After DNC hack, campaigns can’t ignore cybersecurity

The DNC hacks are the tip of the virtual iceberg, and there is only more to come.

For a town that vigorously huffs and puffs about cybersecurity, it was still quite shocking to see the flat-footed reaction of the political establishment after the DNC discovered it had been hacked. It was as if political parties assumed cyber-criminals would never dare steal data from their systems, much less plaster it across the web for anyone and everyone to view.

Clearly the hackers had a different point of view. Whoever those criminals are (Russians, Chinese, North Koreans, angry individuals, who knows really?), they knew what they were doing. And the hackers taught the Washington elite the most painful lesson of cybersecurity: no matter what defenses you buy, if someone wants to break into your system, they will get in.

Worse yet, this mess is far from over. The only certainty is that more information will be leaked, and candidates will suffer the same embarrassment and harm any person or business would sustain if their internal data and communications were released into the wild.

Does this mean that political campaigns should now expect that every email, internal poll, and “donor maintenance” document will soon appear on WikiLeaks?

If things don’t change in electioneering, the answer is a straightforward yes. What do candidates and political parties need to do to change that answer?

First, accept that you will be hacked. The cost of buying malware – much less the cost of hiring mercenary hackers – is so astoundingly low that we now live in a world of “mutually assured access.” That means you should expect unauthorized users to access your networks at any time. Candidates and campaigns need to react accordingly, and that means cybersecurity is a necessary part of any electoral effort, no matter how small. 

Politicians are not immune from cybersecurity laws. Despite what you might hear, candidates and campaigns alike are still subject to the various laws and policies addressing cybersecurity. They too must comply with laws requiring notification if “personally identifiable information” is stolen. And in the era of mobile advertising and fundraising, campaign staff should pay attention to more than electioneering laws. Overly broad and imprecise claims about the security offered to website and app users open campaigns up to possible enforcement actions by a myriad of agencies, including the Federal Trade Commission and the Consumer Financial Protection Bureau.

Second, data theft could be the least of your worries.

Today’s political campaigns, especially those focused on statewide or national offices, are complex, data-driven operations. Micro-targeting of voters, issue analysis, and incessant fundraising are all core components of the 24/7 election cycle. But what happens if those operations are disrupted for a few hours, much less days or weeks? Chaos for sure, as well as the possible appearance of rampant incompetence. In the age of “ransomware” and other malicious tools that can easily lock up business, campaigns need to be aware of those threats too. Their information security programs need to address such possibilities as well as that of “simple” data theft.

 

Finally, have a plan. This last point may seem blindingly obvious, but for some reason many businesses—much less campaigns—still have no real plan for protecting their information or responding when a cyber-attack happens. It’s really amazing if you think about it – for all the money spent on “spin doctors” and crisis managers to handle the occasional embarrassing photo or verbal gaffe, I’ve never heard about a politician’s cybersecurity response plan. The 2016 election cycle should mark the last time where cybersecurity was treated as an afterthought in campaigns.

Maybe some good will come out of the great 2016 cyber electoral drama: namely, perhaps lawmakers will better appreciate the need for and challenges associated with cybersecurity. If only that one lesson is learned, then we will all be better off.

Finch is a partner at Pillsbury Winthrop Shaw. Follow him on Twitter @BrianEFinch


 

The views expressed by Contributors are their own and are not the views of The Hill.