Tuesday, November 22, 2016

Some Sage Counterintelligence Advice For Political Parties and Their Candidates

NOTE:

I am NOT an intel dude. I have never been an intel dude. I have never been a counterintelligence dude. Never. These are my OPINIONS. 

If the adage that "all politics is war" is true, then this past election could certainly be proof of that. I won't get into specifics about candidates, their positions, or even their actions or culpability. Though this advice is addressed specifically to the Democratic National Committee, it is nonpartisan and exactly the same counsel I would give the Republican National Committee. In fact, I wrote this post in response to the DNC leaks/hacks. Also, there will be ZERO discussion of attribution and motives. To me, answering why something happened doesn't always help you mitigate how it happened in the first place. These "rules" apply to anyone who is a target of espionage by any actor, state or otherwise.

You're the active target of an intelligence apparatus. Given the result of this election, we can assume they achieved their objective and will see their success as a reason to continue their activities against you. So it is imperative that you and your staff operate as such. Knowing this, let's be clear - these agencies have a great many resources directed at you and will see any and all information as potential actionable intelligence. This means they'll be seeking out any vulnerabilities you have and will exploit them to get that information; this encompasses both the physical and virtual realms. Ultimately, assume you've been compromised on all of these fronts. For the foreseeable future, your survival in the political arena will depend on your acknowledgement of this.

Let's get to what you came here for - the "rules".

Physical Security
  1. Assume every room you felt was "secure" is not. This may sound a bit paranoid, but we already know the DNC suspected their offices were bugged by an unknown entity and sent a TSCM (technical surveillance countermeasures) team in to investigate. Though no active bugs were found, we know electronic surveillance is an ongoing tool used by intelligence agencies against targets, especially political ones. If you haven't already, have a TSCM team inspect every office, bathroom, closet, etc. regularly. When they're done, assume you're still being bugged and be careful when discussing confidential information.
  2. Assume your cars, homes, and hotels are also compromised. Yeah, I'm paranoid. I know this. That said, if I were to compromise you, I'd hit the places where most people engage in or discuss things that make exploitation possible. These are also places you can't sweep for bugs every day. Don't take work home and don't discuss work at home. Also, assume whatever "dirt" you do in these places is being photographed, videoed, and audio recorded. I shouldn't have to say this but... STOP DOING "DIRT".
  3. You're being followed everywhere. Conduct surveillance detection routes regularly and pay attention to new vehicles in your neighborhood. Talk to your neighbors. Notice vehicles which you can never seem to shake. I have a rule I follow when inspecting vehicles for contraband - anything new and shiny in a sea of filth is not normal. If you're one of those people who use Uber or some other service, think about having the driver drop you off a block or two away from your destination and look to see who gets out when you do.
  4. Consider every potential or new "intimate" encounter to possibly be a "catfish" or a honeypot until proven otherwise. Yeah, it sucks to say this, but sex is still a proven way to gain secrets and access. I'm not saying you don't have "game", but you should be very suspicious of something that "sounds too good to be true". I'm not telling you to shun relationships, but just be wary of new people wanting more access and information than they should have. Also, imagine these contacts suddenly being blared across social media for the world to judge. Foreign Intelligence Services have a long history of exploiting these encounters. 'Nuff said (Note: In case I didn't make it clear enough - don't be stupid and don't do "dirt").
  5. Invest in a good safe that's bolted to the floor, high-security door locks, a dog, a burglar alarm system, and a few nosy neighbors. The same crime prevention advice I give everyone applies in the counterintelligence world. You need early detection and you need it yesterday.
  6. Follow the Moscow Rules.
    1. Assume nothing.
    2. Never go against your gut.
    3. Everyone is potentially under opposition control.
    4. Do not look back; you are never completely alone.
    5. Go with the flow, blend in.
    6. Vary your pattern and stay within your cover.
    7. Lull them into a sense of complacency.
    8. Do not harass the opposition.
    9. Pick the time and place for action.
    10. Keep your options open.
  7. Adhere to the ever-wise directives of Notorious B.I.G. Seriously, regardless of how awesome this track is, the truths contained in it are essential to the success of any campaign. Though it's not a literal translation of acceptable ethical rules of conduct, interchange the words to fit a typical political campaign and it's very illuminating.

Information Security
  1. You need a security classification program. The federal government has a security classification program that's been somewhat successful at compartmentalizing information and preventing some data leakage. You don't have to mirror theirs, but you should implement something similar. The first step in this process should be the development of a risk management process. Look at what information you could never lose without seriously compromising your objectives, the information you could lose with some compromise of your objectives, and information that is safe for some data leakage or available for public release. This classification should be known and enforced organization-wide. Any and all of your policies and procedures to safeguard this information should encompass the physical and virtual realms.

    This classification could look something like this:
    a. Confidential - this could include documents or communication that should never leave the organization.

    b. Sensitive - this could include information that, if discovered, could have an impact on day-to-day operations or the overall reputation of the organization.

    c. Close Hold - this could include information that is normally only discussed among as few members as possible. This should also be treated as Confidential if it warrants.

    d. Publicly Releasable - this is information discussed in the organization that could be disseminated for public release with little to no approval.

    Note: All security classifications should be used sparingly and reviewed regularly to mitigate against hyper-vigilance and overclassification.
  2. Consider being more transparent and don't be "dirty". The DNC leaks proved in many ways that transparency could be a great mitigation tool. When you're seen as being overly sneaky, people assume you have "dirt" to hide. How you do this is up to you, but the impact transparency can have on preventing further leaks cannot be denied.

    Political parties are, by their nature, involved in some "dirt". They're either digging for "dirt" on someone else or trying to hide their own. Perhaps, it would be more prudent to limit these activities to lessen the number of attack platforms that can be used against your organization. Just a thought.
  3. Assume you have an informant in your organization. This doesn't mean you have to treat everyone as if they've been compromised. It does mean you should never assume they haven't been. Don't go on an organizational "mole hunt", but you should always be aware of what you say and to whom you say it.
  4. Don't trust any outside communication that isn't part of an existing conversation. Move the conversation offline. Have a gatekeeper handle these when possible. The gatekeeper should be the only person who has direct unsolicited access to communications with key personnel. Above all, the gatekeeper must operate with a mitigation-first mindset.
  5. Consider building a "secure" room at your HQ. The Intelligence Community calls them SCIFs. They're rooms in which permanent workstations and secure phones are located and are regularly swept for bugs and access control is very strict. Consider only discussing strategic information here and here only. This aids in figuring out how you've been compromised if this leaks, as well as protecting against inadvertent leaking.
  6. Consider ways in which the mundane could be damaging if exposed. For political parties, imagine your entire donor database being leaked. Got any donors who would rather not have their personally identifiable information leaked? How about your call sheets or talking points to donors? Could they be useful for an adversary in figuring out how to counter you? My personal favorite - internal polling. Think the other side or an FIS wouldn't love to know how you're projecting a path to victory? How about areas your constituents feel you're weak in? What if the adversary not only used that information themselves but then leaked it, especially at a moment when you're trying to project strength?
  7. Consider a breach a serious incident. Data leakage happens. Some secrets are difficult to contain. Look at the stealth bomber and the Predator drone. Things happen. That said, there should be severe ramifications for even inadvertent leakage of seriously compromising information. Whatever those consequences are for the responsible parties, they should be swift, consistent with existing policy, and indiscriminate. Period.
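Rule 1 (the classification scheme) and rule 4 (the gatekeeper for unsolicited outside contact) can both be enforced mechanically at the mail boundary. The Python below is an added example, not code from the original post: it sends inbound mail that is not a reply to a conversation the organization itself opened to the gatekeeper instead of to key staff, and it stops outbound mail marked with the two highest tiers from leaving the organization's domain. The domain example-party.org, the bracketed Subject-line marking convention, the function names, and every sample message and Message-ID are assumptions constructed for this example.

```python
"""Mail-boundary checks for rule 1 (classification) and rule 4 (gatekeeper).

Added example, not code from the original post. Domain, addresses,
message IDs and the bracketed Subject marking are all constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "example-party.org"  # assumed organisation domain

# The post's four tiers, carried here as a Subject prefix such as
# "[CLOSE HOLD] ..." (the bracket convention is this example's assumption).
TIERS = ("CONFIDENTIAL", "SENSITIVE", "CLOSE HOLD", "PUBLICLY RELEASABLE")
NEVER_LEAVES = {"CONFIDENTIAL", "CLOSE HOLD"}  # must never leave the org
MARKING_RE = re.compile(r"^\s*\[([A-Z ]+)\]")


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _message_ids(header_value):
    """All <...> message-ids in an In-Reply-To or References header."""
    return set(re.findall(r"<[^>]+>", header_value or ""))


def classification(msg):
    """Tier named in the Subject marking, or None when unmarked/unknown."""
    match = MARKING_RE.match(msg.get("Subject", ""))
    tier = match.group(1).strip() if match else None
    return tier if tier in TIERS else None


def triage_inbound(raw_message, sent_ids):
    """Rule 4: 'deliver' only mail that replies to a conversation we opened;
    everything else goes to the 'gatekeeper'.  sent_ids must come from the
    outbound mail log (Message-IDs we actually sent); otherwise a forged
    In-Reply-To would pass.  Trusting the From: domain assumes SPF/DKIM/DMARC
    are enforced upstream."""
    msg = message_from_string(raw_message)
    if _domain(msg.get("From", "")) == OUR_DOMAIN:
        return "deliver"  # internal mail is not outside communication
    referenced = _message_ids(msg.get("In-Reply-To")) | _message_ids(msg.get("References"))
    return "deliver" if referenced & sent_ids else "gatekeeper"


def check_outbound(raw_message):
    """Rule 1: 'block' the two highest tiers when any recipient is external,
    hold SENSITIVE mail for gatekeeper 'review', otherwise 'allow'."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    external = [a for _, a in getaddresses(headers) if _domain(a) != OUR_DOMAIN]
    if not external:
        return "allow"
    tier = classification(msg)
    if tier in NEVER_LEAVES:
        return "block"
    return "review" if tier == "SENSITIVE" else "allow"


# --- constructed sample traffic -------------------------------------------
SENT_IDS = {"<20161120.1@example-party.org>"}  # taken from our outbound log

INBOUND_REPLY = """From: Donor <donor@example.net>
To: chair@example-party.org
In-Reply-To: <20161120.1@example-party.org>
Subject: Re: Thursday fundraiser

Count me in.
"""

INBOUND_COLD = """From: Helpful Stranger <stranger@example.com>
To: chair@example-party.org
In-Reply-To: <guess@example-party.org>
Subject: Urgent - please review the attached file

(body omitted)
"""

OUTBOUND_LEAK = """From: staffer@example-party.org
To: reporter@example.net
Cc: deputy@example-party.org
Subject: [CLOSE HOLD] Internal polling, week 46

(body omitted)
"""

OUTBOUND_INTERNAL = """From: staffer@example-party.org
To: deputy@example-party.org
Subject: [CONFIDENTIAL] Draft donor call sheet

(body omitted)
"""

if __name__ == "__main__":
    print("reply    ->", triage_inbound(INBOUND_REPLY, SENT_IDS))  # deliver
    print("cold     ->", triage_inbound(INBOUND_COLD, SENT_IDS))   # gatekeeper
    print("leak     ->", check_outbound(OUTBOUND_LEAK))            # block
    print("internal ->", check_outbound(OUTBOUND_INTERNAL))        # allow
```

The two checks deliberately fail closed: anything unmarked or unrecognized on the way in lands with the gatekeeper, and the set of "conversations we opened" is derived from what the organization actually sent rather than from anything the sender supplies, so a guessed In-Reply-To does not earn direct access to key personnel.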

Saturday, November 19, 2016

The Week's Hilarious Law Enforcement-Related Tweet

You may have noticed that I'm pretty heavy into sarcasm. While going through Twitter, I came across this gem of hilarity. Enjoy! I did.


UPDATE: New FOIA Requests Are Updated!!!


Sooo, I'm kind of back on my Freedom of Information Act "grind". This time, I've grown curious about how Reedy Creek Improvement District aka Disney World interacts with law enforcement. I've heard various reports that most law enforcement-related dispatches are relayed through Florida Highway Patrol and Orange County. I'm less curious about shoplifting dispatches (I'm sure it's mostly klepto-tourists seeking crimes of opportunity) and more curious about the more serious incidents that either get reported in the media or don't.

Here are snippets of the new requests so far:

Title of Request | Agency | Date Submitted
(not shown) | FHP | 11/19/2016
(not shown) | Orange County Sheriff's Office | 11/19/2016
(not shown) | Reedy Creek Improvement District | 11/19/2016

I'll keep you posted should something more concrete develop. The plan is to write a piece on what I find in the FOIA documents to give a more robust picture of Disney's security via publicly available information. If anything, I'm sure there will be a number of interesting data points to be discussed in the replies.

As always, the best place to keep up-to-date on any FOIA requests I do is here or the link above. Also, Muckrock is an AWESOME place to discover not just my requests but other people's as well. If you see anything noteworthy in my requests, please feel free to reach me via the "Contact Me" link above.
