Cybersecurity – Everyone Needs It
An interview with Michael Kaiser of Defending Digital Campaigns
If there is one thing we’ve all learned over the years, and brought back into sharp focus recently – thank you Signalgate 1, followed promptly by Signalgate 2 – it is that everyone needs to care about the basics of cybersecurity. No one gets a pass on how information is set up, how it’s shared, where it’s vulnerable. Not governments, agencies, campaigns, public officials, electeds, and frankly, not individuals.
That means you – possibly especially you – even if you’re a campaign of exactly one person in a very small town in a very downballot race.
But where to start?
That’s the question we asked Michael Kaiser of Defending Digital Campaigns, in an informative interview, about cybersecurity best practices, and more.
This interview has been edited for clarity.
NDTC: What is your biggest advice on cybersecurity for someone running for office – especially if they’re a small operation where it might frankly just be the candidate?
MK: The truth is, you can implement solid security measures without spending a dime or consuming too much of your precious time. Take advantage of all the free stuff that's already built into the platforms you're using. The biggest thing we tell people and emphasize is to set up two-factor authentication (2FA) everywhere and enroll in Google’s Advanced Protection Program or Microsoft’s AccountGuard, which was specifically designed for high risk users like political campaigns.
For your website, preventing DDoS attacks is critical. DDoS attacks are those nasty attempts to crash your website by flooding it with traffic.
Cloudflare offers free protection for any website that's incredibly easy to set up. Google also has Project Shield, a free service specifically created to protect high risk campaigns, organizations, and advocacy groups. from DDoS attacks.
NDTC: What’s the biggest threat out there that’s not talked about?
MK: The biggest threats to political campaigns start with account security breaches, which can compromise your entire operation. Website attacks, particularly DDOS attacks that flood your site with traffic to crash it, can take you offline at critical moments. Phishing remains a persistent danger, with increasingly sophisticated attempts to steal your credentials.
Also don't forget about straightforward cybercrime – American politics equals money at every level. This makes campaigns attractive targets for financial theft that aren’t necessarily politically motivated. And this risk increases dramatically when campaigns are frantically operating on shoestring budgets in the final stretch, making them vulnerable to scams like fake invoices that "need paid yesterday."
By the way, ransomware attacks that lock down your entire system aren't as common in campaigns, but it's worth noting that there's no reporting requirement for these incidents, so their actual frequency may be underreported.
NDTC: Okay, not gonna lie. After all this we can see a lot of people not wanting to run, or hesitating to throw their hat in the ring. What encouragement would you give them?
MK: Here's my encouragement: reframe cybersecurity in a positive way. If you want to run for office and utilize all the digital tools available, implementing basic security measures actually becomes an enabler, giving you greater peace of mind.
The way I look at it, when you have strong security in place, you can confidently send more emails and communicate more freely, which is essential for your campaign. It's very much like fundraising – look at security as a tool that enables your campaign rather than restricts it. Getting these practices established early helps you scale up smoothly as your campaign grows, setting a solid foundation from the start.
NDTC: Where do campaigns – even the well funded ones – misstep when it comes to cybersecurity?
MK: Well first, they assume it's too technical and think they'll need to hire an expert, which simply isn't true.
Second, some campaigns don't believe they're at risk, especially those in unopposed races – this is a dangerous misconception that leaves them vulnerable.
Campaigns often lack basic knowledge about security tools, frameworks and infrastructure requirements. While many understand concepts like two-factor authentication, they might not realize the importance of properly configuring email settings to prevent spoofing, where attackers send emails that appear to come from your campaign.
Really, every campaign should have core protections for email. Email protection comes in two flavors: DMARC – which is the email authorization standard that helps prevent spoofing or impersonation, and phishing protection that protects inboxes. Most programs, for example Google’s Gmail, screen out virtually all phishing emails. DMARC is critical if a campaign ever has, or at some point will send out more than 5K emails at any time. If you don’t have DMARC, that’s going to be a deliverability issue. DMARC and configuration of the services you use to send emails need to be properly configured.
NDTC: What’s the advice to those who don’t feel tech savvy?
MK: You don’t need to be tech savvy. Basic security is easy to implement. The biggest thing we tell folks is to secure not just their campaign account but their personal accounts, with the strongest multi-factor authentication available for every account.
Remember that email accounts are typically the first target for attackers – not because they want your emails specifically, but because they're after the treasure trove of documents and contacts stored there. All your friends, who are possibly your donors. All the attachments with details that go past you. And yes, all your emails to friends and family. Things that really shouldn’t be publicly available and that you don’t want publicly available.
Also, while large campaigns can scale up their security infrastructure, smaller operations face different challenges. People often access campaign systems from various locations and devices, creating multiple potential entry points. Again, the friends and family layer – where you might be checking your email at the family barbecue off a router that isn’t secure, so now your information is more vulnerable.
Interestingly, when you move to down-ballot races, most candidates aren't running for full-time positions and already understand security concepts from their primary careers, so the idea of implementing good security practices shouldn't feel completely foreign.
NDTC: Say more about things like Titan or Yubi keys.
MK: When it comes to securing campaign accounts, we strongly recommend using security keys like YubiKeys or Titan keys, or passkeys which are digital credentials. Passkeys are a newer form of authentication and are increasingly available. They represent the strongest form of authentication available.
Campaigns and journalists need to recognize that they're considered among the highest-risk users on the internet, making them prime targets for sophisticated attacks. Security keys and passkeys work by storing a piece of encrypted code that allows you to access your accounts without relying solely on passwords. Remember it’s not just the campaign. It’s the people around them. It’s the uncle who's raising money, the aunt providing strategic advice, even the teenage kids playing games on home devices. That's precisely why it's crucial to secure both personal and campaign accounts.
One other thing – many people rely on text message or email verification to receive a code for completing a login, but it's important to understand that these codes are not secure for authentication purposes.
NDTC: Any last words of advice?
MK: Everyone needs cybersecurity. Outside the political space competitors collaborate on cybersecurity because the internet is a shared platform and security risks to one is often a risk to all. Companies work together to share information about threats and distribute information to mitigate them.
There’s less sharing in the political space so campaigns and candidates must have leadership in cybersecurity. They need to understand that they are high risk technology users and that the people around them – family, friends, volunteers – are targets as well. Implementing the basic protections will go a very long way to providing protection.
NDTC: Why is that?
MK: It’s all about risk management and trying to prevent against things that are most likely to happen. It also means keeping your eyes and mind open. It might be hard to believe, if you’re on a town council for example, that a foreign actor might target your campaign for spying. However, if that country is thinking of building a factory in your town, they are going to be very interested in where you really stand on the issue. They may only be able to find out through private documents and communication. And locally people may be angry because of decisions you have made in the past.
Defending Digital Campaigns is a nonpartisan organization that offers a wide variety of resources on how to strengthen cybersecurity for campaigns, candidates, and campaign staff. This includes tools for eligible campaigns, training and knowledge base on how-tos tailored for the political space. Find out more about them at
Links to all of the free above mentioned tools can also be found here: https://defendcampaigns.org/free-tools-for-organizations.
Still have questions? Email DDC at info@defendcampaigns.org
Thank you for reading our latest Substack!
Connect with us everywhere!
Instagram: https://www.instagram.com/traindems/
Facebook: https://www.facebook.com/traindems/
Threads: https://www.threads.net/@traindems
Bluesky: https://bsky.app/profile/traindems.bsky.social
Linkedin: https://www.linkedin.com/company/traindems
Twitter: https://x.com/TrainDems