What I Learned Trying To Secure Congressional Campaigns

You know how it happens. You try to secure one Congressional campaign, and then another, and pretty soon you can't stop. You'll fly across the country just to brief a Green Party candidate in a district the Republicans carried by 60 points. You want more, more, always looking for that next fix.

This is the situation I found myself in from late 2017 to 2018, when I was part of an effort that delivered a basic, hour-long campaign security training to 41 Democratic Congressional campaigns. It was exciting! I traveled the country like Johnny Yubikey, distributing little blue security tokens from a sack. The campaigns ranged from beyond-long-shot candidates running from their den, all the way up to some nationally prominent figures. I took a selfie with Bernie! I wrote an opinion piece in the Washington Post!

I don't believe I accomplished much, but I made so many friends along the way! And I learned a lot about the idiosyncratic world of Congressional campaigns; knowledge that I want to now hand over to you, the next person willing to take a swing at this piñata of futility.

This article is specifically about campaign security, or how to keep candidates and their staff and families safe from people trying to break into social media, read their email, or wire their campaign war chest to Nauru. There are a lot of even more hopeless problems, like election security, but as you will see there is plenty to lose hope about just in this corner of the problem space.

A note to the "well, actually" crowd

Every time I talk about training campaigns, it devolves into an argument over technology. I fear that by fixating on the technical content of the briefings, we are missing an opportunity for a much richer, more satisfying nerdfight about process.

There are two foundational questions in campaign security:

1. What do you say to a campaign if you get an hour of their attention?
2. How do you get an hour of their attention?

The second of these is the hard part. Like Mike Tyson says, “everybody has a plan until they're punched in the face.” Everyone has a security checklist for campaigns until they try to schedule a meeting. So my plea is, let's not forget to argue about the interesting problem of how to get to campaigns, in addition to whether I'm history's greatest monster for telling people not to use Android.

A note to idealists

Practical campaign security is a wood chipper for your hopes and dreams. It sits at the intersection of 19 kinds of status quo, each more odious than the last. You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on.

Putting aside the urge to fix these broken systems long enough to help people get work done is the great unsolved problem of campaign security. You will start out a descriptivist and end up a zealot, like I did. Trying to secure a modern campaign is like doing surgery with a scalpel made out of anthrax spores. At some point you will throw down the anthrax scalpel and say "this is impossible!", as it disappears in a puff of lethal dust. But the patient still needs you!

I will focus here on Democratic campaigns for Congress, because that is the world I know. If you know the Republican side of this, please tell me stories.

How a Congressional campaign works

To a first approximation, a House campaign is an 18-month fundraising marathon with lawn signs. Over its lifetime it will raise and spend something like two million dollars, and at its peak employ two dozen staffers.

For most of that period, you are dealing with a couple of people trapped in a living hell called call time. Theresa Gasper, who ran for Congress in Ohio's 12th district, describes it well here:

What is call time? Torture. You sit in an office for 4–6 hours (ideally) with a 20-something next to you dialing the phone and handing you a call sheet with info on the person you’re calling to beg for money. […] You have an “ASK” — the amount of money to specifically ask them for, and then you are strongly encouraged to get a credit card number over the phone and complete the transaction before hanging up. If not, it becomes a ‘pledge’ and if it doesn’t come in within two weeks, you’re back on the phone “pledge chasing”. [...] Ideally you’ll be on the phone 30 hours a week, you’ll make 40 calls per hour and connect with about 30% of them. Your call time manager will track the amount of time scheduled, the time you took for any breaks, the actual call time completed, number of calls made, number completed and the results — all of which will be submitted to the DCCC, EMILY’s List or any other group who has “adopted” your campaign.

This soul-crushing telethon is the principal activity of a Congressional campaign. Getting in its way is like getting between a mama bear and her cub. You are just going to find yourself clawed to death by a frantic finance director. Whatever you do to secure a campaign must not be an obstacle to fundraising.

There are two elections that matter to a Congressional campaign. The first is a primary, which in most districts is in May or June. The second is the general election in November. A few weeks before each election, the campaign staffs up, and you have people like field directors and volunteer coordinators come in, in addition to the many volunteers themselves. This is a time when a lot of training is done, and if you are lucky, you can insinuate yourself into it.

After the primary, it's typical for senior staff to reshuffle across campaigns, and the fundraising slog begins afresh. The fundraising calendar is built around quarterly FEC filing deadlines (March, June, September, December), and as every campaign sees the lion's share of donations come in during the last week of fundraising, that is the absolute worst time to try to reach anyone.

From a technology point of view, all a House campaign needs is a spreadsheet and a phone. There is no IT staff, a minimal consulting budget, and no special campaign infrastructure. The bigger campaigns may have a staffer set up G Suite or Microsoft Exchange, or farm the task out to a consultancy, while the smaller ones will just work off of personal devices and accounts.

The biggest piece of technology in the campaign is something called the Voter Activation Network (NGP VAN), a database of registered voters used extensively by field organizers for operations like phone banking and door-to-door canvassing. Campaigns get access to VAN through their state party. VAN is its own universe and outside the scope of this guide, but the person who is in charge of it is often the most tech-savvy person on the campaign, and you should make an effort to talk to them. (A good icebreaker with these people is talking about how much you both hate VAN.)

What is the threat?

There are two big areas of sensitive information around a political campaign. Let's call them 'Bucket A' and 'Bucket B'.

Bucket A is the stuff that is campaign-specific and needs to be kept confidential. This includes fundraising numbers and mailing lists, campaign memos on issue positions, research on opponents, strategy documents, media buys, correspondence with the national party, unflattering photos of the candidate and so on. The training materials the Democratic Party provides to campaigns are meant to keep this stuff safe.

Bucket B is what lives in people's personal accounts. This includes every email they've written, their social media history, complete access (via password reset) to all the online services they've signed up for, their chat history, creepy DMs, sexts to minors, plus all the stuff they've forwarded to their personal accounts from the campaign account, the Dropbox folder they keep their passwords in, and so on.

As an attacker, I would be drawn to bucket B. There is nothing interesting in a campaign's financials or strategy. The strategy is always ‘talk about health care’, and the financials have to be disclosed every quarter by law. Everything juicy lives in the personal accounts, and moving laterally between those accounts will eventually give you access to bucket A anyway, because people are terrible at keeping this stuff separate.

Targeting Bucket B means you can also target more people, like the candidate's spouse and family, who the people defending Bucket A consider out of scope.

In our training, we worked off the assumption that the Podesta hacks were a template for what might happen to campaigns, and that securing campaign-adjacent personal accounts was more important than worrying about campaign data.

There's no law that says this is how every bad actor has to attack campaigns. But you have to pick a threat, and we picked this one! I believe we were the only group in 2018 with an exclusive focus on securing personal accounts.

How do you get a meeting?

A campaign is a high-stress environment. There is no good time to approach them, but many bad times (usually right before a quarterly FEC filing deadline). My main advice in reaching out to campaigns is to make a specific request and have someone who can vouch for you.

Offering security training is like being a dentist offering a teeth cleaning. Everyone understands in the abstract that this is something they need. They feel guilty about putting it off. Maybe if you are really persuasive and can talk in scary terms about gum disease, they will agree to do it. But they will not enjoy it, and however much they promise, they are never going to floss. (Also in this analogy the dentist isn't a real dentist, but some guy who runs a bedbug website.)

You should understand that there are a zillion people and groups out there who want to do tech experiments on campaigns, and without someone to vouch for you, you will make no headway. You will fare especially badly if you have written an app to fix politics. Put the app away and never speak of it again.

If you're coming in cold, I suggest you volunteer for an established group like the DigiDems, a local campaign, or your local or state party office. Don't go in with guns blazing about security. Do something helpful related to IT so that you begin to meet people. Tech people who get stuff done are a rare and valuable commodity on any campaign.

One area where everyone needs help is figuring out how to do digital advertising, so if you help people there, you will soon be in a position where many people have warm feelings about you and you can start to ask for introductions.

Campaign security training works just like account hacking: you get better results by starting at the edges and working your way in. Spending time on a campaign will also teach you a lot about your audience, and why the solution you thought you had to the problem won't work.

What do you tell people to do?

As if getting campaigns to meet with you wasn't hard enough, there's also the problem of what to tell them.

The limiting reagent here is people's mental capacity for hassle. You have to take pains not to burn through it. It is possible, with whining, to get a campaign to do one or two things. If you catch them early enough, and can visit them multiple times, maybe they will do a third thing.

It took a lot of back-and-forth with friends in the security community to figure out what information we could convey in an hour, and how to prioritize it. We finally came up with this:

1. Collect information about what devices people are using, their email provider, whether they have two-factor authentication, how they share documents in the campaign, how they keep track of passwords, and so on. Explain that you are not a Russian spy. Make them do all their overdue software updates in front of you while you start part 2. (10 minutes)

2. Introduce U2F security keys and explain how they prevent the kind of attack that ensnared John Podesta. Demonstrate how to use them and what to do if you lose them. Have everyone open their laptop and walk them through the setup, then demo a trial login, with the key and with a backup method. (30 minutes)

3. Talk about email and attachments. This part is almost like sex education: you preach abstinence, but you know the moment you leave the room, they'll be double-clicking on whatever Excel spreadsheet the DCCC forwarded them that day. Explain high-risk behaviors, low-risk behaviors, and how to open stuff more safely in GDrive. Try to push the campaign towards shared Google Docs and Signal instead of email. (20 minutes)

If additional time is available, talk about devices and password habits.
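Why the security keys in part 2 hold up against phishing when a texted or app-generated code does not, as an added example that is not from the original article. It is a toy relying party in which HMAC-SHA256 stands in for the ECDSA signature a real U2F key produces; the origins, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed origins for illustration; neither is a real service.
REAL_ORIGIN = "https://mail.example.com"
LOOKALIKE_ORIGIN = "https://mail.example-signin.com"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1), as shown by an authenticator app."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_code(secret: bytes, code: str, unix_time: int) -> bool:
    """The server sees only digits; nothing records which page collected them."""
    return hmac.compare_digest(code, totp(secret, unix_time))


class ToySecurityKey:
    """Stand-in for a U2F token: one derived key per origin."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _site_key(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # A real token returns a public key; this toy hands the server the HMAC key.
        return self._site_key(origin)

    def sign(self, client_data: bytes) -> bytes:
        origin = json.loads(client_data)["origin"]
        return hmac.new(self._site_key(origin), client_data, hashlib.sha256).digest()


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the user, writes the origin of the page being shown."""
    return json.dumps({"challenge": challenge, "origin": page_origin},
                      sort_keys=True).encode()


def server_accepts_key(stored_key: bytes, challenge: str,
                       client_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: origin, challenge freshness, then the signature."""
    data = json.loads(client_data)
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = hmac.new(stored_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_demo() -> dict:
    secret, now = b"constructed-shared-secret", 1_700_000_000
    key = ToySecurityKey()
    stored = key.register(REAL_ORIGIN)
    challenge = os.urandom(16).hex()

    good = browser_client_data(REAL_ORIGIN, challenge)
    fake = browser_client_data(LOOKALIKE_ORIGIN, challenge)
    fake_sig = key.sign(fake)
    return {
        # The same six digits verify wherever the user typed them.
        "code_typed_on_lookalike_page": server_accepts_code(secret, totp(secret, now), now),
        "key_on_real_page": server_accepts_key(stored, challenge, good, key.sign(good)),
        # Touching the key on the lookalike page signs the wrong origin.
        "key_on_lookalike_page": server_accepts_key(stored, challenge, fake, fake_sig),
        # Rewriting the origin afterwards breaks the signature instead.
        "origin_rewritten_after_signing": server_accepts_key(stored, challenge, good, fake_sig),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A real key also signs a counter and a hash of the application ID, which this toy leaves out.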

On the best days, I was able to sit down with the whole campaign staff, who had brought their laptops. One or more people had heard of security keys, the candidate already used a password manager, and there was enough time for questions at the end. There was a fresh box of donuts on the table, right in front of me.

On the worst day, I flew to meet with a campaign manager who truncated our appointment to ten minutes and skimmed through emails as I was talking, and then I got on a plane and flew away.

What I learned doing the training

As far as hardware goes, campaigns are in pretty good shape! Macs, iPhones and Chromebooks are in widespread use. Chromebooks are popular with field organizers because they're cheap.

Very few people are aware that there is a big jump in safety between using a laptop and using a phone/iPad.

Most people use Gmail for their personal email, and a significant number have it set up with SMS as the second factor (that is, they get a numeric code texted to them when signing in). Most people also have multiple Gmail accounts.

There are often easy technical problems you can solve that build goodwill. For example, we found out that NGP VAN and Facebook use different data formats, so people around the country were spending time massaging CSV files in order to create Facebook campaigns. A friend wrote a script that did this conversion automatically when you dragged things to a desktop folder, and I would mention this during campaign visits. Suddenly I was no longer the dentist, but Santa Claus come early.

The odds are good that at least one person in the room has used a TOTP app (like Google Authenticator) and has it installed on their phone.

Sometimes the most productive people on a campaign are volunteers with unfixable bad technology habits. There seems to be a relationship between orneriness and output. It's important to give campaign people strategies for reducing the volunteer's technological blast radius while still allowing them to get work done.

There is a certain breed of young person who I came to think of as campaign ronin. They are political junkies in their twenties and thirties who wander between campaigns, or back and forth into the world of political consulting. Their mobile nature (and tendency to gossip) makes these restless souls a good vector for security practices.

Google's Advanced Protection Program is almost comically unusable for campaigns. The expensive dongles break easily, and when the dongle breaks you are locked out of your fundraising spreadsheets until you can reach Google support (if such a thing exists). This breaks the cardinal rule of never getting between a campaign and fundraising. I will leave you to guess whether Google ever field-tested APP on a live campaign.

The first thing that happens when setting people up with U2F keys is that 20 identical keys get mixed up. Bring sharpies or colored tape with you!

A useful way to set up a backup U2F key for all staff is to clip it to a hula hoop that hangs in the campaign manager's office. This is goofy but effective.

Any training that involves email should budget time for people to go through password recovery, because someone will inevitably forget their password. Also some handy advice to phishers: people who can't remember their Gmail password will sequentially try all of their passwords until one works.

Nobody acts on the DNC/Belfer Center Cybersecurity Campaign Playbook recommendations, because they are too vague. I found it best to treat the Belfer document as a revered holy text that required exegesis to be understood by the faithful.

People had a fairly good sense of what phishing was, and why it posed a threat. They were pleasantly surprised to learn that susceptibility to phishing had nothing to do with tech savvy. In the campaign context, it's important to remember that staff will also be targeted by phone, and that campaign funds may be a more attractive target than data.

Most candidates and staff I met had gone through and scrubbed their Facebook accounts early in the campaign.

Very few people use Twitter.

Things that worked well

Doing this in person. I don't believe any training in this space can be effective unless actual human beings go out and do the work.

Giving people one way to do things. A lot of the training materials in this space make a distinction between regular communication and "sensitive data". I found it easiest to tell people to do everything the secure way. This reduces the cognitive overhead of having to evaluate what is sensitive, and eliminates an entire class of mistakes. So for example, rather than treating Signal as a higher-security version of email, I urged campaigns to move all their conversations there.

Recommending specific products. We told people to use Signal, iPhones/iPads, Google docs, and to buy the blue Yubikey. If any of that posed a problem, we found other products to recommend. The goal was not to score those sweet affiliate sales, but to remove decision points and cognitive overhead by standardizing on a known good set of products. There are a hundred FIDO keys you can buy, but only one blue Yubikey, and that is the point.

Talking about degrees of safety, and giving people an incremental path to secure behavior. For example, we told campaigns it was best to have a password manager, okay to have a written list of random passwords, dangerous to have a password pattern you would modify across sites, and unacceptable to re-use a single password across sites. That way people could improve their security incrementally until they got to the recommended configuration, even if they couldn't get all the way there in one step. I preferred that they use their cat's birthday as their Google password and their dog's birthday for Facebook, rather than the dog's birthday for both. We live in a fallen world.

Shame reduction. I tried to emphasize to people that there was an entire security community rooting for them, and that it shouldn't be their job to have to get all these broken technologies right. I learned if you refrain from shaming people, they will eventually confess some horrific sins, and snitch on others.

Spreading the impact over time. I encouraged campaigns to pick one thing a week and do it. For example, in week 1 they might all move from SMS to Signal, and get used to that. In week 2 they could make sure they were set up with security keys. In week 3, switch from attachments to sharing Google docs. This made follow-up conversations less confrontational. Campaigns could talk about what they had done, rather than feeling like they had fallen short.

Giving people a contact number. I handed out my phone number to everybody, and told campaigns to pester me with questions, however trivial. I was always delighted to hear from a campaign, because it meant that they were trying to follow some of the security advice. If they asked me their question over Signal, it felt like Christmas.

Using public health analogies. It was tricky at first to figure out how to convince people the threat was real without scaring them into apathy. The analogy to public health did the job. I told people they were getting the 'wash your hands, boil your water' version of security advice, which communicated several ideas: that the guidelines were practical, that they made people safer, and that they weren't targeted at "tech" people.

Things that went badly

Password managers. I was never able to find a way to set people up on a password manager in the time available. Let me be very clear: I would like all people to use a password manager. Every night, I dream of a world where people use password managers. But I never found a way to get people onto 1Password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet. And I'd do it again!

Attempts to work with the DNC and DCCC. The national party was so unhelpful that in the end I had to treat them as part of the threat model. Particularly vexing was their addiction to sending email attachments. To cite one small example: on August 22, the DNC had a phishing scare, where they mistook a vulnerability assessment for an actual attack. The next day, DCCC Executive Director Dan Sena sent an email to all campaigns with the subject line "Reminder About Cybersecurity". That email included three attachments, including a file evocatively titled "2—20170712—Falcon.docx". I can't think of a more efficient way to compromise every campaign in the country than blasting security alerts with dodgy attachments from the DCCC email account. The DCCC sent out attachments constantly. It drove me nuts. And I was never able to get a meeting with anyone there to slug it out.

Uneven U2F support. Security keys are still hard to use. The biggest problem is the lack of support for U2F on the iPad or iPhone. Some people noticed that we were giving them contradictory advice: do as much as you can on your iPhone, the one place where you can't use the security key we gave you. It also sucked that the keys didn't work with Safari, Firefox (at the time), or with Microsoft Exchange. Twitter, unfathomably, added U2F support but didn't allow for multiple keys (a necessity for political campaigns, where Twitter logins are shared). Even the sites that support security keys still have abysmal documentation. Someone needs to start mass-producing fun, designy security keys that look cool on a keychain. The day I see a Hello Kitty security key is the day I know that phishing is dead.

The candidate. The candidate was the hardest person to secure. They were too busy to come to the training. They didn't want to move off their Lòudòng SB250 phone because it had all their favorite Flash games from the Yahoo store on it. Three different antivirus programs competed for dominion over their Windows 7 laptop. A mulish obstinacy is almost a pre-requisite for running for office (since you spend all of your time deflecting requests from people who want you to do stuff). That, in turn, makes it very hard to change a candidate's habits. And without support at the top, it's hard to get everyone else to take the problem seriously.

The tech expert. There is a breed of person who loves locking stuff down and playing secret decoder ring, and will make life a nuisance in the name of security. A particularly challenging case is people whose background is in military or corporate IT. They see personal accounts as a threat to be banned from the campaign, rather than the main thing they needed to be defending.

D.C. people. These are characters from Veep come to life. They dress in suits, are very busy, and radiate contempt for the politically unconnected. They can arrive on a campaign either as consultants, or as full-time campaign staff. The problem with them is their email habits. They communicate exclusively by Word attachments sent from their AOL account, and will not use Signal. Having no point of leverage over these people, I couldn't do more than watch them come in to a campaign and blow everything up.

Offering the training for free. I wish I had charged campaigns a lot of money for the training, so they would put a proper value on the help they received. Campaigns didn't realize they were being given priority access to some of the best security people in the country. Thanks to this informal network of do-gooders, I was able to escalate stuff arbitrarily high to get help or answers, often in a matter of minutes. But to a campaign, it looked like a stranger begging for scraps of their valuable time. Ideally, there would be a billing model where the training is free, but the campaign gets charged thousands of dollars for ignoring it.

Whose job should this be?

Doing this stuff felt exciting and patriotic. I got platinum frequent flyer status! It fed my sense of self-importance and helped me achieve new heights of procrastination.

But who should actually be doing this stuff for real? And why aren't they? I'll cover that in a future post.