Protected Voices: Incident Response

The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including incident response, to help mitigate the risk of cyber influence operations targeting U.S. elections.


Video Transcript

No matter how strong your cyber defenses may be, you cannot block every possible attack on your computer network. How can you prepare for the worst-case scenario—a successful cyber attack on your campaign’s network?

Hello, I’m Hadley, a special agent with the FBI. I’m here to share some recommendations for drafting an incident response plan.

Creating a plan to respond to incidents on your network is just as important as preventing them. If you can design and execute a thoughtful response, you may be able to lessen the damage done, and even avoid damage altogether.

Before you make an incident response plan, identify what’s at risk. What are the most important pieces of your campaign that could be affected by a cyber attack?  How could a successful cyber attack impact your campaign? Different functions or different kinds of information in a campaign might be of different urgency or value. Knowing what really matters to your campaign’s ability to function will be critical in designing the best way to respond to an attack.

There are three main components to an incident response plan: technical, legal, and managerial. As part of your plan, designate specific, skilled people who are best positioned to cover those functions. What information does each component need?  What should you expect from each component? What’s the chain of command? To whom does the team report? Who has the authority to make judgment calls as to when the campaign’s computer networks will be taken down, quarantined, or put back online?  

After identifying your team, find a way for the team members can communicate that does not rely on compromised systems. If your incident response team talks on a channel where the attacker is listening, you’ve created more problems.

Develop a playbook to address the most likely incidents. Various types of incidents might require different kinds of responses, depending on which systems are affected and to what extent. Each response should include these elements: whom to notify in the campaign, what information to collect, when and how to contact law enforcement, how to preserve evidence, whether other potential victims should be warned which facts a decision-maker will use to decide how to treat affected systems.

Your plan should cover these basic steps: Assess the attack and potential damage; contain the attack to prevent additional damage; collect information about the attack to inform decision-makers, law enforcement and other victims; notify your internal command chain and outside partners to address all aspects of the attack, especially to remediate any damage.

As part of your planning process, consider contacting law enforcement and private IT/security partners who may be involved in your incident response. You can ask for guidance from these partners ahead of time to fine-tune your plan.

Ensure your legal, technical, and management experts approve of your incident response plan. And make sure your response team regularly reviews and practices the plan. 

Drafting an incident response plan can be intimidating if you’ve never done it. There are several free resources online, including guides published by the Department of Justice and by the U.S. Election Assistance Commission. 

Stay a step ahead of attackers by anticipating how you will respond to their attacks. You will save your campaign valuable time in responding to attacks, and your prep work might minimize the damage from a successful attack. 

Remember, your voice matters, so protect it.

Video Download