Protected Voices: Supply Chain
The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including supply chain, to help mitigate the risk of cyber influence operations targeting U.S. elections.
We’re all familiar with the expression: “There’s an app for that.”
But what else is the application doing—and is it opening a door for bad actors to exploit your information?
Hello, I’m Pete, a special agent with the FBI. In this video, I’ll offer tips to evaluate the apps, services, and technology—what I’ll call a supply chain—that you choose to run your campaign.
Whether deciding on cloud storage solutions, communications equipment, contracted services, or other products, your campaign will be making a lot of choices. On top of thinking about cost and effectiveness, I urge you to also think about security vulnerabilities. If you take a few simple steps, you can mitigate large chunks of risk.
Here are some specific, actionable things to consider.
First, the parent company: Do you know who’s really providing the service? A company might simply be the “American face” of a foreign vendor or a known bad actor. Or a foreign government could’ve invested heavily into the company, thus creating products with a low price tag but a high security risk.
Consider checking your proposed partners—apps, people, and technology—against credible open-source references such as watch lists compiled by the Department of Commerce, the Better Business Bureau, and records that show the company’s headquarters location.
Once you’re comfortable that you know your potential partner, evaluate whether they are security savvy. This applies to both cyber and physical security.
On the cyber front, consider using U.S.-owned and controlled businesses. For instance, a major American cloud provider is more likely to comply with industry regulations and best practices than a foreign provider.
On the physical front, check where your potential partner intends to store your data or equipment. A secure location decreases the risk of someone walking off with your hard drive, and employees vetted through a background check are less likely to misuse their access for fraudulent purposes.
Find out if the company has an insider threat mitigation plan. If you’re buying equipment, think about where that equipment is made: Consider the trade-offs of equipment manufactured in the U.S. versus another country.
Finally, know what you’re sharing and with whom. Especially with computer services, it can be hard to tell how much access you’ve granted to a piece of software. For example, when you install an app, it’s not often obvious what else that app is accessing. Plus, many user-facing applications contract out parts of their capabilities to third-party companies and could be sharing your campaign’s sensitive information with those parties. This is true for both computer services and non-digital services. For instance, your app might be renting cloud space from another provider. Or your local communications consulting firm might use a third party to make calls. All these points are now links in your supply chain and merit your scrutiny.
Before investing in a service or an app, consider asking questions to clarify what information you will be sharing and with whom. Some questions you may ask: Who will have access to my campaign’s information? How are those people vetted? Where and how will you be storing my campaign’s sensitive information? Do you plan to use any third-party vendors to support my campaign? If so, can you provide information about them?
When you’re looking at applications, you might ask some extra questions. What information on my computer can your app see? Can your app make changes to my system? Is your app able to extract sensitive information, such as names or email addresses, from my system? If so, what does it do with this data? How will my campaign’s information be stored? Do you contract any parts of your service out to another company?
Only you know what’s best for your campaign. Knowing the parent company, security practices, and subcontractors of your supply chain partners will help you make more informed decisions.
Remember, your voice matters, so protect it.
- 06.11.2020 — Help Identify Subject Who Threw Explosive in Uptown Charlotte
- 06.04.2020 — Director Wray’s Remarks Regarding George Floyd’s Death and FBI Role in Current Events
- 06.01.2020 — FBI Pittsburgh Congratulates Penguins Foundation
- 05.28.2020 — Inside the FBI Podcast: IC3 Turns 20
- 05.21.2020 — FBI Phoenix Joins Arizona Law Enforcement Leaders in Honoring the Fallen
- 05.21.2020 — FBI Sacramento SAC Congratulates Fairfield Police Chief
- 05.18.2020 — 2020 Police Week FBI Chicago Candlelight Vigil
- 05.15.2020 — FBI Dallas Honors Fallen Agents in National Police Week Message
- 05.15.2020 — FBI Honolulu COVID-19 Public Service Announcement
- 05.15.2020 — FBI San Diego Honors Fallen Officers During National Police Week
- 05.15.2020 — FBI New Orleans Recognizes Peace Officers Memorial Day
- 05.14.2020 — 2020 FBI Wall of Honor Memorial Service
- 05.14.2020 — Director Wray Honors Law Enforcement Partners During National Police Week
- 05.11.2020 — Minneapolis FBI Honors Fallen Agents in National Police Week Message
- 05.08.2020 — Jacksonville SAC Congratulates High School Graduates
- 05.08.2020 — Seattle FBI Recognizes Fallen Officers in Police Week Message
- 05.04.2020 — FBI Dallas COVID-19 Public Service Announcement
- 04.30.2020 — Inside the FBI Podcast Trailer: FBI Top Ten List Turns 70
- 04.30.2020 — FBI Jacksonville Honors Director's Community Leadership Award Recipient
- 04.29.2020 — FBI Volunteers Assist Families in Philadelphia