If you’ve wondered whether or not to take campaign cybersecurity and digital trickery seriously, this week should dispel your doubts. Just in the past few days, we’ve found out that:
- Russian hackers targeted Senate staff and conservative think tanks with clever phishing campaigns, creating fake versions of organization websites and sending official-looking emails designed to capture login credentials
- Russia and Iran had both launched new campaigns on Facebook targeting American voters, which the company has now silenced
- Both countries had also set up YouTube accounts (and in Iran’s case, Blogger and Google+ profiles), which are also now dead
- Twitter shut down 284 accounts apparently associated with Iranian propaganda aimed at the US
Of the four episodes, the phishing attacks would be by far the most dangerous, since they could expose inside information to hackers working for the Russian government. Remember, John Podesta’s emails ended up in Russian hands in 2016 because he clicked a link in an email that the Clinton campaign’s IT team said was safe!
The fake Russian and Iranian social media accounts don’t seem to have made much of a splash, with their videos reaching pathetically few people. While Iran’s Facebook pages attracted over 100,000 followers in total, as April Glaser notes, they posted content that wouldn’t appeal to many Americans and didn’t rise far above the amateur.
Still, we can’t forget that these are only the accounts that we know about: groups with malevolent intent may be running campaigns beneath the radar right now, just as the Russians did in 2016. If your campaign or organization isn’t at least thinking about how to respond to fake or slanted content posted online, you may be caught flat-footed. As I put it in the 2018 digital campaigning ebook,
Likewise, any candidate can be on the receiving end of lies spread online, amplified by a bot-net or your crazy uncle, and campaigns should plan for rapid response against a digital smear. Pro tip: mobilize your supporters to speak on your behalf, and be sure not to repeat the lies as you fight them. Looking ahead, if you thought fake news and Facebook data breaches were bad, wait until fake video becomes commonplace.
On the positive side, at least some groups are investing in cybersecurity, though not always with the most elegant execution. Michigan’s Democratic party created a stir this week when the DNC spotted a test phishing website the party’s security consultants had set up to see if their staff training would keep people from clicking a bad link. The DNC didn’t know that it was a test, so they alerted the media, to much embarrassment when the truth came out. Still, I’m glad that the Michigan party ran the test AND that the national party caught it!
We’re only at the beginning of the saga of campaign hacking, of course — as technology evolves, Bad Hombres will find new ways to fool us and to get their hands on political secrets. Unfortunately, we will never be able to relax our guard without risking the consequences. Brave new world, indeed.
– cpd