By Joseph Menn
SAN FRANCISCO (Reuters) – A bipartisan Harvard University project aimed at protecting elections from hacking and propaganda will release its first set of recommendations today on how U.S. elections can be defended from hacking attacks.
The 27-page guidebook shown to Reuters ahead of publication calls for campaign leaders to emphasize security from the start and insist on practices such as two-factor authentication for access to email and documents and fully encrypted messaging via services including Signal and Wickr.
The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.
The ongoing effort is being led by the Belfer Center for Science and International Affairs, based at the Harvard Kennedy School of Government, and is drawing on top security executives from companies including Google, Facebook and the cyber security firm CrowdStrike. The guidebook will be available online (https://www.belfercenter.org/cyberplaybook).
“We heard from campaigns that there is nothing like this that exists,” said Debora Plunkett, a 31-year veteran of the National Security Agency who joined the Belfer Center this year. “We had security experts who understood security and election experts who understood campaigns, and both sides were eager to learn how the other part worked.”
Plunkett said the goal was a digestible outline that was both realistic and helpful, and that leadership buy-in was critical.
The handbook is the first effort from the Belfer Center’s four-month-old Defending Digital Democracy program, whose leadership includes top campaign officials from both the Republican and Democratic parties. Belfer co-director Eric Rosenbach said another guidebook, scheduled for spring, will aim at state election officials, who oversee the actual vote-counting and might also have to deal with propaganda intended to mislead or dissuade voters or sow suspicions about election integrity.
“Deterring information operations is inherently a government responsibility, and the technology firms will decide how to act on their platforms, but state organizations are the victims,” Rosenbach said.
The Belfer Center is also sending students out to the states to understand various voting technologies and procedures. The idea is to recommend best practices for each type of set-up, which could include mandated software updates, paper back-ups and audits.
Thus far, the project has offered no advice for the internet companies that are under fire for allowing Russian advertising and false claims to polarize Americans. That could come later, as could a broader program for quick sharing of threat information.
(Reporting by Jonathan Weber; editing by Diane Craft)