STEP 7: Incident Response Planning

It’s just as important to plan for responding to an attack as it is to develop a security strategy to prevent one. How you respond often has more to do with the ultimate outcome of an incident than what was compromised. You should budget some time at strategic retreats or longer senior staff meetings to discuss what will happen if something does go wrong. Here’s a checklist of the steps you should take:

LEGAL

✔ Identify outside counsel you will retain in the event of a cyber incident, and discuss the response process with them at the outset of the campaign. In most cases, this will be the same person who represents your campaign on other matters, but ideally you would have someone who specializes in incident response on call, either pro bono or for a $0 retainer.

✔ Ask your lawyer to explain your legal obligations if data is stolen and what compliance measures you will need to have in place.

✔ Understand your vendors’ legal obligations to notify you or others if they are hacked. Wherever possible, include strict notification requirements in your vendor contracts, since third parties are a frequent source of breaches.

✔ If you believe you’ve been breached, a best practice is for your lawyer to oversee your response under attorney-client privilege.

✔ Talk to your lawyer about the best way to work with law enforcement if a breach occurs. Every campaign will approach this differently.

TECHNICAL:

✔ Determine ahead of time whom you will call for technical assistance if you think you’ve been hacked. Your state caucus or national party committee can usually provide referrals.

✔ Choose someone on the campaign who will interface with technical experts in the event of a breach. This is ideally the same person who is already coordinating IT for the campaign. Managing an incident response can be overwhelming, so you want someone focused on the technical aspects who knows what they are doing. That way you can focus on communicating with stakeholders and the press.

OPERATIONS:

✔ Decide in advance who will be on your Incident Response Team (IRT) and who will participate in incident response meetings. It’s important to include someone from your IT, legal, operations, and communications teams. If you’re a small campaign and don’t have full-time communications, IT, or operations support, plan to include any key staff who oversee campaign operations.

✔ Determine the chain of command for decision-making in the event of a breach, especially regarding communications. In many cases, this will be the campaign manager, but some managers may choose to delegate responsibility to someone else.

✔ Identify what app or technology you will use to communicate if you think your email has been breached (Signal and Wickr are two common options). Communication during a breach is essential, but you don’t want your adversaries to know what you’re saying—or even that you are responding to their actions.

COMMUNICATIONS:

✔ Conduct scenario planning. For many campaigns, this can be part of an existing strategy retreat. For bigger campaigns at higher risk, it may be necessary to have a dedicated meeting. Your scenario planning should include:

✔ Identifying key internal and external stakeholders, like your staff, volunteers, donors, and supporters. Know whom you need to contact if an incident occurs and rank them in order of priority. Develop a contact list and designate who will reach out to them.

✔ Brainstorm the most damaging scenarios and consider how your stakeholders and messaging may change for each one. Different scenarios could include:

Rumors that your campaign has been hacked;

Credit card and contact information for your donors is stolen;

Ransomware and an extortion attempt are lodged against your campaign;

Your systems are wiped and shut down;

Someone’s emails are stolen;

Your adversary steals your administrator’s credentials and every file on your campaign drive.

A malicious actor alters statements on your website or public accounts.

✔Be careful what you say in the present about cyber security policy or cyber incidents. Some victims of cyber crimes have previously made grandiose pronouncements about their own security measures, or have criticized others who have been attacked. The press will hold you accountable for what you said in the past if you fall victim.

✔ Similarly, avoid providing details about the scope of the event in the early phases of the incident (and if you can avoid discussing the scope altogether, even better). Details available at the outset will change as you investigate. A common mistake is to say something that later turns out not to be true (e.g., “they didn’t steal very much,” or “no personal information was taken”). Saying only what you know for sure is the safest course. Statements should focus on the actions you are taking to make the situation right for the affected stakeholders.

✔ Develop some boilerplate language iin advance, so that you can draft statements or talking points quickly if an incident occurs. At a minimum, create a simple Q & A document that you can rapidly revise if you actually need to use it. Creating a Q & A document in advance will help you to think as much about what you won’t say as what you will say. For example, the first question will often be, “What happened?” However, you may not be able to answer that for days or weeks. The fact that you don’t know what kind of breach will take place can actually help you write better boilerplate answers in advance.

Questions to include in your Q & A document are:What happened?

How did it happen?

Who did it?

What was stolen or damaged?

Was anyone’s personal information stolen? What are you doing to protect them?

How did the hackers do it?

Are the hackers out of your system?

How long were they in your system?

What security measures did you have in place? Why weren’t they effective?

Shouldn’t you have known this would happen? Why weren’t your systems better secured?

Are you working with law enforcement? Has law enforcement contacted you?

In a ransomware breach, you’ll be asked: Did you pay the ransom and why or why not?

✔ Stay in touch with your key stakeholders and keep them as informed as you can. You probably won’t be able to say much, but contacting them regularly with what you do know, having a clear statement about your intentions, and providing details about what you are doing to manage the situation are key. Avoid setting an expectation of too frequent updates, because often you won’t have new information and your stakeholders will become frustrated if you continue to return to them without new information. Only speak proactively to the media if you have new information to provide.