by x0ner 2593 days ago
Campaigns should be finding ways to work with professionals from the cybersecurity sector, not looking for ways to bolster defenses on their own. The adversaries these groups face far exceed the norm when it comes to industry standards; your security admin from off the street is going to be no match for a well-determined government. You need seasoned professionals who have background across active incident response, defensive efforts, intelligence and general best practices to even stand a chance.

People who match the description above don't need to be found as much as they need a point-of-contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither knows quite whom to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyone's, really) election process.

1 comments

That's a great way for campaigns to get lots of WAFs, intrusion detection systems, endpoint agents, and vulnerability scans. But what campaigns need is actionable advice that breaks phishing and attachment attacks. For that: they should use iPhones and, when they use their desktop computers, Yubikeys. You don't need professionals from the cybersecurity sector to make that happen (although I am one of those); you just need someone to buy a bunch of Yubikeys and spend 15 minutes with the campaign showing how to use them and telling them to be afraid of their desktop computers.
I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed; it's limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage, and many do not require much to put in place. You do need someone on staff though, constantly monitoring and enforcing best practices.
Campaigns :clap-emoji: never :clap-emoji: have :clap-emoji: this :clap-emoji: person :clap-emoji: on :clap-emoji: staff.

You really have to get a sense for how ragtag a political campaign is. Startups --- themselves pretty ragtag --- are raising funds and building for an imagined future in which they're big. They might engage professional IT and security (though many don't). Campaigns aren't like that; every single one of them will be "out of business" within a year and a half. They have minimal infrastructure and a mostly volunteer staff, and there are many hundreds of them every cycle.

At best, you might suggest that the upstream service providers for campaigns, like NGP VAN, should get better at security. The DNC, for instance, has an experienced CSO. But that CSO can't do all that much for individual campaigns.

Just to end this out, I do agree. I was not suggesting this resource be paid, but that they should have someone dedicated, even a volunteer.
> you just need someone to buy a bunch of Yubikeys

This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.

What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...

If you have any pointers to tutorials on how to do this, I'M ALL EARS. Seriously.

The purpose of a U2F key is to break phishing. You want users to use them as much as possible (on computers), but you do not depend on them being the only second factor.

So you can buy and enroll 2 keys, or just do what Google forces you to do: enroll an additional second factor, like a code generator.

I do not understand your revocation argument at all. When you let a staffer go, you lock their account. You do not care about their keys.
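The three points in the comment above (a U2F key breaks phishing because the credential is bound to the origin the browser reports, you enroll a second key so losing one is not a lockout, and revocation is done by locking the account rather than chasing keys) can be modelled in a few dozen lines. The following is an added example written for this page, not code from any commenter or from the U2F specification. It replaces the real authenticator's per-registration ECDSA key pair with a per-origin HMAC secret so it runs with the Python standard library alone; the origin names are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example origins (not real hosts): the campaign's login service
# and a look-alike domain a phishing page would be served from.
RP_ORIGIN = "login.campaign.example"
PHISH_ORIGIN = "login.campaign-example.test"


class SecurityKey:
    """Stand-in for a U2F security key.

    A real key keeps an ECDSA key pair per registration and signs with the
    private key; this model keeps a per-origin HMAC secret instead so the
    example needs no third-party library. The property demonstrated is the
    same: the credential is scoped to the origin seen at registration, and
    the browser (not the user) decides which origin is asking.
    """

    def __init__(self, label):
        self.label = label
        self._credentials = {}  # origin -> secret

    def register(self, origin):
        secret = secrets.token_bytes(32)
        self._credentials[origin] = secret
        return secret  # real U2F hands back a public key, not the secret

    def sign(self, browser_origin, challenge):
        """The browser supplies the origin it is really on; the user cannot override it."""
        secret = self._credentials.get(browser_origin)
        if secret is None:
            return None  # no credential for this origin: nothing to sign
        msg = browser_origin.encode() + challenge
        return hmac.new(secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """The campaign's login service: challenge issuance, verification, account lock."""

    def __init__(self, origin):
        self.origin = origin
        self.accounts = {}  # user -> {"creds": [secret, ...], "locked": bool}

    def enroll(self, user, key):
        acct = self.accounts.setdefault(user, {"creds": [], "locked": False})
        acct["creds"].append(key.register(self.origin))

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, user, challenge, assertion):
        acct = self.accounts.get(user)
        if acct is None or acct["locked"] or assertion is None:
            return False
        msg = self.origin.encode() + challenge
        for secret in acct["creds"]:
            expected = hmac.new(secret, msg, hashlib.sha256).digest()
            if hmac.compare_digest(expected, assertion):
                return True
        return False

    def lock(self, user):
        """Offboarding: lock the account; the physical keys become irrelevant."""
        self.accounts[user]["locked"] = True


def login(rp, user, key, browser_origin):
    """One login attempt: RP issues a challenge, the browser at browser_origin asks the key."""
    challenge = rp.new_challenge()
    assertion = key.sign(browser_origin, challenge)
    return rp.verify(user, challenge, assertion)


def demo():
    rp = RelyingParty(RP_ORIGIN)
    primary, backup = SecurityKey("primary"), SecurityKey("backup")
    rp.enroll("staffer", primary)
    rp.enroll("staffer", backup)  # second key enrolled up front, as the comment suggests
    results = {
        "primary_ok": login(rp, "staffer", primary, RP_ORIGIN),
        "backup_ok": login(rp, "staffer", backup, RP_ORIGIN),  # primary lost: backup still works
        "phish_blocked": not login(rp, "staffer", primary, PHISH_ORIGIN),  # tapping the key on the look-alike site yields nothing
    }
    rp.lock("staffer")  # staffer leaves: lock the account, do not hunt for keys
    results["locked_blocks_valid_key"] = not login(rp, "staffer", primary, RP_ORIGIN)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The phishing case is the one worth reading twice: the user can be fully convinced by the look-alike page and press the button on the key, and the key still produces nothing usable because the browser reported the wrong origin. That is why the comment treats the key as the primary factor on computers but still wants a fallback (a second key or a code generator) for the loss case rather than for the phishing case.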