Malign foreign influence operations during the 2016 United States presidential election season raised awareness about the need for tighter security within campaigns. And while the 2020 presidential campaigns have shown some improvement, many are still seriously lagging—and facing real threats—with nine months left before election day. Now Google is trying to help move the needle.
Today the search giant is announcing new efforts to help campaigns secure their GSuite accounts through the Advanced Protection program—complete with free Titan security keys. Google is working with the nonpartisan, nonprofit Defending Digital Campaigns, which will interact with political groups and distribute the free keys. DDC will also take the critical step of offering consultants to help campaigns actually activate the protections.
“We’re delighted to now have a partnership with Defending Digital Campaigns through which we can reach all the presidential and congressional campaigns and help get them the security that they need, that they’ve been asking for, without having to worry about cost and complexity,” says Mark Risher, director of product management, identity and user security at Google.
By definition campaigns are transient and ad hoc, which makes it even less likely that they’ll prioritize digital security than more traditional organizations might. For such a fleeting project, high-quality infrastructure isn’t typically a focus in general—or in the budget. (Pete Buttigieg’s campaign did employ a chief information security officer, but they parted ways several weeks ago.) Looking to bridge this gap, free and low-cost digital security services have flooded the election industry over the last few years, especially since the Federal Election Commission relaxed campaign finance restrictions last year to allow offers of free security services. Many, like Project Shield from Google’s Jigsaw, offer web security services like DDoS defense.
But even these low-cost tools face adoption issues, because campaigns still have to know what protections they need and how to implement them. Both Google and Defending Digital Campaigns say that low-cost security keys are the number one request they get from election officials and campaigns. DDC already offers reduced-price YubiKeys, but as part of its collaboration with Google, the group is going farther. DDC can’t provide unlimited tech support to everyone, but it is going to have a handful of dedicated staffers ready to help campaigns order security keys from Google, set up Advanced Protection on as many Google accounts as possible, and add the keys.
“You’ve got to get people to take the time to actually turn it on, so we’re going to be working with campaigns and helping them,” says Michael Kaiser, president and CEO of Defending Digital Campaigns. “Hardening your accounts is really something that every campaign needs, and not only the campaign workers themselves, but the spouse of the candidate, friends, family. There are a lot of different folks in the orbit of the campaign that need to make sure that they’ve got some kind of enhanced protection, because the bad actors are going to probe every potential access into a campaign.”
These threats aren’t just theoretical. On Monday, Brianna Wu, a Democrat running for the US House of Representatives in Massachusetts’ 8th District, announced that two of her non-campaign Google accounts were recently compromised by hackers. As TechCrunch reported, one account was linked to Wu’s Nest home camera system and the other was an alternate personal Gmail account, but both had strong, unique passwords. Wu reported the incident to the FBI.
Google and Defending Digital Campaigns’ new initiative is an immediate way to reduce account takeovers like the ones Wu experienced. Google recently announced that users can set up Advanced Protection without a separate security key—using their phones as the extra authentication factor. The move aims to allow users to set up Advanced Protection as soon as they think about it, rather than having to wait to order physical keys. But Google’s Risher emphasizes that separate security tokens still offer the strongest protection against phishing, and provide a backup in case you damage or lose your phone.