Hacking of Trump Campaign Reminder of 2016

The hacking of Trump campaign emails and attempted hacks of Harris campaign staff emails highlights the challenges facing IT professionals responsible for campaign cyber security. Eight years ago, John Podesta, Hillary Clinton's campaign chairman, was duped into entering his Gmail password into a malicious webpage. This mistake led to the eventual release of over 20,000 emails via WikiLeaks and may have contributed to the campaign's declining support leading into the 2016 election.

Details of the Trump campaign hack are still emerging but many speculate a successful spear-fishing attack that led to a cascading series of "trusted" email communications, further spreading the compromise.

Eight years removed from the Podesta incident, safeguards have improved, MFA has become a standard, user education has increased, password reuse has declined - so how are campaigns still exposed? The answer is rooted in the characteristics of how campaigns are governed. Anyone who has worked on a campaign use key words to describe the experience: fast-paced, urgent, decentralized, chaotic, etc. And as campaigns press forward towards election day, the pace becomes more frenetic...in summary, mistakes will be made.

If parts of your operations resemble a campaign, it is critical to identify where pressures exist that challenge seemingly effective security controls. Is there an area where exceptions are made frequently because urgent requests are the norm? Are users routinely working extended hours around projects or other stressful timelines? Are less formal channels of communication such as Slack, Teams or texting used to bypass controls when urgency is needed?

A closer look may reveal vulnerabilities that require improved controls that are effective, but still meet the user requirements for urgency.