While hundreds of millions of dollars in federal money have been allocated for securing state election infrastructure this year, political campaigns are often cash-strapped operations short on cybersecurity expertise.
“Especially in the early phases of the campaign, it is not staffed by professional IT and certainly not cybersecurity people,” said John Gilligan, the executive chairman of the nonprofit Center for Internet Security (CIS).
When a candidate decides to run, the campaign might acquire a few computers and start building databases without prioritizing cybersecurity, Gilligan said Tuesday at the Center for Strategic and International Studies.
CIS, which runs a center for sharing threat data with state and local officials, is looking to extend its information-sharing initiative to campaigns. The goal is to chip away at the security-resource deficit facing candidates, as numerous tech companies are trying to do by offering free security services to campaigns.
The Elections Infrastructure Information Sharing and Analysis Center, which Gilligan is looking to build on, offers state and local officials cyberthreat notifications along with technical assistance in addressing those threats.
Gilligan said CIS has begun reaching out to the Democratic and Republican national committees about the prospective information-sharing program. With the midterms just a week away, the project wouldn’t bear fruit until 2020.
“My hope would be by 2020 we’d have begun to have a dialogue with campaigns, we’d [have] begun to show them some value, and most of the campaign organizations are taking advantage of the information that we’ll provide for free,” Gilligan told reporters after a panel discussion at CSIS.
Although the major parties’ Senate candidates tend to have bigger staffs to draw upon, many campaigns across the country operate on tight budgets, and their need for cybersecurity support is clear. For example, nearly 30 percent of House of Representatives candidates have significant security issues in their websites, compared with less than 5 percent of Senate candidates, according to research presented at DEF CON in August.
The Department of Homeland Security, meanwhile, has been doing its own work with the DNC and RNC on cybersecurity best practices and training. In general, however, the politics of those interactions can be delicate.
“We don’t have an effective structure as a government…to have conversations with campaigns outside of a partisan conversation to elevate the concerns on security,” Robert Kolasky, head of DHS’s National Risk Management Center, said at CSIS.
“Competitors work together on security; they don’t compete on security,” Kolasky told reporters. “I’d like to get to the point where campaigns work together on security, work with the government, and don’t compete on security.”
While campaigns come and go, the DNC and RNC are sustained institutions. But even so, as Kolasky pointed out, senior staff at the committees often change, meaning “we have to…figure out the right sustained infrastructure to work with the political parties.”