Posted: 4 Min ReadElection Security

Email, Communications Safety Key to Election Security

It pays to exercise extra caution, particularly when it comes to campaign email and cellphone communications. Here’s what you need to know

I grew up near Eagle Lake, Florida, your typical small American town with fewer than 2,000 people and just one or two traffic lights. Still, it was big enough to invite the attention of political operatives. In 1996, two men broke into the City Manager’s office to plant a bug in the manager’s telephone. One of those men was a candidate for City Council.

Heading into the fall election season, it’s a lesson that everyone - not just highly-paid political operatives - should take to heart.  We’re all potential targets nowadays and so when it comes to online behavior, it pays to exercise extra caution, particularly when it comes to email and cellphone communications.  And for those people working to elect their particular candidates, the warning goes double. No political race is too small or off limits today. Every campaign has information of value. 

Unsecured communications - either due to oversights, user error or just plain disregard of basic cyber security protocols - can cause embarrassment and disruptions to any organization. Here’s what you can do to make sure campaign doesn’t wind up numbering among the victims.

Use Watermarks for Personal Verification

Use watermarks to ensure verification when sending around and opening emails.  Choose something that’s not going to be obvious. Perhaps you and your team can use a symbol or phrase not widely known by the general public to help colleagues know that it’s really you. Without spilling secrets, I regularly add a special symbol to my communications to colleagues, so they know it’s the real Brian Varner when they receive an email, text or social media update from me. If someone spoofs my identity, the watermark is a good way to double check whether an email is indeed from me. The key here is rigor.  Once you start using a watermark, you must use it without fail in every communication.

A VPN is Your Friend When Connecting to Public Wi-Fi

Don’t trust your hotel or favorite coffee shop to protect the integrity of your internet connection. It’s too easy for attackers to hack into public Wi-Fi systems and conduct man-in-the-middle exploits or other spying operations.  Make sure that you’re using a VPN service whenever you’re telecommuting from outside of your office. Otherwise, you’re courting trouble as the garden-variety Wi-Fi access point is a sitting duck. The main issue is that you don’t know if the people who set up the access point turned on things like client separation.  Protect yourself.

Also, take these steps to further protect against attack:

  • Turn off your phone’s Wi-Fi hot spot. Using your phone’s hot spot when you’re on the road sure is convenient, but it beacons out your phone’s SSID. If an attacker knew the SSID or Wi-Fi name of your phone they could use programs to trick your connected devices to connect to their access point instead of your phone.  This is called SSID spoofing. 
    Instead, connect to your phone’s hotspot using a USB cord, which insures that the data transmits from phone to the cable to the carrier’s network and as a bonus, it will also charge your phone.
  • Maintain Separate Work and Personal Phones & Emails:  Don’t mix your work and personal lives when you’re running a campaign.  Make sure you’re running your campaign from a different cell phone and email address than you use with your friends and family. Also, don’t route any candidate email through your personal phone and don’t ever reply to campaign-related email from your personal phone. In practice, that means campaign business only goes on your campaign phone. That way, you can remotely wipe everything if the campaign phone goes missing or gets stolen. 

Pick an Email Provider that Includes TLS Encryption

Hosted email services offering TLS encryption provide an additional layer of security. There’s simply no upside in using your own Exchange server. Google has a solid security track record when it comes to Gmail. Also, they offer the necessary certificates and support 2FA.  Lastly, their security is up to date and you don’t need to invest extra resources to manage a server.

Speaking of spinning up your own system, you may find a lot of supporters with tech chops who are eager to help out your candidate. "Hey, look, I know a lot about computers. I'll set you up an email server and a website. We're gonna host all the stuff for you." My advice? Smile, thank them for the offer and politely decline. Stick with the big, experienced hosted providers who know how to do this. While you may argue that the big providers are not perfect, my experience is that it is better to have a provider with a proven track record and a security operations team managing your communications and not your staff or friend from college. If the event that your site gets breached, they’ll know what to do.

Election Hacking: What Can We Do About It?

Encrypt Your Messages

When it comes to campaign strategy, don’t take any chances. Encrypt as much as you can - comms, texts, voice - and do it end-to-end. It doesn’t cost a lot of money and you can find many affordable alternatives including SafeLite Whisper, Signal and PrivateWave. The latter includes the ZTP protocol created by PGP creator Phil Zimmerman and prevents anyone from listening in on your voice communications.

All of the tips included here are easy to implement into practice. The payoff? You get communication security for your folks, along with messaging security that defends against prying eyes. Best of all, it will mean your campaign team has one less distraction preventing them from dealing with more important matters.

You might also enjoy
Election Security5 Min Read

Why Good Campaign Security Must Start with Secure Social Media

Candidates have discovered social media as a great way to reach voters. It’s also a great way for malicious hackers to wreak havoc

You might also enjoy
Election Security2 Min Read

Elections Security: It’s Not all Doom and Gloom

Advanced technologies can flag phony websites, offering practical help that state and election officials can leverage to improve their security

About the Author

Brian Varner

Special Projects Researcher, Cyber Security Services

Brian Varner is a researcher on the Cyber Security Services team, leading the CyberWar Games and emerging technologies development team. Prior to Symantec, he worked at the National Security Agency as a tactical analyst.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.