Protected Voices: Supply Chain

The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including supply chain, to help mitigate the risk of cyber influence operations targeting U.S. elections.

Video Transcript

We’re all familiar with the expression: “There’s an app for that.”

But what else is the application doing—and is it opening a door for bad actors to exploit your information?

Hello, I’m Pete, a special agent with the FBI. In this video, I’ll offer tips to evaluate the apps, services, and technology—what I’ll call a supply chain—that you choose to run your campaign.

Whether deciding on cloud storage solutions, communications equipment, contracted services, or other products, your campaign will be making a lot of choices. On top of thinking about cost and effectiveness, I urge you to also think about security vulnerabilities. If you take a few simple steps, you can mitigate large chunks of risk.

Here are some specific, actionable things to consider.

First, the parent company: Do you know who’s really providing the service? A company might simply be the “American face” of a foreign vendor or a known bad actor. Or a foreign government could’ve invested heavily into the company, thus creating products with a low price tag but a high security risk.

Consider checking your proposed partners—apps, people, and technology—against credible open-source references such as watch lists compiled by the Department of Commerce, the Better Business Bureau, and records that show the company’s headquarters location.

Once you’re comfortable that you know your potential partner, evaluate whether they are security savvy. This applies to both cyber and physical security.  

On the cyber front, consider using U.S.-owned and controlled businesses. For instance, a major American cloud provider is more likely to comply with industry regulations and best practices than a foreign provider.

On the physical front, check where your potential partner intends to store your data or equipment. A secure location decreases the risk of someone walking off with your hard drive, and employees vetted through a background check are less likely to misuse their access for fraudulent purposes.

Find out if the company has an insider threat mitigation plan. If you’re buying equipment, think about where that equipment is made: Consider the trade-offs of equipment manufactured in the U.S. versus another country.

Finally, know what you’re sharing and with whom. Especially with computer services, it can be hard to tell how much access you’ve granted to a piece of software. For example, when you install an app, it’s not often obvious what else that app is accessing. Plus, many user-facing applications contract out parts of their capabilities to third-party companies and could be sharing your campaign’s sensitive information with those parties. This is true for both computer services and non-digital services. For instance, your app might be renting cloud space from another provider. Or your local communications consulting firm might use a third party to make calls. All these points are now links in your supply chain and merit your scrutiny.

Before investing in a service or an app, consider asking questions to clarify what information you will be sharing and with whom. Some questions you may ask: Who will have access to my campaign’s information? How are those people vetted? Where and how will you be storing my campaign’s sensitive information? Do you plan to use any third-party vendors to support my campaign? If so, can you provide information about them?

When you’re looking at applications, you might ask some extra questions. What information on my computer can your app see? Can your app make changes to my system? Is your app able to extract sensitive information, such as names or email addresses, from my system? If so, what does it do with this data? How will my campaign’s information be stored? Do you contract any parts of your service out to another company?

Only you know what’s best for your campaign. Knowing the parent company, security practices, and subcontractors of your supply chain partners will help you make more informed decisions.

Remember, your voice matters, so protect it.

Video Download

Video Source