How IT pros secure political campaigns in an age of deepfakes

Midterm election season is underway, meaning it’s game time for campaign staffers—as well as cybercriminals and hacktivists.

Bobby Ford, chief strategy and experience officer at Doppel, a social engineering defense platform powered by AI, told IT Brew that political campaigns will oftentimes hire a third-party IT vendor to help maintain operations and defend against cyberattacks.

“Being an IT professional is hard, being a third-party IT professional is probably harder, and I would suggest being a third-party IT professional to one of these campaigns has got to be extraordinarily hard,” Ford said. “They’re under this constant attack, which is growing, evolving, and maturing on a minute basis—not daily, not weekly, but every minute it’s becoming more sophisticated.”

What’s the threat, doc? Michael Kaiser, president and CEO of Defending Digital Campaigns, said some attacks on campaigns might utilize phishing and other social-engineering tactics, and might even use an IT vendor as an attack vector. For example, attackers could use a fake version of a vendor’s invoice to insert malware into a campaign’s IT infrastructure, or utilize deepfakes of an IT vendor to convince campaign staffers to take an action that compromises the campaign’s data.

“We have to understand that this fake content can cover a lot of ground, from a video, to a photograph, to an email, to a voice, all these different ways that things can be made now,” Kaiser said. “The content is very diffused, and it’s not all fully fake, some of it’s partially fake.”

Deepfakes are a particular cause for concern, Ford added, and can even involve the campaign’s candidate.

“It is still beneficial for me to compromise your system and to steal your data, but I don’t even have to go that far anymore,” Ford said. “All I need to do is plant a deepfake, or launch a deepfake, and I can impersonate whoever it is that’s running for office…If I can sow that seed of doubt…I don’t need to have an intrusion on your system, I can just influence the campaign that way.”

Election (in)security. Ford suggested that those teams providing IT support to a campaign, as they are sometimes handling cybersecurity alongside operations, need an additional vendor to provide cybersecurity against social engineering attacks like deepfakes.

All campaigns and their staff may be considered “high-risk technology users” because they are subject to a wide range of attacks from nation-state actors to hacktivists.

Kaiser also pointed to some campaigns’ enormous budgets, which could encourage cybercriminals to “follow the money.” For example, some Congressional races are seeing more dollars spent by super PACs and outside groups compared to the candidate themselves.

The team that manages that security. Ford said that IT workers who provide services for campaigns should think about sorting adversarial actions into two buckets:

• Things that the adversary can do to infiltrate systems
• Things that the adversary can do to influence a candidate’s base

“I would treat those two as completely separate things, and I would ask myself, what controls do I have in place to protect against both of those?” Ford said.

Kaiser suggested that the IT and security professionals implement “common sense measures” such as passkeys and other account authentication methods. In addition, IT pros can try to protect the campaign’s social media and other public-facing domains.

“Those are places where people would get in and could dump fake content…onto your website…because [they’ve] gotten access,” Kaiser said. “That can be really damaging because it looks like it’s coming from the campaign.”