Protected Voices: Incident Response
The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including incident response, to help mitigate the risk of cyber influence operations targeting U.S. elections.
No matter how strong your cyber defenses may be, you cannot block every possible attack on your computer network. How can you prepare for the worst-case scenario—a successful cyber attack on your campaign’s network?
Hello, I’m Hadley, a special agent with the FBI. I’m here to share some recommendations for drafting an incident response plan.
Creating a plan to respond to incidents on your network is just as important as preventing them. If you can design and execute a thoughtful response, you may be able to lessen the damage done, and even avoid damage altogether.
Before you make an incident response plan, identify what’s at risk. What are the most important pieces of your campaign that could be affected by a cyber attack? How could a successful cyber attack impact your campaign? Different functions or different kinds of information in a campaign might be of different urgency or value. Knowing what really matters to your campaign’s ability to function will be critical in designing the best way to respond to an attack.
There are three main components to an incident response plan: technical, legal, and managerial. As part of your plan, designate specific, skilled people who are best positioned to cover those functions. What information does each component need? What should you expect from each component? What’s the chain of command? To whom does the team report? Who has the authority to make judgment calls as to when the campaign’s computer networks will be taken down, quarantined, or put back online?
After identifying your team, find a way for the team members to communicate that does not rely on compromised systems. If your incident response team talks on a channel where the attacker is listening, you’ve created more problems.
Develop a playbook to address the most likely incidents. Various types of incidents might require different kinds of responses, depending on which systems are affected and to what extent. Each response should include these elements: whom to notify in the campaign, what information to collect, when and how to contact law enforcement, how to preserve evidence, whether other potential victims should be warned, and which facts a decision-maker will use to decide how to treat affected systems.
Your plan should cover these basic steps: Assess the attack and potential damage; contain the attack to prevent additional damage; collect information about the attack to inform decision-makers, law enforcement and other victims; notify your internal command chain and outside partners to address all aspects of the attack, especially to remediate any damage.
As part of your planning process, consider contacting law enforcement and private IT/security partners who may be involved in your incident response. You can ask for guidance from these partners ahead of time to fine-tune your plan.
Ensure your legal, technical, and management experts approve of your incident response plan. And make sure your response team regularly reviews and practices the plan.
Drafting an incident response plan can be intimidating if you’ve never done it. There are several free resources online, including guides published by the Department of Justice and by the U.S. Election Assistance Commission.
Stay a step ahead of attackers by anticipating how you will respond to their attacks. You will save your campaign valuable time in responding to attacks, and your prep work might minimize the damage from a successful attack.
Remember, your voice matters, so protect it.