As Washington turns its attention to the 2020 presidential election, the Democratic National Committee on Friday released updated security guidance it says will “dramatically reduce the risk” of hackers breaching candidates’ devices.
The checklist is straightforward security advice driven by an awareness of current threats. The DNC, scarred by the Russian intervention in the 2016 presidential election, has invested in improving Democrats’ cyberdefenses in the last two years. U.S. intelligence officials warn that foreign adversaries will continue to target political organizations ahead of votes being cast in 2020.
“Our adversaries are already at work, whether a candidate has announced or not,” DNC Chief Security Officer Bob Lord said in a statement.
The DNC checklist advises candidates and their staffers to encrypt their laptops in case they are lost or stolen and to use a password manager to make it harder for attackers to crack credentials.
The committee is encouraging everyone from presidential candidates to field staffers to heed the guidance.
Politico was first to report on the checklist.
Lord and other DNC cybersecurity officials also encourage Democrats to use the HTTPS Everywhere browser extension, which ensures an encrypted connection to websites. The checklist also urges candidates, staff and family members to use Google’s Advanced Protection program, a token-based second factor for logging into Gmail that combats phishing.
“The risk of phishing is high,” the memo says. “Enroll yourself, key staff, and your family members in the Advanced Protection program. Consider it mandatory.”
Had John Podesta, Hillary Clinton’s 2016 campaign manager, been able to use Advanced Protection, “the world might be a very different place,” one technical expert told Reuters when Google released the tool in 2017. Russian operatives hacked Podesta’s Gmail account as part of Moscow’s intervention in the election, U.S. intelligence agencies and independent security researchers have determined.
The DNC encourages party members to use two-factor authentication with a second factor that is not a text message, as hackers have proven capable of intercepting SMS messages. The checklist walks candidates through their social media and email accounts, asking if they’ve enabled two-factor authentication for each. “Protect them all,” it says.
The committee also wants politicians and their staff to use encrypted messaging applications like Signal and Wickr, and it suggests they use devices with built-in security features like the Chromebook or iPad.