WASHINGTON – As the midterm elections draw closer, officials from Google, Facebook and Microsoft urged local, state and federal candidates to take steps to secure their campaigns.
“I have seen this cycle that people are more aware when they get an e-mail that they think somebody might be phishing them and trying to put malware on their system. So I think there’s an education that’s happening out there. It is still not enough,” Lee Dunn, head of international elections outreach at Google, said during a “Protecting Your Campaign Online” discussion on Tuesday evening organized by TheBridge.
“We’ve gone to a number of political events where we’ll say, ‘How many of you have talked about two-step authentication on your Facebook account or your e-mail account, if you’re the candidate?’ And the majority of consultants and campaign managers will say, ‘Well, I talked about it with the candidate and the candidate said they took care of it, but I’m not sure.’ So it’s difficult because it’s sometimes uncomfortable and sometimes people think they know what they need,” she added.
Dunn, former general counsel for late Sen. John McCain (R-Ariz.), urged campaigns to visit Google.com/Elections for security help. Dunn explained that the need to properly secure campaigns extends to the local level as well.
“I think we encounter, a lot, people say, ‘Who would want to hack my campaign? I’m running for state senate in one state and nobody would want to know our plan about where to put yard signs.’ We try to make sure to let these candidates know there are people interested. You have to secure yourself. Everyone is at risk,” she said.
Don Seymour, who conducts politics and government outreach for North America at Facebook, outlined some of the ways to prevent bad actors from gaining access to campaign Facebook accounts.
“Sometimes the simplest thing is just using our product the way it is supposed to be used but people don’t always do that. Similarly, sometimes it’s like basic hygiene, right, if people created a Facebook account 10, 15 years ago, they probably used an e-mail address they may not check anymore,” said Seymour. “Sometimes that is an easy way for someone to gain access to an account is simply by an old address or an old account gets compromised and they’re not checking it. They don’t know someone logged into it because they don’t check into it. So it’s basic hygiene – making sure the accounts are updated and actually using the platforms the way they are supposed to be used.”
Seymour, former deputy communications director for former House Speaker John Boehner (R-Ohio), emphasized that users should follow Facebook’s “real identity policy.”
“I think people want to be secure. They don’t want to be careless with how they handle their information, but I think sometimes they have different ideas about what exactly that means. This might be unique to us, but Facebook has a real identity policy so the account you have on Facebook should represent you and be your real name,” he said.
“What we’ll sometimes see on campaigns and elsewhere is people will create one sort of fake account that they all log into and they all use to manage their presence for their candidate, and that’s probably not the most secure way to actually go about things. You have this fake account. Our system is looking at different people logging in from different locations. It is going to think it is a fake account. It might shut it down,” he added.
Ginny Badanes, strategic adviser for cybersecurity and democracy at Microsoft, elaborated on how securing campaigns has evolved since the 2016 presidential election.
“I would say there certainly is interest, I think, after the 2016 election cycle – you find that people who work in campaigns and elections are aware that they are a target, which is, I think, new from where it was before,” she said. “I think they are aware they should be doing things to be secure. I think what you run into are a couple of obstacles: The first is you are competing for attention with getting out the vote, which is ultimately what they’re there to do.”
Badanes said that a lack of resources for campaigns has posed another obstacle to cybersecurity.
“Campaigns are more like small businesses or startups, really. They have a very small budget to start with. They are dependent on donors for that money,” she said. “They take very careful account of that money and they are going to spend it on the pancake breakfast rather than spend it on additional security features or an IT team in house. Those are just not feasible for most campaigns.”
Dunn cautioned that the employees at companies working with campaigns should have two-step verification turned on for the personal email account they use, “two-step on their Facebook campaign and then whatever you use for enterprise e-mail, whether it’s Google, Microsoft or some other type of vender, make sure that the administrator has two-step and other types of security features turned on – it’s really important.”