Protected Voices: Safer Campaign Communications

The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including safer campaign communications, to help mitigate the risk of cyber influence operations targeting U.S. elections.

Video Transcript

Hi, I’m Erica, a computer scientist with the FBI. In this video, we'll talk about how a few proactive communication practices can effectively enhance your campaign's overall cybersecurity.

Given the importance of communications to a campaign, both in managing its operations as well as connecting with voters, it's no surprise that communications also represent a significant potential vulnerability. Communications can include personal and official email, messaging apps, and social media.

Each of these forms of communication may be essential to running a successful campaign, but you should be aware of the potential dangers of cyber attacks through these various channels. 

Your campaign should use the most secure methods of communication to reduce the likelihood of intrusion. 

Keep in mind, most secure does not always mean practical. Security and convenience often work on a continuum—with the most convenient practices tending to be the least secure. Use your best judgment for what makes sense for your campaign.

A common method used for securing communication is encryption.

Encryption encodes information, making it unreadable to anyone but those who have a key to decode the encrypted data.

This method can be very effective in ensuring your information remains safe from attackers. 

There are numerous ways to implement encryption so that even if an attacker gains access to your information, he or she will be unable to use it without a lot of effort.

Look for trusted vendors of encrypted communication services for texting, email and voice; there are several solutions available, and some are free.

To help prevent attackers from stealing information, don't keep more than you need.

You can do this by disabling the “archive” and “save old messages” features on your communication devices and applications; these are typically defaulted to automatically save. Disabling this feature is the electronic equivalent of shredding documents.

Depriving attackers of opportunities to attack can greatly improve your defenses. 

Ensuring only devices with a need to connect are granted connectivity to your systems will reduce the resources needed to monitor and defend networks. One way of doing this is to create access control lists. 

Access control lists typically consist of ‘white lists’ or ‘black lists.’

Whitelisting is a method of restricting access to only pre-approved devices or connections. 

Blacklisting involves denying access to devices which are presumed or known to be not trustworthy.

Blacklisting and whitelisting are often based on device characteristics, such as a unique identifier, or the ways in which devices are trying to connect, such as a source IP address.

Whitelisting, while more restrictive and secure, is often not practical for networks that need to respond to unknown users, like the constituents a campaign may be trying to reach.

Blacklisting regions of the world that don’t have an approved or anticipated relationship with your campaign can greatly decrease the amount of threats your campaign faces.

Communications infrastructure shouldn't be left on overnight when no one is in the office. When you leave for the day, turn off devices and, where possible, turn off your office Wi-Fi networks, which can offer adversaries a potential route into your operations.

Ideally, personal devices wouldn't be used for campaign activities, but sometimes this can’t be helped, as campaigns often rely on personal devices for business. If your campaign uses personal devices, establish a written bring your own device policy, or BYOD. 

BYOD provisions should include installing special safeguards on personal devices to ensure protection against malware; full disk encryption—meaning all data on the device is encrypted; remote wiping of the device, in case it gets lost or stolen; and the ability to implement the timeliest updates. 

Devices should include lockout features for excessive incorrect login attempts, and default passwords and usernames should be changed.

Another way to keep your campaign communications private is to use an encrypted app for secure messaging. You can easily find reputable, secure group messaging apps with a little research. If you use a secure messaging app to harden your communications, encourage all of your staff to also use that same app.

BYOD provisions are often called ‘endpoint protections’ because they’re designed to protect the devices furthest outside of a network—the endpoints. We encourage your campaign to research reputable endpoint protection vendors. A great endpoint solution will also have the ability to monitor whether devices are remaining compliant. When finding an endpoint solution, look for one which will make sense for your campaign.

Finally, create an incident response plan in case any of these protections fail—and review our video on incident response for some tips on drafting a plan.

Having a plan and resources in place beforehand can be critical to minimizing or preventing harm when a crisis does hit. 

Remember, your voice matters, so protect it.

Video Download

Video Source