Although the 2020 presidential race has become more crowded in recent weeks, Mick Baccio — the chief information security officer for Democratic presidential candidate Pete Buttigieg’s campaign — isn’t concerned.
Baccio may be the only person on the South Bend, Indiana, mayor’s staff that isn’t worried about former Massachusetts Gov. Deval Patrick, Sen. Elizabeth Warren, former Vice President Joe Biden or any of the other candidates. For him, the competition is foreign adversaries trying to hack into Buttigieg’s campaign infrastructure.
“I don’t do politics. I’m just learning how the caucus works,” Baccio said during remarks at CYBERWARCON, a cybersecurity conference held Thursday in Arlington, Virginia. “I don’t care if it’s left or right, I care if it’s Russian or Iranian [intrusions]. That’s who I really [care about], that’s the competitor.”
His ultimate goal is making sure Buttigieg’s campaign doesn’t fall victim to the same intrusions that Hillary Clinton’s presidential campaign or the Democratic National Committee suffered during the 2016 campaign at the hands of Russian-linked APT groups.
“I’m in charge of rolling out the [cybersecurity] program, the vision for it, and what we’re going to do to make sure 2016 doesn’t happen again on this campaign,” Baccio said.
The prominence of Buttigieg’s campaign just got a little bigger in the last several days as he has shot to the top of the latest polls in Iowa and New Hampshire. A rise in Buttigeg’s stature will make his campaign a prime target among adversaries who may seek to interfere in the 2020 election.
Cyber-hygiene, money, and deception
Baccio told Thursday’s crowd that he also makes sure that Buttigieg’s campaign staff is mindful of their cyber-hygiene, including recommending use of encrypted chat applications like Signal. That’s no simple task since Buttigieg’s operation is heavy on mobile operations and spans the country from California to South Carolina.
“My big thing is updating the culture,” he said. “I’m putting something on a place where it’s never ever been before, and we’re moving at 100 miles per hour.”
In addition to having teams devoted to campaign leadership — including Buttigieg, his husband, and the traveling team — Baccio also oversees several other distinct security teams, focused on security for several Buttigieg campaign teams: policy, finance, investment, and data.
But Baccio is abundantly aware that his budget requests may not be met with enthusiasm as the campaign attempts to secure the Democratic nomination for Buttigieg.
“Every dollar we spend on cybersecurity is a dollar we don’t spend on ads in New Hampshire or Iowa,” Baccio said. “I’ve got to convince [the campaign] that I’m telling [them] the right thing to do and it’s going to be cheap, scalable, and secure.”
But it’s not just about basics like two-factor authentication and use of encryption — Baccio and his team are also worried about deception in politics; in particular, deepfakes or videos that may imitate Buttigieg and spread disinformation about his campaign or policy goals.
“If there is that doctored video, we have that vision to kind of combat it,” Baccio said. “One of the problems we’re trying to get in front of is we keep [Buttigieg] in front of a camera pretty much all of his waking hours.”
And although he sees his role as distinct from politics, gamesmanship at times comes into play. Baccio is keeping tabs on spoofed websites that may appear to be a URL connected with a Buttigieg campaign site, but actually redirect to sites affiliated with other candidates, including ones that allow visitors to donate to President Donald Trump’s re-election campaign. In all, there are 525 spoofed Buttigieg domains that could trick voters, according to Baccio.
Generally as CISO, however, Baccio is not focused on influence operations or voting machine security. But whatever his angle may be, Baccio pointed out even with a crowded candidate field, he is still the only full-time CISO employed by a campaign.
“Security is something we can do together,” Baccio said. “We’re all going to make mistakes. All you can do is encourage to report it, get in front of it, and just do the right thing.”