For political campaigns, even free cybersecurity is still a tough sell

Attackers are targeting campaigns and political parties more than election infrastructure, according to a recent report from Google.

Alex Castro

Michael Kaiser knows that cybersecurity is often not the top priority of a political campaign—or at the very least, it ranks below winning.

That’s why Kaiser’s nonprofit, Defending Digital Campaigns (DDC), provides free and low-cost defenses like email authentication, hardware keys, and website protection to political teams that have data, credentials, and money at stake.

But free cybersecurity isn’t as easy a sell as it sounds. Understaffed campaigns move quickly, and cyber is one more item on a lengthy agenda.

“You have to make it so easy—which is what we try and do—so that it doesn’t take too much time [away] from winning,” Kaiser, DDC’s president and CEO, told IT Brew.

Who’s in? Founded in 2019 with government cyber-experts and campaign managers from Mitt Romney’s and Hillary Clinton’s teams, DDC works with vendors like cybersecurity company Cloudflare or email-auth automation firm Valimail to provide services to campaigns. The FEC approved DDC’s bipartisan mission in 2019.

The nonprofit’s site shows 11 technology partners—from Google Titan security keys to Doppel, which targets AI-assisted social engineering.

According to numbers Kaiser shared with IT Brew in April 2024:

  • DDC has “memorandum of understandings” (MOUs) with 42 state parties, allowing them to receive products for free.
  • Since its inception, the group has given at least one product to 580 campaigns.
  • DDC is approved to provide services to campaigns in Ohio, Georgia, and Virginia, while working to obtain approval in other states. (Here are federal campaign eligibility requirements.)

Easy targets. Campaigns have what Kaiser calls a “squishy perimeter,” unlike the clearer walls of an enterprise: “You’ve got a staff, a candidate, you’ve got friends of the candidate working on campaigns, volunteers who are working on campaigns, and connections to other organizations in the community that are supporting the candidate,” he said.

State-level or local campaigns often lack IT expertise that can help prevent teams from falling for threats like phishing, according to Joe Cusack, who spoke with IT Brew in April when he was deputy executive director and general counsel for Georgia’s Ethics Commission. The commission had recently approved the use of DDC’s services.

“Their campaigns really aren’t raising more than $40,000 or $50,000. And it’s basically either their spouse or their kids doing their books for them,” Cusack told IT Brew.

For DDC newcomers, Kaiser, the former executive director at the National Cybersecurity Alliance, recommends baseline protections, including email-authentication standards like DMARC.

“If a campaign is doing nothing, then they take security keys, protect their website, and do their DMARC…They’ve done a ton,” Kaiser said.

Why now? A moment that led to a greater push for digital defenses, according to Kaiser, happened in 2016, when phishing emails targeted the Hillary Clinton campaign and compromised the account of then-chairman John Podesta.

“That was the lighthouse in the distance, for this space,” Kaiser said.

In a recent report, Google revealed top threats for election campaigns, including insider threats, denial-of-service, and website defacement.

“Our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news, and social media more frequently than actual election infrastructure,” the report said.

In a statement, Hannah Muldavin, senior spokesperson for the Democratic National Convention (DNC), said, “The DDC has proven an invaluable partner, helping support campaigns and state parties with essential resources needed to strengthen their defenses.”

The DNC believes the Democratic Party has a “robust security infrastructure” (while not elaborating on specifics), according to Muldavin, adding that cybersecurity is “a central priority for the DNC” as it heads into the general election.

During a 2017 Senate Intelligence Committee hearing, Senator Marco Rubio said Russian cyberattackers apparently targeted his campaign team in 2016. Eric Wilson, then-digital director for Rubio’s campaign and current Republican digital strategist and managing partner of Republican tech incubator Startup Caucus, sees cyberattackers targeting campaigns for two reasons: to access a trove of voter files, donor records, and funds, as well as to stir up disorder.

“The goal is not to boost one candidate over another; they just want to have chaos in our system,” Wilson told IT Brew.

New threats. A study of 2,000 registered voters, conducted by the DDC and participating vendor Yubico, revealed that 52% of respondents have received a phishy email and/or text message appearing to be from a campaign.

In a 2024 survey, cybersecurity company Arctic Wolf found only 50.7% of over 130 surveyed state and local US government leaders said their team received election-specific cybersecurity awareness training.

Kaiser’s goal leading up to Election Day: reach as many “high-risk” campaigns as possible—those involved in races with the most money and potential power shifts at stake.

“There’s much, much more built-in security than there was in the days of yore. However, you still have to get people to do stuff,” Kaiser said.
