Session 4- Securing Your Campaign.mp3

[00:00:00] Hello, welcome to EDF Action Campaign Academy.

[00:00:03] We are here today with Robby Mook, who is a veteran of the Clinton campaign and many, many other campaigns. And we're going to talk today a little bit about digital security and how to make sure your campaign is sure thing.

[00:00:17] Well, thank you. And it's a real pleasure to be with you all today. I'm really glad that EDF has taken the time to talk about this as an issue, and hopefully it can be helpful. I want to first make a caveat that I am not a cyber security expert. I'm a campaign person just like you. Typically, my organization, Defending Digital Democracy, has somebody who is a cyber expert make these sorts of presentations.

[00:00:43] But I actually think this is going to work great today because I'm told that most of you are a part of small campaigns or campaigns that are just getting started.

[00:00:51] And the things that we're going to recommend are either free or very low cost and really simple. And so that's actually a great note to open up on. The project I'm a part of, Defending Digital Democracy, was set up precisely for campaigns like yours. So coming out of the 2016 election, where we obviously had some cybersecurity issues come up, it was apparent to me and to other people that there just weren't good tools or resources for campaigns to protect themselves against cyber incidents and attacks.

[00:01:25] The Defending Digital Democracy Project is a project of Harvard University's Belfer Center. It's co-directed by myself; Matt Rhoades, who ran Mitt Romney's campaign for president; and Eric Rosenbach, who is a former chief of staff at the Department of Defense under the Obama administration. It is a bipartisan project. So we wanted to provide practical tools to campaigns, but we also wanted to do this in a bipartisan way because we think that both parties are vulnerable and that Americans should decide our elections, not foreign governments or malicious hackers. So above everything else, we are patriots and we're here to help all campaigns regardless of parties. We've had technical experts from the private sector, government, national security and campaigns come together to do this project. So let's get right off to the races. I talked a little bit about what we do, that's providing practical tools for campaigns like yourselves.

[00:02:30] The most important tool that we have is the campaign cyber security playbook. We just released a new version of it literally a few days ago. You can download it at belfercenter.org/cyberplaybook or you can just Google "Belfer Center cyber playbook". It is a PDF. It is online. It is free and it's available to anyone. I really encourage you to print it out or save it as a PDF.

[00:02:56] And just take some time to read it on a weekend or a Friday afternoon or evening when you don't have anything better to do because you're on a campaign, you know how that goes.

[00:03:07] But I think you'll find some stuff in there that we may gloss over in this presentation.

[00:03:12] So just really quickly, it's helpful to understand, you are probably saying to yourself right now, I'm a small congressional race or Senate race or maybe even a local race.

[00:03:24] You know, cybersecurity is not really a big deal for me. I'm a small campaign. Nobody is going to hack into me. And really, the opposite is true. In fact, in 2016, some of the worst attacks that we saw were against candidates for the House of Representatives. Their opposition research books were stolen from the DCCC and given out to reporters. The other thing is, if you think you're a foreign government, you're trying to be really strategic and manipulate or influence American politics for the long term, you're going to hack into smaller campaigns. Right. Scoop up a bunch of information now and then it's up to you when to use it. So to play safe, just assume that you're a target, OK? And assume that you personally are a target as a campaign operative. Hopefully you're going to go on and run a presidential campaign or run other really high profile campaigns. Wouldn't it be a bad thing for somebody to steal all of your information and release it later? So protect yourself. Protect your campaign, protect your candidate. Everything I talk about today applies to your candidate, their spouse and their kids as well. So just keep that in mind. You should sit with your candidate and their family at some point, or someone should go through all their e-mail and social media accounts, make sure that they're locked up tight. So we'll talk about some ways to do that. The one thing to just acknowledge upfront is you are part of a really soft target environment. What do we mean by that? Your campaign, you've got a lot going on. You don't have full time cyber security support. You're doing things on the fly. People are working in a really distributed way. They're all over your district or your state and you're onboarding and offboarding people really frequently. And most importantly, you don't have the resources to invest in fancy cyber security software. You don't have somebody who's been working at your campaign for 10 years and their specialty is protecting or keeping to your soft target. OK. It's not a reason to panic. But again, know that there are people who wanted to hear you and know that you're a soft target, which is why you should do the steps that we're gonna recommend. So let's get to those.

[00:05:27] There. If you download our playbook, there are five things that we recommend.

[00:05:32] So if there is anything you take away from this presentation, I want you to focus on these five things. And even within that, there's some that I'm going to underscore. The first thing is, as a leader on the campaign, you have to set the tone to make cybersecurity part of the culture. OK. You train your staff not to go talk to reporters all, you know, willy-nilly. You train your staff or somebody sketchy shows up and the campaign starts asking a lot of questions, you know, really know what they're up to. You know, to fly that day with cybersecurity. People should be really careful what they're doing with their passwords. They shouldn't be, you know, opening up there. You know, you're pulling on a computer in a library. They shouldn't be. They should be careful about what they delete and what they keep. They should be careful about what they give people access to. OK. The same way we just talked through, your campaign's a target.

[00:06:20] It's a soft target and you need to take responsibility for protecting it. Got to have that same talk with your staff. OK. Let's talk specifically about some of the things that you can do. First of all, use cloud-based storage or a cloud-based office suite. OK. Probably most of you are already doing this because you don't have servers in your campaign office. OK. It's not, you know, 1995 or whatever. So most of you are using G Suite or Office 365. If you're using those, awesome. You're in great shape. If some person is installing a server in your office, that's weird just to begin with. But second of all, I wouldn't recommend going that path because then you have to protect that server. If you're using the big cloud-based platforms from Google or Microsoft or somebody else, it's their job to protect it. And you want experts protecting your stuff, not putting that burden on your shoulders. Secondly, on your e-mail or anything else, on your Twitter, on your Facebook or any of your accounts, use a second factor authentication. This is probably the most important thing you can do.

[00:07:26] Almost all the problems that were experienced in 2016 and some of the problems we're seeing in 2018 were the result of people not having two-factor authentication. OK. What that is, is when you enter your password, and you want to have long, strong passwords, OK, but when you enter that password, you're going to get a text message to your phone or you're going to use a key.

[00:07:49] I'll show you mine. And that is a second thing that you need to get into your account. So if somebody steals your password, they still can't get into your account because they don't have the second thing. So another way to do it is, I've got this little USB key. You just put it in your USB drive. This is safer than getting something on your cell phone. Because if they get into your cell phone, they can intercept that text message that has the code. This is literally a physical key on my keychain. You can't get it unless you steal my keychain. OK, don't stress if you're only using your phone, but it's safer to use this. And it's a YubiKey. Excuse me, Y-U-B-I. If you just search that on Amazon, you can buy one of these. But they cost like 40 bucks. That's too expensive for some campaigns. In that case, use the cell phone. The next piece is, if something is important and you don't want it to get stolen, keep it off of e-mail. For smaller campaigns, that means just printing stuff out and then deleting the e-mail. OK. Another way to do it is use Wickr or Signal. They're encrypted messaging services. You can do calls, you can send messages and documents. They are both free. There's a version of Wickr that some of the campaign committees are making available basically for free. That's a lot more sophisticated than the free version. But either way, they are encrypted. That means if somebody intercepts it, they won't have a special code to unlock it. OK. So polls, strategy memos, sensitive family stuff: get your candidate and their spouse chatting over Wickr or Signal so the bad guys can't steal that stuff because, you know, it's private family things that I wanted out there. The last thing I'm not going to spend too much time on, but to the degree possible, identify who's the lawyer you're gonna call and who's the cyber security firm you're going to call if you have a problem. I'm going to leave it at that. That's probably as much as you'll be able to do. But if something happens, just know who you're going to reach out to. A couple of things to touch on in terms of creating that security culture. First of all, just encourage your staff to follow basic security, things like don't leave their phone around, don't leave their computer out where someone can get on it, and have a conversation with your staff about phishing. Those are the emails where a bad guy sends a message to you or someone on your campaign and says, hey, your account's been hacked, click here and enter your credentials. That's not Google sending that. That is a bad person who wants to steal your password and you just gave it up. So just as a baseline, like, have that conversation every week or two with your staff. Hey, folks, if you don't click on links, it is coming into your campaign account. Don't click on links. The other thing to talk to your staff about is all the things we talked about, that second-factor authentication. Use it on your campaign email and social media. Use it on your personal. Think about 2016. They didn't break into the campaign. They broke into people's personal accounts. So everything we're talking about for the campaign, do it on the personal, do it with the candidate's family. One thing I would say is if you're using G Suite or Microsoft 365 and you're storing documents in those, that's good to do that. Be deliberate about who can access what. So don't let every campaign staffer access everything. Be really careful about who you're sharing things with. So if somebody's email is broken into, the bad guys can't access everything in the whole campaign.

[00:11:12] Devices. OK. This is important. If you are a small new campaign, hey, you got a lot going on, you're going to get everybody two-factor. You're going to get everybody really paranoid about phishing. You are also going to mandate that people always update their operating systems on their phones and on their computers. All right. When like I did what I do on my phone, I get an alert. There is an operating system update.

[00:11:39] If you've got like five staff on your campaign, you see the operating system update on your iPhone or Android.

[00:11:45] Tell people in the morning meeting: update your phones today. Just get it done. You can follow up the next day. But this is literally just like two-factor. It's one of the most important things you can do. OK. Next one. And again, all this stuff is in the playbook, so you can spend more time reading it later.

[00:12:03] Really quick thing. If you have Wi-Fi in your office, set up a guest account so that if a guest or volunteer comes in, they're not getting on the Wi-Fi that the staff are using. Really simple thing, could actually make a big difference. And I think we should be done. Oh, information operations. OK. You're a small campaign. You don't have a million staff. And so I'm not going to spend a lot of time on this. But a lot of people have been asking, you know, big news, information operations, what do you do to things out? A few things you can do that can potentially help make a difference. The first is try to know what's going on. So if you're a small campaign, one thing you could do is tell all your volunteers, if you see something funny or negative on social media, let us know. Just forward it to us. You could even have "social media at your URL address dot com," something like that. Really simple. That's a way for you to just monitor what's going on. If you really want to get sophisticated, you can set up some social media, some Facebook pages that profile the kind of voters you care about and then monitor what's coming in on that. That's getting a little bit more complicated for you as an organization, but set up some system, even just your staff, to monitor what's going on in social media that now matters. And hopefully that way you're going to pick out something really bad is out there. Second, establish contact with the social media companies. If you're a congressional race, talk to your national committee. If you're a state legislative race, talk to your state party. Find out who's the person you're supposed to connect with at the social media platforms if you see bad accounts posting false or misleading information, OK. And then the last thing I'll say is information operations are a communications problem. If there's false information out there, it's up to you as a campaign to decide whether you want to weigh in and say something about it. Maybe retweet it, say this is false. That's a decision you and your team have to make. OK, just to separate, that is not a cybersecurity question. Communications question, OK. And we're not spending a lot of time on this because it can get really complex. I think as long as you're monitoring the social media environment as best you can, when you see fake information, you're making a decision with your team about whether to respond or not. That's probably the best you can do for right now.

[00:14:21] We're at them. So all the questions. So thank you so much, Robby. That was super helpful. It's my pleasure responding through. Yes. So here's a question I have. Yes. How scared should we all be of the Russians?

[00:14:36] The answer to this question is you should be scared of bad people trying to hack into your campaign. OK, so we know that the Russians were obviously a problem for the campaign. I managed Hillary Clinton's campaign. But if you're a Republican campaign, you know, maybe the Iranians are going to try to retaliate for President Trump leaving the nuclear arms deal, for example. Right. We just don't know. And then the other thing is, you know, we're here at the Environmental Defense Fund. Maybe there are people who are angry at pro-environment candidates right here in the United States, and they just decide to hack in, or somebody who wants to show off. We just don't know. The point is, be paranoid. It's your career. It's your candidate's career. And it is our democracy. Frankly, all of you guys are on the frontlines of protecting our democracies. So take those five steps we recommend. Put on that second factor. Educate your staff, make them aware, use encrypted communications for really sensitive stuff and know who to call if you think something bad happened. If you do those things, you're reducing your risk by like 90 percent. OK.

[00:15:43] All right. So is there any commonality between the types of groups who are attacks? A. Between the different organizations.

[00:15:52] Yeah, it's a great question. There's not, and again, there's so many different people who can attack you that what I've been telling people is don't try. Don't try to be a national security expert and don't try to be a cyber security expert. You're just not going to be you know, we're not going to cyber security. But the steps I just outlined are basically free. I mean, if you're using those office suites like G Suite or Office 365, that's going to cost five bucks a month per staffer. But you're paying that anyway. Almost all campaigns use these technologies now. So aside from that, everything I just said is free and just do those things. Monitor for those updates and you're doing basically everything you can do at that point. You're really relying on Google and Microsoft and our national security professionals to protect you. And that's what we hire them to do.

[00:16:50] Right? OK.

[00:16:52] The groups Project Veritas is that kind of group that has been known to infiltrate organizations like mine and campaigns. Do you have any recommendations for an events manager or the H.R. process bringing any dirty tricks?

[00:17:11] I'm so glad you asked. This is such a great question, because Project Veritas comes in and they hide microphones or cameras and try to trap you breaking the law. The same thing can happen with cyber security, right? You can hire an intern who puts some malware in your computer or tries to get access to your documents. Right. So when I talked about not granting access to everyone for everything, your intern shouldn't have access to your sensitive documents. Right. This is, again, the things you need to think about. So there are two things I would recommend to staff or to campaign leaders on this. And we did both of these things on the Clinton campaign when I was there, we were very much dealing with Project Veritas. Once again, I'll underscore, set the culture, make your staff paranoid. It's good and healthy for your organization when your staff are really sensitive about their digital security and their digital equipment. OK. Secondly, make them paranoid about sketchy people. All right. You're probably going to make them a little too paranoid. That's a really good thing. If somebody comes in and starts asking questions that just seem like unnecessary, you know, your antenna should go up and you should be really careful about what you say. If someone's asking you to break the law, but like just a little bit and it's not, you know, it's not really that bad. Never break the law. Train your staff on this. If somebody says, hey, I'm from Canada and I love your candidate and I'm just so committed to the cause. And like, here's some Canadian money. Like, I just want to do my part. I'm just such a good person. That's illegal. They know it's really easy. They'll try to pressure you. They'll try to guilt you. OK, so just train your like. Have that conversation every two weeks of your stand. I promise it will make a world of difference. We started doing this routinely on the Clinton campaign and we had, you know, Veritas try probably 50 times more than they succeeded. Right. And it made a big difference and it was all cultural. There's no magic solution. There's no consultant. It's you training your staff to be paranoid.

[00:19:18] However, do you have some questions you involved with?

[00:19:23] Great. Yeah. How do you manage data security on a smaller campaign with a few staff and not necessarily like a massive scale campaign like the Clinton campaign and tweets.

[00:19:35] Yeah, so first of all, the cyber security playbook that we put together, it's free. You can download it and it's written at my level, which is the same issue where you do not have to be an expert to understand that document.

[00:19:49] OK. And if you're really small, and I've run these campaigns, you know, you're two people, you're five people, you're 10 people, you personally can implement those top five things. You can sit with your staff and make sure they put in that, require that second-factor authentication. You personally can sit with your candidate, make sure their passwords are strong and they have a second-factor authentication. You personally can watch for system updates and tell your staff to. So take responsibility for the problem and don't be intimidated if you use our playbook.

[00:20:23] You're going to use it, it will walk you through the things you need to do. And it's, you know, it's 30 pages. There's a lot in there. I, again, would just counsel you follow those top five things. If you're doing those, you're probably going to be OK.

[00:20:37] And the last thing I'll say is. The number one recommendation we have is setting the tone. If you set a culture of being paranoid about these issues, it will make a difference. OK. I cannot tell you enough.

[00:20:51] I don't like.

[00:20:54] Don't downplay cybersecurity and don't project to your staff that, oh, well, I don't know how to do that and it's all crazy and technical, but you should protect your staff is it gets crazy and technical. But the things that we need to hold ourselves responsible for doing are really easy and we're all going to do them just the same way. We don't talk to the press, you know, without thinking about it. We don't do, you know, a sloppy training with our volunteers. And when somebody sketchy is asking us to do something illegal, we don't do it. OK, this is just like those things. You know how to train your staff on those things. You can train them on these things too.

[00:21:32] And I think I just have one last question, so what would you know, how should you handle or how could how should a campaign handle if like an allied organization or partner was hacked, that might have information about what about you?

[00:21:49] Yeah. So this is again, a really good reason. Let's say you're working with EDF.

[00:21:57] Has you have a political arm, don't you?

[00:22:00] Right. So if you're working with EDF, the political arm, and you want to share something sensitive, send it through one of those encrypted messaging apps.

[00:22:09] Right. Wickr or Signal. OK. So don't even give those organizations the chance to store something that potentially could be really bad for you if it gets taken, OK? That's thing number one. And that goes for everything. That goes for getting your candidate and their kids and their spouse, the chats they're having, your chats with your candidate. Just get it on an encrypted system and its chance of getting hacked

[00:22:30] goes way, way down. The second is, you know, call someone who knows how to deal with these things. When I talked about having a lawyer and a cybersecurity firm, just call someone who knows what they're doing before you choose to weigh in and communicate.

[00:22:54] Let's use a worst case example. Let's say your campaign did an event with the vice president, OK, with the DNC or the RNC. All right. And you collected a bunch of your donors' Social Security numbers and dates of birth. All right. That's a serious legal situation. There are reporting requirements that organizations have if people's sensitive information got stolen. That's why I'm like, don't think you have to solve that problem. Call a lawyer and call a firm that's experienced in this and get real professional help at that point. But again, I will underscore the best way to avoid being somebody has a problem. And that situation is to have kept stuff, hockey and other big BMA.

[00:23:45] All right. I don't think. Final kind of thoughts. Is this going to be our dirty tricks and hacking? Is this going to be standard issue? Is this going to be a thing for campaigns to think about for ever?

[00:23:59] Yeah, 100 percent. You know, back in the day when social media first became a thing, we realized that our staff can't just get on social media and give out the campaign secrets and talk about their personal life. That's probably not a smart idea. So this is just another thing that you as a campaign professional need to think about and need to take responsibility for. That's the most important thing. And again, I want to underline, I'm not arguing you obsess about it every day. I'm not telling you to prioritize cyber security over, you know, having a campaign message, raising money, doing really good organizing work, doing your politics. Those are the things you're good at and you need to take responsibility for. But there's other little things you have nowadays, like sexual harassment policy. Right. The physical safety of your campaign staff, preventing drunk driving on your campaign. These are just things that you're not an expert at. But there are basic, simple steps you follow to prevent them. And cybersecurity is one of those now. And the playbook that we've produced, it was written for you, was written so that you could understand it. I can understand it. I'm not a cyber security expert. And if you just take a little bit of time to give this consideration, give consideration to dirty trick groups that are potentially going in with cameras and microphones, I promise you that if you set that culture, you're going to make an enormous difference. The things that happened in 2016 could have been prevented. Everything that happened with Project Veritas could have been prevented. And you can prevent these things, too, if you just take responsibility and take a little bit of time.

[00:25:48] Thank you so much for coming. It's my pleasure. Thanks.