Political Email Hacks

It seems that the hacking of public figures and politician’s email accounts has become a mainstay of election season. It happened to Hillary Clinton’s campaign manager John Podesta in 2016, and to the now French President Macron before his win in May.

And now, new warnings from security experts are alerting British officials to the danger that they too could be hacked in the run-up to the general election in the UK. James Norton, a former official at the US Department of Homeland Security and head of the security consultancy Play-Action Strategies, was quoted in The Guardian giving a stern warning to the major parties in the UK: “It wouldn’t surprise me if there’s already been some emails stolen … it would surprise me if it didn’t happen. Campaigns are a treasure trove, especially newer campaigns where you’re trying to understand the dynamics … I would think they would be targets, if they’re not already, in terms of trying to understand what their politics would be.”

While there is no doubt the political climate has become more divisive—which gives ill-intended actors more incentive to hack and leak—many people don’t understand why major political parties have not got better at protecting themselves. One of the main reasons is that parties before they are elected into power tend to not have access to the same intel and protections as when they are actually in office. As another expert in The Guardian explained, “Governments are well secured, political parties not so much. And then a campaign expands from a core party into a much more ad hoc organisations. That’s where you see people using resources, cloud services, with email, that they really wouldn’t use in a more permanent organisation. That really opens up the surface for an attack.”

So what can political parties do to make themselves less vulnerable to the kinds of attacks that can sway elections? Often, it’s not as sophisticated as you might think. John Podesta’s emails reportedly got hacked via a bogus password reset request, which one of his aids clicked on in error. In practice, there are two major areas to address when it comes to preventing a hack: education around email vigilance and moving away from centralisation.

Email is a favourite of hackers, as email content “offers an inside look at strategies, motivations and personalities.” Here, the protective measures aren’t too different from what an individual would do, but they do require constant vigilance and an adequate understanding of the risks that email carry. This can be quite tough, as email is such a quotidian and vital part of any campaign, so it can be hard to think of it as high risk. However, a major precaution is enabling multi-factor authentication, specifically via hardware keys, so a hacker can’t get in unless they physically obtain a piece of hardware in your possession. The other is to educate everyone in a political campaign to err on the side of extreme scepticism when clicking on password reset links. Institute a policy of “don’t click without asking” when any such request comes through. Getting everyone to understand that it’s their responsibility to prevent a hack is key.

The next area of concern is fragmentation versus centralisation. Having large, centralised databases of campaign data or contacts on the cloud is very dangerous, as it grants hackers access to everything if they manage to find one weakness. Instead, fragment your data so that a single attack can’t grant wide-ranging access. In addition, being very careful about cloud storage in general is vital, and only granting wide access to low-risk files is a good idea.