Tuesday, November 22, 2016

Some Sage Counterintelligence Advice For Political Parties and Their Candidates

NOTE:

I am NOT an intel dude. I have never been an intel dude. I have never been a counterintelligence dude. Never. These are my OPINIONS. 

If the adage that "all politics is war" is true, then this past election could certainly be proof of that. I won't get into specifics about candidates, their positions, or even their actions or culpability. Though this advice is written specifically for the Democratic National Committee, it is nonpartisan and exactly the same counsel I would give the Republican National Committee. In fact, I wrote this post in response to the DNC leaks/hacks. Also, there will be ZERO discussion about attribution and motives. To me, answering why something happened doesn't always help you mitigate how it happened in the first place. These "rules" apply to anyone who is a target of espionage by any actor, state or otherwise.

You're the active target of an intelligence apparatus. Given the result of this election, we can assume they achieved their objective and will see their success as a reason to continue their activities against you. So it is imperative that you and your staff operate as such. Knowing this, let's be clear - these agencies have a great many resources directed at you and will see any and all information as potential actionable intelligence. This means they'll be seeking out any vulnerabilities you have, in both the physical and virtual realms, and will exploit them to get that information. Ultimately, assume you've been compromised on all of these fronts. For the foreseeable future, your survival in the political arena will depend on your acknowledgement of this.

Let's get to what you came here for - the "rules".

Physical Security
  1. Assume every room you felt was "secure" is not. This may sound a bit paranoid, but we already know the DNC suspected their offices were bugged by an unknown entity and sent a TSCM (technical surveillance countermeasures) team in to investigate. Though no active bugs were found, we know electronic surveillance is an ongoing tool used by intelligence agencies against targets, especially political ones. If you haven't already, have a TSCM team inspect every office, bathroom, closet, etc. regularly. When they're done, assume you're still being bugged and be careful when discussing confidential information.
  2. Assume your cars, homes, and hotels are also compromised. Yeah, I'm paranoid. I know this. That said, if I were to compromise you, I'd hit the places where most people engage in or discuss things that make exploitation possible. These are also places you can't sweep every day for bugs. Don't take work home and don't discuss work at home. Also, assume whatever "dirt" you do in these places is being photographed, videoed, and audio-recorded. I shouldn't have to say this but....STOP DOING "DIRT".
  3. You're being followed everywhere. Conduct surveillance detection routes regularly and pay attention to new vehicles in your neighborhood. Talk to your neighbors. Notice vehicles which you can never seem to shake. I have a rule I follow when inspecting vehicles for contraband - anything new and shiny in a sea of filth is not normal. If you're one of those people who use Uber or some other service, think about having the driver drop you off a block or two away from your destination and look to see who gets out when you do.
  4. Consider every potential or new "intimate" encounter to possibly be a "catfish" or a honeypot until proven otherwise. Yeah, it sucks to say this, but sex is still a proven way to gain secrets and access. I'm not saying you don't have "game", but you should be very suspicious of something that "sounds too good to be true". I'm not telling you to shun relationships, just be wary of new people wanting more access and information than they should have. Also, imagine these contacts suddenly being blared across social media for the world to judge. Foreign Intelligence Services have a long history of exploiting these encounters. 'Nuff said (Note: In case I didn't make it clear enough - don't be stupid and don't do "dirt").
  5. Invest in a good safe that's bolted to the floor, high-security door locks, a dog, a burglar alarm system, and a few nosy neighbors. The same crime prevention advice I give everyone applies in the counterintelligence world. You need early detection and you need it yesterday.
  6. Follow the Moscow Rules.
    1. Assume nothing.
    2. Never go against your gut.
    3. Everyone is potentially under opposition control.
    4. Do not look back; you are never completely alone.
    5. Go with the flow, blend in.
    6. Vary your pattern and stay within your cover.
    7. Lull them into a sense of complacency.
    8. Do not harass the opposition.
    9. Pick the time and place for action.
    10. Keep your options open.
  7. Adhere to the ever-wise directives of Notorious B.I.G. Seriously, regardless of how awesome this track is, the truths contained in it are essential to the success of any campaign. Though it's not a literal translation of acceptable ethical rules of conduct, interchange the words to fit a typical political campaign and it's very illuminating.

Information Security
  1. You need a security classification program. The federal government has a security classification program that's been somewhat successful at compartmentalizing information and preventing some data leakage. You don't have to mirror theirs, but you should implement something similar. The first step in this process should be the development of a risk management process. Look at what information you could never lose without seriously compromising your objectives, the information you could lose with some compromise of your objectives, and information that is safe for some data leakage or available for public release. This classification should be known and enforced organization-wide. Any and all of your policies and procedures to safeguard this information should encompass the physical and virtual realms.

    This classification could look something like this:

    a. Confidential - this could include documents or communication that should never leave the organization.

    b. Sensitive - this could include information that, if discovered, could have an impact on day-to-day operations or the overall reputation of the organization.

    c. Close Hold - this could include information that is normally only discussed among as few members as possible. This should also be treated as Confidential if it warrants.

    d. Publicly Releasable - this is information discussed in the organization that could be disseminated for public release with little to no approval.

    Note: All security classifications should be used sparingly and reviewed regularly to mitigate against hyper-vigilance and overclassification.
  2. Consider being more transparent and don't be "dirty". The DNC leaks proved in many ways that transparency could be a great mitigation tool. When you're seen as being overly sneaky, people assume you have "dirt" to hide. How you do this is up to you, but the impact transparency can have on preventing further leaks cannot be denied.

    Political parties are, by their nature, involved in some "dirt". They're either digging for "dirt" on someone else or trying to hide their own. Perhaps, it would be more prudent to limit these activities to lessen the number of attack platforms that can be used against your organization. Just a thought.
  3. Assume you have an informant in your organization. This doesn't mean you have to treat everyone as if they've been compromised. It does mean you should never assume they haven't been. Don't go on an organizational "mole hunt", but you should always be aware of what you say and to whom you say it.
  4. Don't trust any outside communication that isn't part of an existing conversation. Move the conversation offline. Have a gatekeeper handle these when possible. The gatekeeper should be the only person who has direct unsolicited access to communications with key personnel. To say the least, the gatekeeper must deploy a mitigation-first mindset.
  5. Consider building a "secure" room at your HQ. The Intelligence Community calls them SCIFs. They're rooms in which permanent workstations and secure phones are located and are regularly swept for bugs and access control is very strict. Consider only discussing strategic information here and here only. This aids in figuring out how you've been compromised if this leaks, as well as protecting against inadvertent leaking.
  6. Consider ways in which the mundane could be damaging if exposed. For political parties, imagine your entire donor database being leaked. Got any donors who would rather not have their personally identifiable information leaked? How about your call sheets or talking points to donors? Could they be useful for an adversary in figuring out how to counter you? My personal favorite - internal polling. Think the other side or an FIS wouldn't love to know how you're projecting a path to victory? How about areas your constituents feel you're weak in? What if the adversary not only used that information themselves but then leaked it, especially at a moment when you're trying to project strength?
  7. Consider a breach a serious incident. Data leakage happens. Some secrets are difficult to contain. Look at the stealth bomber and the Predator drone. Things happen. That said, there should be severe ramifications for even inadvertent leakage of seriously compromising information. Whatever those consequences are for those parties, they should be swift, consistent with existing policy, and indiscriminate. Period.

Computer/Network Security
  1. Consider all phones, computers, tablets, and other electronic devices as perpetual bugs or informants. Seriously, don't tell these devices anything you don't want to see on the evening news. Their whole job in life is to hold and disclose information upon request. If you haven't secured these devices well enough, it's not a matter of who asks but how they ask. You've been compromised, so treat these devices as such.
  2. Scan these devices for malware regularly and secure them physically at all times. If you have a device that connects to any DNC infrastructure (I don't give a darn if it's just email you access), it needs to be secured physically from theft (keep it arm's length at all times or locked up when you're not around) and scanned for malware.
  3. Back up your data and destroy and replace all devices that have connected to the network. You've been compromised. Everything you've ever touched is also possibly compromised. Consider that you may not have caught every infected device. It may not matter that you hired the best security firm in the world if you missed one infected device that has unfettered access to your infrastructure.
  4. Implement organization-wide information security protocols and minimum requirements for every device that connects to your network. No device should be able to connect if it doesn't meet certain criteria. They should be full-disk encrypted, allow remote wipes by administrators, require secure certificates, transmit data through a secure VPN, use a robust DNS service, and operate on secured and updated operating systems. Period. Any device failing this is potentially compromised and untrustworthy.
  5. Treat cell phone numbers as confidential information and SMS as insecure. SMS messages can be sent via spoofed numbers and fool recipients into believing they're receiving authentic message traffic from a trusted source. Under no circumstances should key personnel give out their numbers to nonessential entities, nor should those numbers be stored on organization-wide media. Period.
  6. Use end-to-end encryption whenever possible. Pretty much, you should be going end-to-end encrypted for every transmission, period. Download and use apps like Signal, which are open-source and widely cited as secure.
  7. Encrypt all of your databases when possible. I am no expert here, but lots of breaches these days are heavy on databases with loads of sensitive information. Call an expert and have them go over your classification to determine what should be encrypted.
  8. Get rid of your Internet-connected toaster. Seriously, throw out any IoT devices in your home or office when possible. Anything on which you've kept the default login credentials is just bad. Really bad.
  9. Trust no PC or laptop with a webcam. There was plenty of snark laid on Rand Paul because he sold webcam covers for laptops to "prevent" NSA snooping. He was right, in some respects. If it has a camera or a microphone that you can't physically disable, you have a potential "snitch".
  10. Keep cell phones and other devices outside of meetings with organization members and trusted outsiders. Let me reiterate this again - treat these devices as "snitches".
  11. Never ever ever ever ever reuse passwords, though we all do. Chances are most people reuse passwords. That said, this is what drives most data breaches. If you have an account with any service online, some of your data, including passwords, is in the wild. Use unique and complicated passwords for everything. Also, get a password manager and use it.
  12. Trust very few outside software sources. Even if you coded something yourself, there's no guarantee it's not susceptible to exploitation. Have others both in and outside the organization audit and vet any software for security issues. Patch this software regularly. Consider open source software.
  13. Create online personas for every personal online account you have. With passwords and user credentials being traded like stocks these days, it behooves anyone to use fake identities that are non-attributable to their real-life selves, especially their work lives.
  14. Use the app store on your phone sparingly and only in compliance with the organization's guidelines. Don't download and install an app unless IT has said it's okay. Seriously, just because it looks cool doesn't mean it's secure or something you should even have on a networked device.
  15. Disable USB flash drives on every device. The DoD went to this a while back. It caused a lot of heartache, but it prevented a lot of data leakage. With drives now coming with enough memory to hold an entire organization's information treasures, it behooves you to limit the number of ways to get that information out. Also, limit the number of USB devices connected to networked devices. This means no unapproved devices with insecure drivers. Ahem, China.
  16. Enforce two-factor authentication. Whether it's your email or calendar or cloud service, please use TFA. If it's not available, move to something that does. Credentials are everywhere in the wild. If your password were to unknowingly become compromised, this provides an extra layer of security.
  17. Hire a firm to come on full-time. Find a reputable firm that covers all of the D's - detection, deterrence, delaying, and destroying the intelligence adversary. I have no expertise in this realm, but there are some very reputable firms out there. Talk to companies with great security records, see who they use, and vet the heck out of them. Finally, red team yourself. Have the firm test your security as if they were the adversary. They should have capability similar to the intelligence agency coming after you or, at the very least, similar experience or familiarity. Have them test your mitigation against a variety of physical and virtual attacks. The results of these tests should be reviewed and immediately remedied (if possible) by the responsible stakeholders in your organization.
  18. Remember, security is not a convenience but a necessity. Your very survival depends on adhering to this principle. Embrace security like you do water and air. There's a reason it's a primal imperative. Just remember "security" is a feeling of being safe and "mitigation" is what makes you safe.
  19. Have a plan for a breach. No matter how good you are, there's someone else who's better. Someone will engage in idle gossip. Someone will have an affair. Someone will have secrets that can be exploited. Prepare for this, have procedures in place for when it happens, and assume it is already happening regardless of what you've done to prevent it. Be careful of hyper-vigilance, but don't pretend a breach isn't possible - because I guarantee it is very possible. You should already know that by now.
Below, I've included some resources I found useful over the year. I'm no expert but I do seek their advice.

Again, this advice is great advice for any political organization. This time it was the Democrats who got hacked. Next time, it could be the Republicans. If we're to have a free and democratic society, then a healthy balance between organizational security/privacy and transparency must be struck. Our failure to adhere to this directive will only result in further disastrous escalation.
