🌐 Cloudflare Partnership with Defending Digital Campaigns
Presented by: Jocelyn Woolbright, Michael Kaiser
Originally aired on January 17, 2022 @ 11:30 PM - 12:00 AM EST
Protecting political campaigns, the heart of democratic political system, is a critical cybersecurity priority. In this Cloudflare TV segment, Jocelyn Woolbright, Program Manager at Cloudflare, interviews Michael Kaiser, President and CEO of Defending Digital Campaigns as they discuss the challenges political campaigns face online, ongoing efforts of DDC to provide resources to these groups, and expanding these protections to state parties in the United States.
Read the blog post:
Visit the Impact Week Hub for every announcement and CFTV episode — check back all week for more!
English
Impact Week
Transcript (Beta)
Great. Hi, everybody. My name is Jocelyn. I am a program manager on Cloudflare's public policy team, and I'm really excited to have Michael Kaiser here, the president and CEO of Defending Digital Campaigns, and we're going to discuss all things political campaigns, so challenges they face online, the ongoing efforts of DDC to provide resources to these groups, and also kind of expanding this toolkit to state parties in the United States.
I kind of want to preface this with kind of some background of Cloudflare and how we kind of got into this space, because DDC has been such an essential partner in providing services to political campaigns.
So in January 2020, we announced our partnership with Defending Digital Campaigns to provide a suite of cybersecurity products to eligible federal campaigns.
So we reported a lot before on the regulatory challenges of providing free or discounted services to political campaigns in the past, and we'll definitely dive in a little bit deeper of what those campaign finance regulations are in the U.S.
and how it was a difficult environment to go to, but that's why we partnered with DDC, who has been a really, really awesome organization, and specifically granted permission by the Federal Elections Commission to provide these services to federal campaigns.
So, Michael, I'm super happy to have you on Cloudflare TV.
Do you mind doing an introduction of yourself and a little bit of a background?
Sure. Well, first of all, Jocelyn, thank you so much for having us in.
We really appreciate the opportunity to have this discussion and talk about all the great work that we've done together and the great work to come.
Yeah, so I've been in cybersecurity since 2008.
That's a long time in cybersecurity. Back when I started as the Executive Director of the National Cybersecurity Alliance, I'm not sure that word, even cybersecurity, was well known outside of the beltway.
When I became the Executive Director of NCSA, I wasn't sure I even knew what that word meant.
So that's how early on it was. But my background before that had been a lot of work with crime victims and victim services and victims' rights, which involved a lot of outreach and a lot of educational awareness, which this job does as well, and my NCSA job did as well.
And it really involved a lot of sort of getting to people and helping them understand more about the world around them and how that was impacting them and how things could change, and a lot of efforts to reach more broadly, and also a lot of efforts around safety and security.
At NCSA, we were the folks, they still are when I was there, but the folks behind National Cybersecurity Awareness Month, which was really a broad-based effort now, international, to encourage people to use this technology more safely and securely.
And I came into DDC after that experience at NCSA with a real opportunity here to focus in on one sector.
Over there, when at NCSA, it was the whole world, right? Everybody has to be safe.
We used to call the 600 million eyeball problem in the United States, right?
That's how we defined it. But here, it's very focused in this very important, critical sector that's really pivotal to our whole society, and so that's been really exciting to be here.
Yeah, it's interesting because political campaigns are kind of the first line of defense in the election security conversations, but oftentimes they're the ones that don't have access to the types of resources that they need to be able to protect themselves online.
So, do you mind giving a little bit of a description of defending digital campaigns?
How large is the organization? What types of partners do you have? And how do you provide these types of cybersecurity protections to political campaigns?
Sure. So, DDC has only been around since the fall of 2019 operationally.
I know we're going to talk about the FECAO, I think, a little bit later, but that was a pivotal piece that got us going.
DDC, we're a small but mighty organization.
That's how I like to think of us. We're four, maybe soon to be five, six people, right?
The kinds of things that we do are, we provide through DDC and through the process that we have with the FEC, direct assistance in cybersecurity products and services to federal campaigns.
And federal campaigns are really, we define those as obviously House races, Senate races, presidential races are all federal campaigns.
I think what most people think of, but this also includes the campaign, I'm sorry, the committees, right?
And the committees are what people more generically refer to as folks like the Republican National Committee, right?
Or the Democratic Congressional Campaign Committee, the DCCC, or the DNC, or the DSCC, or the NRCC, right?
These are all committees that are eligible for services from DDC.
And now state parties, which I'll know we'll talk about a little bit in a little bit.
And the services that we provide are really around fundamentals in cybersecurity, especially for the campaign space, right?
Really around securing logins, right? Using security keys, those kinds of things, really hardening that part of it.
Really getting people to use things like encrypted communications, making sure that they're using channels that are appropriate for the kinds of information that they're sharing.
Using password managers when a security key is not usable in that space.
And of course, websites.
You know, we see websites as really an incredibly critical part of campaign, you know, intellectual property, for lack of a better word, in some regards, right?
It is the public facing part of the campaign, right? It's where the, you know, the candidate has their bio and where money gets raised and where they communicate with the community and all those kinds of things.
It's an incredibly valuable and important resource.
And that makes it both important to protect, but it makes it a target as well, right?
And so getting campaigns to protect their website, including all these other things, is really very critical to what we talk about when we talk to campaigns.
And preparedness for when it comes to election.
It's interesting on the website side, because for a campaign, it's where they accept donations.
It's where they put information about their policies that they're advocating for, and they do so much outreach through their website.
But it's a really, it's a really, you know, it's a great place for a hacker to be able to go in and change or deface the website.
I think probably the most, I think we can all agree, the most important part of elections is trust.
And it's so easy to lose that trust.
So if you're, you know, trying to figure out who you're going to vote for, and saying that that website has been defaced with information, you lose a little bit of trust in that system.
So it's always a really important on the website side, but also like so many other internal types of tools.
So making sure political campaigns are using encryption and when they're messaging with each other, but there's so much more in terms of what technology campaigns use and what needs to be secure, which is always a very difficult attack, a difficult kind of item to address.
Well, yeah, you know, I think you're hitting on a really interesting point here.
I think, you know, campaigns are highly technology dependent, right? They're highly data driven, right?
And they use a lot of technology. And yet they're very small, most of them, right?
And they don't have the kinds of resources to apply to tech, you know, to cybersecurity.
And I think you're absolutely right about the websites.
I mean, I think you think about the website, it's, you know, if it gets defaced, that's going to be a news article, right?
In your local jurisdiction, wherever you're running or, you know, in your state or in your county or, you know, your congressional district, it's going to hit the news, right?
Pretty hard, where other things may be a little softer. And it's also in on the trust factor, right?
If your community resident, you go to the website of a candidate you're looking to learn about or, and you can't get in because there's a DDoS attack going on, that could, it might change your opinion about that candidate.
Yeah, yeah, exactly. And it's interesting that I think there's like so many different degrees of preparedness and resources and sophistication, but it's like very daunting when it comes to campaigns, because you have presidential, you have senate, you have house campaigns, and like some of them are even like working out of their like kitchens or like their living rooms or something.
So thinking about the evolution of defending digital campaigns, like why did it take an FEC ruling to set up, you know, this organization, set up these types of resources and kind of what motivated you all to get to get this started?
Yeah, well, so the short answer is campaign finance law, right? But let's back up from there a little bit and think about how this all came about.
You know, after 2016, which we all know there was some, you know, pretty serious, you know, cybersecurity issues following that, you know, in that presidential race, a bunch of folks got together at Harvard at the Belfer Center, and that they did some work around some of these issues on both election security and campaign security.
And you made a really good difference between those two.
They really are very different.
Sometimes they get combined in people's minds, but campaigns are very different than the election infrastructure.
And they wrote some playbooks, we're not affiliated with Harvard, but they wrote some playbooks around cybersecurity campaign, cybersecurity for election officials.
And coming out of that, there were some folks involved with that, like Robbie Mook, who had been Hillary's campaign manager, and Matt Rhodes had been Mitt Romney's campaign manager, some former federal officials.
And but really, the campaign folks are like, well, this is great.
You know, we're telling people, go get products, you know, secure yourself, great message, right?
Everybody should do this. But they, the campaign people are like, yeah, people aren't going to pay for this stuff, right?
They're just not. And it's some of it's, you know, not cheap. And so they're not going to pay for it.
We know they have to have it, they have to be protected, because they're so essential to our democracy.
So they went in a bipartisan way.
And that's really critical to DDC and who we are. We are bipartisan or nonpartisan, we are non aligned, right?
We are for everyone, we are protecting this really critical part of the democracy, who went to the FEC and basically said, Look, this is a crisis, right?
And look what's happening. You know, we need to have a method for getting these products into campaigns hands.
And the FEC agreed, took a long time to get that opinion.
But they basically said that DDC could be stayed up and DDC could be the intermediary between the campaigns and the companies, right, who want to donate.
And when those donations are made through DDC, the campaigns do not have to count them as in kind contributions.
And that is the critical sort of, you know, finance piece, right?
Because otherwise, there are limits to how much a company could contribute to a campaign.
And in some cases, companies may not be willing to at all because of the politics of it.
So it comes through us, right?
We don't say what campaign took what we aggregate the value of those donations on our website.
And that's the process, right? So we see partners like Cloudflare.
And then we also work with the campaigns to try to get them to implement it.
I think probably I think you can agree like transparency is so important when you're working in a space that is can be very just daunting at times and dealing with many different types of actors.
It's always good to go about it in a transparent way.
And DDC and the FSC have really done a great job. You all have done a great job about providing these types of tools to any camp any federal campaign that is eligible for these these tools.
I'm curious as to what you think the the greatest risk to cook political campaigns are and what do you think campaigns should really be worrying about?
Yeah, I mean, I come from a world where I don't believe a lot in fear, uncertainty and doubt, right?
And I think, you know, we don't I want campaigns to focus on not everything that could happen, which is how a lot of cybersecurity gets sold, right?
You know, this can be hacked, there's a vulnerability here, watch out for your baby monitor over there, right?
There's a lot of what we call that haze of threat, and that fear, uncertainty and doubt.
So we try to get them focused on the things that we think are really the biggest risks to them.
And I think they really fall into a couple of areas. One is, which we all face as computer users, credential, threat, theft, or, you know, hacking of credentials, right, getting into an account in or associated or around the campaign, right, where you could do damage, do damage to that campaign, do damage up, you know, into the political space or down wherever that account is.
And that is really, I think, one of the top risks, right?
I think the other piece is, you know, you can call it the exfiltration of data, that's certainly if account gets hacked, but it's, it's the escape of sensitive information, right?
It's, you know, something that just gets out that's not supposed to, a sensitive communication, internal polling document, something where it's really kind of like core to the campaign, but it belongs in the campaign, it doesn't belong out there.
And that can be escaped, that can get out in a lot of different ways, either through a hack or by mistake, or by using something like, you know, a regular email and forwarding it, you know, to someone outside of the organization, and then it gets moved on.
And then, of course, I think really the website, I mean, I think the website is one of the biggest risks.
I mean, I think, again, for some of the things we've talked about the external exposure, you know, the trust that people engender when they go visit a website, and learn about a candidate, where they, where there may be information that the candidate is giving to the community about, you know, what time the polls are open, or where the polling locations actually are, or, you know, if you need a ride to the polls, you know, all the kinds of stuff that, you know, are really important to people getting out and voting.
So protecting that is really important. And those are the things we focus on the risks.
I think, you know, if you want to look at it and flip it and look at from the more cybersecurity traditional point of view, would be like, who's coming after you?
Right? Like, who comes after a campaign, right? So obviously, we have nation states who don't like what America does or like to disrupt us.
We have cyber criminals who want to steal and monetize the data, right, ransomware, you know, put ransomware in a campaign, it could be to hurt the campaign, it could be just try to make money, right?
Like, you know, that's what they're up to.
I think campaigns face a couple specific risks that are beyond that, though.
And one is activism, right? Because you're in a campaign, because you're promoting a point of view, because you're promoting a policy, perhaps you've made choices in the past, which people disagree with, you could be more of a target from people who aren't necessarily cyber criminals, or aligned in a state operation, right?
They could be just aligned around a common purpose or an idea.
And then I think we just have to say this, quite frankly, to anybody who works in this space, if you work in a campaign, if you work in an organization in the political space, you are at higher risk as a person, because individuals are often the gateway.
And if I can get into a campaign by getting into your personal email, that I can get in, then I can own your campaign email as well.
Yeah, it's like the human part of cybersecurity.
I always, whenever I was in school, a lot of people said, like, cybersecurity is basically kind of like a psychology, you know, field, because it's like, the people are the ones that using the technology, and we are typically the ones that are at fault if there's some type of hack.
But it's also like, knowing about the tools that are available to you, and also how to use those tools in a safe and reliable way, is really important.
I'm actually curious, in so you talk about the threats, and definitely, I think people are tired of talking about COVID.
But like, specifically, like the political organizing space, like COVID, I think is probably one of the most, like specifically to campaigns is probably what hit them the most.
Because, you know, typically campaigns, you go door to door to try and get your policies out or go to get people to vote.
But also you do town halls. So like, what did that look like in the cybersecurity political campaign space, whenever people had to go working remotely from home, and like, you know, the statewide, the statewide shutdowns?
Yeah, I mean, I, you know, I mean, COVID couldn't have come at a worse time for everyone.
But it certainly came at a bad time for campaigns. You know, if you think about, you know, February of 2020, and everybody gearing up for the, you know, for the election, right, that's when actually, I mean, presidential campaigns were also obviously already well underway, right at that time, and they start much earlier, but you know, Senate campaigns a little bit earlier, but House races are really gearing up.
And I'll tell you, just, you know, I talked to more than one campaign manager, who hadn't even been to the state where their candidate was, right, they've been hired to be the campaign manager, but they haven't left yet, because everything was closed.
Right. So I mean, that that's, you know, you know, so I think people think of a campaign, especially like a house race or something, you know, as being in a storefront in the community, you know, people in there coming in and out all day long.
And I think that has a real impact, right, on the way these campaigns, so they had to do the work from home thing that everyone does.
And that we all know that that changes some of the risk factor. I think they all did move to things like zoom, and other kinds of video conferencing, we saw some issues with that, you know, people coming in, you know, people being hacked, right?
How do you create an open community environment, you know, online, when there are people out there who aren't, you know, physically in the audience, like they might normally be sure and then, you know, campaigns get protesters all the time sitting in the audience and yelling out something, but it's kind of our organized chaos of democracy, right?
It's not a cyber threat in the way.
So I think we should do see that. And I think you raised some really interesting points that are even not COVID relations, always, campaigns are very diffuse, right?
They don't happen in one place, right? They move around a lot, people are knocking on doors, data is moving between mobile devices to headquarters, things getting updated, people are volunteers, 99% is bring your own device.
These are all different complex attack surfaces that have to be addressed.
Yeah, definitely. And thinking about the different threats that need to be addressed, I want to talk about the state party expansion, and some of the trainings that you are doing for state parties.
So do you mind kind of elaborating on how you started getting into the space and kind of what you're most excited for in the state party aspect of that?
Yeah, so just a little framing here, you know, when you think about, let's just say, the House of Representatives, the 2022 midterms, right?
There'll be 435 seats. I think that's the right number.
If you think about how many campaigns that represents, it's quite a few, right?
Because there's going to be at least two, probably in most and some three.
And there'll be primaries where there'll be multiple candidates before there's even the candidates.
So you always think there's somewhere north, certainly well north of 1000 campaigns that would be eligible for DDC, right?
And my goal is to reach as many of those campaigns as possible.
And to do that, not every campaign, I think people think, you know, traditionally, oh, you know, the national party, well, they just know everybody who's running, and they're connected to all these campaigns.
It just doesn't work that way, right? Not every campaign is connected to their national party.
They're just not, right? They're not always, you know, look, there'll be, I think, maybe 40 campaigns next cycle that are where the balance of power will be for the House, right?
About 14 in the Senate, that's where a lot of the national energy is going to go into that.
And there'll be a lot of races out there.
And so state parties, though, are connected, because these are, you know, the House races in your state are the House races in your state, the party has a relationship to those are supporting those.
And we really look at working with state parties as a way of expanding our reach further down into the ecosystem, right?
I'm trying to reach as many campaigns as possible. And some of those campaigns that we want to reach are the campaigns that are not as well funded, right?
They're just, you know, they're smaller, they're even smaller, fewer people, you know, there are some very brave people who are running in districts, where they know they're not going to win, right, where the other side is always one.
And they need our help just as much as anybody else, right? We're not about picking winners or losers.
We're about protecting the whole thing. So that's one of our motivations.
The other motivation is that state parties themselves are eligible for us under the FEC advisory opinion, to the degree that they focus on their, you know, kind of core overhead work, and that when and the parts that they do to support federal campaigns that are already eligible.
And we think that they're vulnerable to and that they should be protected.
And they should be putting in some of these basics, and they should be getting the help they need.
So we're really excited about that, working with them. The training is actually more broad, it's open to more people.
So if anybody's listening now, who's, you know, in the political space in any way, shape, or form on a campaign, want to be on a campaign, going to be a candidate, work at an organization that's political based, it's really around teaching about risk, teaching about risk management, which is kind of a core cybersecurity, which often does not get addressed very well in a lot of cybersecurity trainings, teaching about some of the basics, like we've already been talking about some of these really core things and how to do them.
And then also thinking about how to structure a little bit, just your whole operation.
So we focus on like, getting the most out of what you have kind of thing, right?
Like, you're running workspace, you're running office, here's a few things that you could change, we could make your whole enterprise more secure, you know, just by setting stuff up correctly, which there's not a lot of expertise out in the field at that level.
Yeah, especially for campaigns, like I said, like a lot of campaigns might have only a couple of staff, like they're working out of their kitchen or something, like being able to provide the tools, but also like the knowledge base to like, if they're not very technical, like you can provide that expertise, and also assist them in terms of making sure that they're not opening themselves up to more risk if they're using a specific tool and like best practices when it comes from those tools.
But I'm curious, since you've been in this space for, you know, a period, a long period of time, what do you think the changes are that kind of the differences that you've seen from the 2016 election to the 2020 election in terms of cybersecurity preparedness or not preparedness?
Yeah, you know, I really didn't come into the space a little bit later, but I can tell you, I've been in cybersecurity for a long time.
And what I've seen, and I think this space is a relatively similar example, is that sectors come into cybersecurity, right?
Retail did not come into cybersecurity until the Target breach, right?
There was, it was diffuse, there was not a lot of centralized information sharing.
These were fierce competitors, right?
Like, you know, Target versus Mason, you know, like, and the margins were thin, there was not a lot of cooperation, but Target got hacked.
And I think everybody saw, whoa, like, that shouldn't happen to any of us, right?
And I think that's true in cybersecurity, you've seen it in retail, sort of the finance has been around, you know, been doing it forever.
But you know, retail, look at hospitals, like in the last four or five years, again, this evolution into cybersecurity, not just for an individual hospital, but for the entire sector, right?
And I think that's where the political sector is, it's in the early stages of defining itself as a sector around cybersecurity.
You know, we're not going to have in the political sector because of, because it's politics, right?
We're not going to have the cohesion that we, you have in other sectors where they really collaborate with competitors around security, right?
That, you know, coopetition is someone I used to work with, used to call it, which I think is the exact right phrase, right?
We compete like crazy in the marketplace, but on security, we collaborate because harm to one is harm to all, right?
You heard the platform, we're all in danger, right?
You know, people don't trust the Internet, then it doesn't matter if you're selling something different than me or at a better price, right?
So I think, you know, I see the political sector as evolving into cybersecurity.
Now, it's harder than some of these other sectors. We've talked a little bit about that if you want, but I think it's starting to happen.
There's starting to be leadership from the top down on the issues.
There are now an organization like BDC out there who can help you, right?
There's discussions around things like, you know, information sharing, some of these core sector-wide activities that other sectors have used to mature into this space.
So I think, you know, the political space is more difficult in some ways, but it's moving in the right direction.
But it's always going to be harder because of all the things you've already said, because of the decentralized nature of campaigns, the size of campaigns, and that, you know, the resource, one of the biggest factors is how long campaigns last, right?
I mean, you know, even if you win, you're gone in November, right?
So who, you know, whereas most cybersecurity is built based on like, okay, we're a hospital, we're going to be here for the next 50 years.
So like, what do we do?
Like, what's our trajectory? You know, it's like, our trajectory is, you know, work like crazy, win the election, and then go away.
So there's not a lot of long-term thinking, right?
Which is required in some parts of cybersecurity. Yeah, I think we've chatted about this before.
But like, even if you don't, like, let's say your political campaign lost in the previous election, like, it's still really important that you make sure that your domain registrar is up to date, and that, you know, it doesn't, you don't miss a payment, and it lasts, and then somebody on the Internet can then buy your domain and be posting different types of things, even if you might be thinking about running again.
And it's really important to, like, think about even if, like, after the campaign, if you win or you lose, there's still risks associated with that.
And you know, if you still have sensitive information, like, it's really important that you have that secure.
So it's good that you that you bring that up.
We have about three minutes left. So probably my last question is, I'm curious how you're preparing for the 2022 election, what you're most excited about, you kind of approach this big election year in the United States?
Yeah, I think, you know, we're gearing up, we're adding a couple of people, we're reaching out, we're trying to create these new relationships, so that we can really hit the ground running and trying to get camp.
And one of our lessons learned from, you know, 2020 was to get to campaigns as early as possible.
And we were kind of a late start.
So we want to get to campaigns, you know, when they're starting up getting them to adopt security early, even if it's just getting, you know, their website protected now, and you know, the only two people on staff getting them security keys and getting them, you know, signed into the strongest authentication, we can start there, then we can add people as they come along, you know, it's harder to retrofit, right?
When the when it's gotten tough, I'm very excited about 2022.
I think there will be a big emphasis on cybersecurity, I think we'll see a lot more uptake, we gave away over a million dollars worth of product in 2020.
I think we can definitely do more than that. Going forward, we serve more than 180 campaigns, I'd like to see that, you know, maybe close to double if we can do it, at least.
So I'm very excited and hopeful that the message is getting out there with the help of folks like Cloudflare.
And you all like what you all do, like, really helps us, you're out there helping people understand the value, not just DGC, but the value of protecting these important assets in a way that are critical to our democracy.
Yeah, and I think like the the portion of that is like, I think it's a really good model to, you know, you have a campaign, and like being able to identify like, oh, yeah, like they can definitely use security keys, because they might they need them.
But also, they might not be able to scale all the way up into using these really complex cybersecurity types of tools.
So it's try like figuring out the best like what fits for this campaign.
And like, I feel like that I think we can both agree like that is a very difficult, you know, it's a difficult job to do.
But like it's organizations like DDC, and so many others in the Belfort Center that are providing, you know, the documentation for all of it.
So really, really appreciate it.
Yeah, I just say quickly on that, that, you know, campaigns, any organization can only take on cybersecurity that they can manage.
And that's something we're talking a lot about in the training, right?
You can't just layer, layer, layer on stuff that you can't manage, you got to do stuff, but you have to be able to manage it.
And that's really where we try to focus, let's get these simple basics in place.
Let's get you better than you were before. And some of these things really, really help, right, protecting your website with like Cloudflare, turning on a security key and advanced protection with Google, these things actually work and provide great, great protection.
And that's, let's do that.
And then we'll be better off than we were yesterday. Yeah, definitely. Well, great, Michael, thank you so much for joining.
And definitely, everybody check out the DDC, the Defending Digital Campaigns Knowledge Base, which has a ton of great information and a lot of tools.
So thanks, Michael, for joining, and I hope you have a great day.
Yeah, thank you.