By Amy Studdart
In the weeks leading up to the Swedish general election on September 9, Sweden’s Social Democrat’s website was repeatedly flooded with fake traffic, causing it to slow down and ultimately crash for several hours. The majority of the traffic originated in Russia and North Korea. This wasn’t the first time, and it certainly won’t be the last: Russian hackers attack Sweden on a daily basis. Ultimately, the Swedish election was conducted without being significantly derailed by interference, the result of two years of well-resourced preparation.
The governments of Germany, the Netherlands, and the United Kingdom have all taken steps to protect against cyber-enabled election interference from Russia. Ukraine, which has parliamentary and presidential elections next year, has been under constant attack since at least 2014. During the 2017 presidential election, Russia repeatedly hacked then-candidate Emmanuel Macron’s En Marche campaign. Political parties and campaigns across Europe—and those who work with them—should take note: Russia’s fancy bears are coming for them next, if they haven’t already.
Russian attacks on European political campaigns have specific tactical objectives: backing Marine Le Pen to, perhaps, undermine French support for the European Union; distracting from or discouraging debates in Sweden about whether or not to join NATO; encouraging anti-migrant forces in Germany; or fostering a state of perpetual chaos in Ukraine. The strategy is to steer domestic political agendas in a direction that facilitates Russia’s macro goal of undermining Europe, the transatlantic alliance, and democracy writ-large. For campaigns, the stakes are high: not only might a poorly timed document leak or a denial-of-service attack contribute to an election loss, a campaign’s inadequate cybersecurity measures can allow a foreign adversary to hijack a domestic political agenda and undermine democratic systems.
For campaigns, the stakes are high: not only might a poorly timed document leak or a denial-of-service attack contribute to an election loss, a campaign’s inadequate cybersecurity measures can allow a foreign adversary to hijack a domestic political agenda and undermine democratic systems.
While a sophisticated cybersecurity attack could take down even the most well-defended campaign, the vast majority of attacks launched are cheap and easy, which makes them plentiful and indiscriminating. A phishing attack can be launched in minutes, inducing unsuspecting staffers to give up their passwords or install malware—thereby supplying the adversary with access to any document or information the campaign has stored electronically.
So, what is a campaign to do?
Earlier this year, the International Republican Institute, the National Democratic Institute, and the Harvard Belfer Center published “The Cybersecurity Campaign Playbook”, targeted at European campaigns. The playbook includes accessible information about how to create secure systems. The principal recommendation, however, is that effective and efficient campaign cybersecurity is as much about people as it is about technical infrastructure. At a most basic level, all staffers need to be trained and constantly reminded of how to spot a phishing attempt, why to avoid USB sticks of unknown or questionable provenance, and where and how to store documents. More strategically, cybersecurity requires a comprehensive understanding of the campaign’s vulnerabilities, threats, and the consequences of a breach.
As such, an effective approach cannot leave awareness of cybersecurity threats and defense of a campaign to the IT pros alone. Candidates, campaign managers, and all campaign leadership need to be engaged in creating a culture of cyber defense and in planning out responses to a possible breach. Given that cybersecurity breaches can impact campaigns incredibly quickly, campaigns need to plan for a rapid response. Campaign infrastructure should include a clear internal communications system: who needs to be notified about a breach and when, and how should that notification process work? Who needs to be included on an incident response team?
In an age where foreign adversaries exploit the openness of the digital environment to undermine elections, campaigns have no choice but to develop thoughtful approaches to cybersecurity.
On the technical side, those responsible for IT infrastructure need the resources to build a secure system, and the authority necessary to enforce its use. Storing information on the cloud is more secure than, for instance, attempting to maintain and secure individual servers. If the majority of documents are stored in one service (e.g. Google Drive), more sensitive documents should be distributed across other services (e.g. Dropbox). Campaign related documents and data should not be stored on personal devices. Two-factor authentication should be used across the board.
Among the attacks which concern campaigns the most are those in which data is stolen for the purposes of embarrassing or discrediting the campaign. While preventing a breach of that sort is a technical and operational challenge, it becomes a communications challenge once a breach has occurred. The response here will be different for each campaign and each situation. Should they acknowledge and rebut the disinformation? Or should they ignore it in order to avoid drawing greater public attention? Campaigns need to monitor for information operations, including the use of distributed denial-of-service attacks, false or misleading stories, or websites posing as part of the campaign.
Cybersecurity is about as interesting to politicos as accounting or pulling teeth. Staffers are busy thinking up the policies that improve lives and win elections; candidates are focused on connecting with citizens. Unfortunately, in an age where foreign adversaries exploit the openness of the digital environment to undermine elections, campaigns have no choice but to develop thoughtful approaches to cybersecurity.
Amy Studdart is the Senior Advisor for Digital Democracy at the International Republican Institute, founder and CEO of Villager.World, and a fellow at the German Marshall Fund of the United States. Follow her on Twitter @AmyStuddart.
The views expressed in this post represent the opinions and analysis of the author and do not necessarily reflect those of the National Endowment for Democracy or its staff.
Image Credit: eamesBot/Shutterstock