ financial records; and more general attempts at campaign sabotage.
As Ben Hagen, the director of the Obama 2012 campaign’s information security program, told techPresident, the complexity and variety of these attacks meant that his team couldn’t take any “bullet-proof” preventative measures. Some attacks on the campaign were even “on par with attacks sponsored by nation-states,” he noted. Hagen is now the Engineering Manager for Cloud Security Operations at Netflix. Hagen and his team were also surprised by the level of sophistication of spear phishing attempts targeting specific campaign staffers.
Hagen’s team focused its security strategy on quickly identifying incoming threats, and determining how to respond before the attack made a real impact. This involved a combination of constantly monitoring the campaign's information systems, and ensuring that all campaign staff were trained in implementing basic security precautions and in recognizing phishing attempts.
Laura Olin, the campaign’s social media manager, described the “incredibly paranoid measures” that her team was told to take for protecting the passwords of the campaign’s social media accounts. “All the passwords were 12-character random strings and we didn't connect them to Gmail accounts, which we were told were more easily hackable than our @barackobama.com accounts,” she said.
Campaign staff were told to change these passwords every two weeks. Given that both staffers of political campaigns and politicians themselves tend to use ridiculously easy-to-hack passwords and security questions (such as pet names and zip codes of place of birth), preventing this isn’t a small task. As it is, according to Gawker, in 2012 someone broke into a Hotmail account belonging to presidential candidate Mitt Romney. And in 2013, the Syrian Electronic Army was able to temporarily hack into Organizing for America's @BarackObama Twitter account, according to Quartz.
In order to avoid hacks of this nature, Hagen and his team trained campaign staff with the “Spear Phishing Toolkit,” an open source tool for information security professionals. The toolkit allowed the campaign to run spear phishing campaigns against its own employees. They registered fake Barack Obama affiliated web domains, and sent staff emails that directed them to these pages and asked them to enter their email and password.
Their first attempts at running these tests resulted in a 25% click rate on email attachments, and a 12% rate of people entering their credentials into these fake websites. Hagen’s team recorded the people who actually entered their information, and made them take extra security training. This, Hagen says, ended up working: “by the end of the campaign, we had a much lower hit rate on spear phishing.”
Obama 2012 was uniquely positioned to take these anti-hacking measures. As a large and well-financed campaign with an unprecedented commitment to using technology and data, it had the resources necessary to build a digital team with the capacity and capabilities to be proactive about security. Not every campaign is equally capable of making campaign security and privacy a focus. Smaller campaigns may not have the expertise, time, energy or budget to take the requisite measures, allowing digital security to fall by the wayside.
Hopefully, even campaigns without a sizable security budget are at least taking the most obvious measures to protect themselves from DDoS attacks and spear phishing. Campaigns should also prepare for unexpected surges in site traffic, as sometimes a "hacked" website is actually nothing more than a campaign's own unforced error.
This problem emerged during the 2006 midterms, when the Joe Lieberman Senate campaign website crashed one day prior to the primary election. Lieberman staffers were quick to blame “hackers” connected to his opponent Ned Lamont, the candidate of the Democratic “netroots,” for the problem.
The political press, which had far less familiarity with the Internet back then than it does now, bought the Lieberman line sans evidence. Days after the election, NBC was still quoting Dan Geary, Lieberman's website manager, as saying that the attack "was probably politically motivated." "Is it some guy in Lamont headquarters? No," continued Geary, according to NBC, "but was it an overzealous supporter? Maybe."
Months later, in October 2006, the FBI came to the conclusion that technologists working with the Lamont campaign had argued since the day of the crash: “The server that hosted the joe2006.com Web site failed because it was overutilized and misconfigured.” As techPresident reported at the time, there was “no evidence of (an) attack.”
This type of preventable website failure is consistent with Hagen’s belief that “investing time and money into something that doesn't directly lead towards the accomplishment of the organization's objective will always be a tough sell.” This is particularly true for campaigns that feel the need to scrape together all of their resources in the hopes of maintaining the possibility of a win.
But as campaigns move their fund-raising, organizing, and vote-building operations online, there’s an increased need to focus energy and resources on digital security. Campaigns that fail to take this into consideration leave themselves susceptible to the increased possibility of a digital attack.
According to Jack Steadman, a director of web and product development for Blue State Digital who worked on the Obama campaign, there hasn’t yet been “a real ‘big event’ in campaign security to scare people into action.” However, he thinks such an event is inevitable.
Steadman is confident that campaign security will become more of an issue during the midterms, which will likely see attacks on smaller campaigns. As he puts it, “those involved in making these technology choices should already have this on their radar as an issue.” Campaigners have begun to understand the extent to which they’re targets, and security is now “a major focus and will continue to be one,” he says.
Looking forward to the 2014 midterms, Steadman pointed out that "it's important for smaller campaigns around the midterms to make sure that their technology choices are good and are safe. There are best practices that can and should be put in place.” The Obama 2012 campaign’s strategy would appear to be a good one to learn from.