When the campaign was getting off the ground last year for Jess King, a Democratic candidate in Pennsylvania's 16th Congressional District, staffers sat down for a meeting with David Parry, a professor at Saint Joseph's University, who walked them through basic precautions against hacking and other online threats.
“He talked us through Facebook, email, Twitter, all the major platforms and what he thought were the best practices in terms of digital security,” said Guido Girgenti, the campaign’s communication director. “Setting up two factor verification, where things are not just dependent on your mobile phone is important. Not using the same password for everything is important.”
Parry used training materials created by Tech Solidarity, a group started after the 2016 election by Maciej Cegłowski, the founder of bookmarking startup Pinboard, with the goal of connecting technology workers with progressive political candidates. The organization, which has picked up volunteers and run events across the country, has raised nearly a million dollars so far for candidates it endorses — but Cegłowski believes that there is something else he and his tech colleagues can provide that may be even more valuable to campaigns than donations: their security know-how.
Before the primary election, he says, many candidates have limited contact with national representatives of their party. Consequently, grassroots campaigns with little access to information technology resources are left to fend for themselves in the era of politically-motivated hacking.
“Unless they’re at the point where they can have a dedicated IT person, or where the Democratic party will play that role for them, they’re just abandoned,” Cegłowski said of the campaigns he’s worked with.
Cegłowski isn’t alone in that concern. Campaign staff and party officials across the country are antsy in the wake of the hack that released the contents of Hillary Clinton campaign manager John Podesta’s Gmail account into the wild internet — a political catastrophe that generated months of stormy headlines for the troubled campaign. A spokesperson for the Republican National Convention, for instance, said the party is planning a series of seminars this year to educate state party and campaign officials about digital threats.
Tech Solidarity has endorsed eight progressive Congressional candidates — each of whom still has a day job — in lower-income districts that Cegłowski believes are being ignored by the Democratic Party.
In addition to raising funds for those campaigns, Cegłowski has designed a no-nonsense list of security guidelines for political campaigns. He developed it, he said, in collaboration with friends and colleagues at Facebook, Google, and the federal government — a security-obsessed circle, he admitted, that initially developed a curriculum that was far too lengthy and technical for a general audience. After a few difficult training sessions with campaign staff, he and his collaborators boiled the document down to the approachable checklist Parry used in Pennsylvania. Its key suggestions are low-hanging fruit: Keep software updated, share sensitive information only over the encrypted messaging app Signal, use a password manager and two-factor authentication, and employ full-disk encryption, a feature now built into Windows and Apple computers as well as most smartphones.
“What’s the equivalent of wash your hands and boil water, like we do for public health?” Cegłowski said. “What is that in terms of computer security? Things that people can act on that don’t require expert understanding.”
Convincing fledgling politicians to take security seriously, Cegłowski and Parry agree, has been easier in the wake of the Podesta hack.
“In discussing what happened with Podesta, and the Wikileaks debacle, and the way that disinformation campaigns have worked more recently, we just noticed that people were not being given good advice, and not given especially actionable advice,” Cegłowski said.
Every campaign Cegłowski has approached with the checklist has been amenable to it, he said. One wrinkle: Though he’s also tried to share the guidelines with journalists — hundreds of whom were reported this month to have been targeted by Russian state hackers in recent years — he’s found that they were much less receptive to the security tips.
But in the world of politics, this seems to be a teachable moment. “I have not met any campaign that does not take it seriously,” Cegłowski said. “Everybody is worried about it.”