How one cybersecurity nonprofit is working to keep elections secure
The race to secure political campaigns from hackers is about to pick up steam ahead of the upcoming midterm elections and the 2024 race for the White House.
Defending Digital Campaigns, which was granted permission by the Federal Election Commission in late 2019 to provide campaigns with free digital help, has been working with eligible candidates during the heated primary season.
The non-profit, which grew from Harvard’s Defending Digital Democracy Project, acts as a go-between for cybersecurity firms and tech giants like Google and campaigns that are often so laser-focused on winning that security is an afterthought.
“I like to say that we’re small but mighty,” Michael Kaiser, DDC president and CEO, joked about the organization's four employees during a virtual interview last week.
The Record spoke with Kaiser, who previously served as the executive director of the National Cyber Security Alliance, about the primaries, the road to Election Day and why he’s already planning for 2024. The interview has been edited for length and clarity.
The Record: Could you describe some of the DDC’s efforts to date?
Michael Kaiser: We do direct one-on-ones with campaigns. A campaign comes to us — they’re eligible, they need things — we hop on the phone with them
We ask them questions like, “Hey, what are you doing now? What have you done? What are your concerns about cybersecurity?” We try to match up the tools that we have with the things they need.
We focus on the basics like security keys, password managers, protecting their websites with Cloudflare and then other things that they can do, like creating a culture of cybersecurity within their organization, using encrypted communications for sensitive transfer of data or sensitive conversations. We try to give them a simple structure for getting their campaign more secure.
This cycle, we've been doing trainings since last January on cybersecurity essentials for campaigns and political organizations. Those are open to anyone — you don't have to be an eligible DDC entity in order to participate. We train all up and down the ballot political organizations of all stripes.
TR: How has the ’22 cycle compared to the ’20 cycle? Are you seeing any differences between the midterms and a presidential election?
MK: When I came into this space starting late 2019, I thought everyone would be like, “No one cares about cybersecurity.” I've found that's not true, actually.
This cycle we’re getting even more openness. There’s an increasing awareness of a need for this. I don’t have any quantitative data, it’s only qualitative but I see very little resistance to the issue. There’s always friction around actually getting it done. But no one's saying, “We're not at risk.”
TR: Generally speaking, are campaigns today smarter about cybersecurity than in the past?
MK: I look at this as a sector. And, like every sector, it has its idiosyncrasies and its own uniqueness.
What I see is a burgeoning interest in this burgeoning understanding that it's something that you need to do. I think we'll see over time more and more people understanding that cybersecurity is kind of a core activity of a campaign just the way compliance is a core activity of a campaign.
My dream — and maybe I'm an idealistic fool — is that when campaigns are getting set up, people will be saying, “What are we doing to make sure that our domain is secure from the start?” That's the long term goal. Then people just build it in. That's what other sectors have done.
But it didn't start that way. Trust me.
TR: We are roughly 60 days from Election Day. What will the DDC do before voters go to the polls? How does the work change?
MK: The difference between primary and post primary is the focus on established candidates, incumbents, the core campaigns of every party and trying to reach as many of those as possible. We've done pretty well on that.
Now we're doing deeper outreach. We are doing things like talking to the state parties and saying, “Can you help us reach your federal candidates?” We're working with organizations that endorse candidates. We go to them and say, “Can you help us reach your candidates right now that they're in the general election?”
"My dream — and maybe I'm an idealistic fool — is that when campaigns are getting set up, people will be saying, 'What are we doing to make sure that our domain is secure from the start?'"
— Michael Kaiser, president and CEO of Defending Digital Campaigns
We push much harder now to reach as far down into the ecosystem as we can.
TR: Turning to 2024, have you begun to think about how to help defend that? The White House campaign season will kick off the day after the midterms end.
MK: I think it's maybe already started.
We want to be there earlier. We became operational right after Labor Day in 2019; we didn't even really get all our corporate partners onboard until January. We were late to the game.
We want to work really quickly with presidential campaigns as they start to form. We want to be able to offer our services from day one, if we can, or at least day five.
There will be targeting of these campaigns. It could potentially be a very big field. We want to make sure that we're ready to serve all of those folks, should they want it.
TR: How do you plan to do that? Do you plan to staff up? Are you hoping to make more partnerships? What does it look like?
MK: Maybe we'll have some announcements down the road.
Presidential campaigns grow very quickly and we want to be able to work with them and scale with them as time goes on.
You saw Joe Biden's campaign go from, I don't know how many people that were in South Carolina, to we're gonna hire 2,000 people in the next three weeks. That's faster than any Silicon Valley startup. That's faster than anything.
We want to be able to serve that as that happens. That involves making relationships early; making sure that they understand who we are and what we do and what we can provide; making sure that we are lining up some vendors that can serve that space that is slightly different than the smaller space that we've been serving; and making sure that we're working with all the important folks in the space.
We work with the national committees. They're aware of us, they know what we can provide, they can send people to us. They may say, “We recommend you get keys for everybody. Go to DDC and get keys. Get your website protected with Cloudflare.” Or send people to our training.
One of the trainings we do is what we call “cyber tune up” which is where Betty, our onboarding specialist, does a training and she just shows people a half-hour of demos, like here's how you turn on a security key in Facebook.
A lot of cybersecurity is finger wagging. We want to give people a structure and tell them what to do. That's important. But we also want to show them how to actually do it and help them do it. So we do that and we have our knowledge base, which has a lot of “how to” sections in it.
So we want to do some of that and be helpful. And then we want to be flexible. I believe that going into 2024 — I haven't had any conversations with any of the parties about this yet; they're kind of focused on this November right now — is asking, what is it that you see out there that you want around these organizations to make them more secure?
Because that's part of our job is to try and go out and get this stuff and let's say we'd go get someone to donate it.
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.