Tech Security and Political Parties
Every organization that uses computers and cell phones needs to think about security, but this is particularly important for political parties. A party maintains a large volume of information, such as personal data about party members, that is potentially valuable to political rivals, hackers and possibly the government. Many parties operate in dangerous political environments in which their opponents, or even government actors, will not shy away from tactics like hacking or theft. In the most dangerous political settings, poor security could expose party staff or members to some sort of government retribution or physical harm.
To protect themselves and their resources, parties should consider security in all aspects of their technical operations, from the individual staff and member level to party-wide networks and software. There are three levels of tech security: individual, organizational and application. This section describes all three in more detail.
Security begins with individual party members and staff. Many corporations and government agencies have had vital computer networks compromised because a single staffer clicked on the wrong email attachment or gave a vital password to someone who called on the phone posing as a technician. Training and the organization-wide enforcement of good security procedures can help a party avoid these potential security problems.
Any staff or party member who uses party computers or accesses party systems through cloud-based applications like those of Google Drive should receive basic security instructions. They should know to:
- Never reveal passwords to anyone not authorized to have them.
- Never allow access to software or computers to people not authorized to use them.
- Never disclose security practices to people outside the party or those unauthorized to know about them.
- Always change passwords regularly, particularly when a piece of software prompts them to do so.
- Never use simple passwords such as “password” or “12345”; these are a frequent source of security compromises.
- Update computer operating systems, antivirus software and other types of software when the system prompts updates, remaining wary of suspicious and potentially malicious update prompts that might be phishing attempts.
- Beware people calling the party office and asking for a password, even if they claim to be tech support staff.
- Beware of clicking on links or opening attachments in emails unless the destination or file is known to be safe. Note: .exe files arriving by email are particularly dangerous because they are pieces of software ready to run when clicked.
- Log off from accounts when an application is not in use, including specific software applications and computer user accounts. Depending on computer operating systems and network requirements, staff might need to turn computers off when not in use.
- Maintain the physical security of party offices. In short, lock the doors. Not only can political rivals steal computers to gain access to party data, but thieves can take valuable digital devices as well.
These basic security practices apply to contractors, subcontractors and consultants, as well as party staff and members.
- Party staff, members, consultants and contractors should only have access to the computers and software required for their roles in the party. When possible, each person should have unique software logins, accounts or profiles; multi-user username/password combinations are vulnerable to abuse.
- Many software packages have varying access levels depending on the user’s role, and a user should only have access to necessary levels. For example, a grassroots member-management system might allow some people to view member information without allowing them to alter or update that data. Higher-level accounts might allow data entry or alteration, and administrator-level accounts might allow the account-holder to change the software’s basic settings.
- Disgruntled former employees are a frequent source of security problems. A party should change passwords and delete user accounts when people leave the office or party. This practice applies to every computer or software application the person used.
- A party should screen new employees and vendors carefully to ensure they have no history of undesirable behavior that could harm the party.
- To the greatest extent possible, a party should secure its offices and other physical locations against theft or spying.
- Likewise, a party should train its staff to be particularly careful with party-owned computers; a stolen laptop or tablet might give access to important networks, documents or data.
- A party should implement organization-wide requirements for computer users to change passwords at regular intervals.
- If a party is working with a tech vendor that is also working with other political parties or organizations, the party should determine whether the vendor has internal procedures to prevent the improper passing of information from one team to another.
- Cloud applications are, by their nature, accessible from anywhere in the world. A party should take particular care to train its staff and/or members in username/password security for any cloud software (such as Google Docs) that the party uses.
- When possible, a party should put a dedicated internal technology team in charge of its computers and software. If staff are not available, a consulting firm can substitute. But technology security should be someone’s defined job – it cannot be an organization-wide afterthought.
Finally, a party must consider security at the network and application level. The intricacies of application-level security might be beyond most party staff’s capabilities, but the party’s technology team and/or technology vendor(s) should understand its vital importance.
- Technology staff and vendors must be aware of the security risks or considerations of any technology they recommend, create or install for a party. They must make party decision makers aware of any potential problems and present a plan to circumvent those problems.
- A tech team must secure individual computers, both physical and remote, or cloud computer networks against unauthorized intrusions. Technology staff should monitor and update “firewalls” and other digital security barriers.
- Technology staff should set up the correct levels of application access for staff, members and others when they configure software applications. Users should only be able to utilize the features and view the information that their roles demand; these roles and the accompanying levels of access require careful planning.
- Tech staff must take particular care with administration-level accounts and the accompanying usernames and passwords. Once staff installs and configures an application, they should change these passwords in order to prevent vendor staff (or others) from inappropriately tampering with the software in the future.
- Data backup should be a part of the security process. Technology staff should store information on an archived network in case the network is compromised and the data corrupted. The data archive itself must be securely protected.
- A party and its vendor should establish a regular process to ensure that organization-wide software applications remain up to date, with the latest software “patches” regularly applied and upgrades installed. This consideration applies both to proprietary and open-source software, as well as to any custom applications the vendor has created to meet the party’s specific needs.
- If a user can remotely update or access software via application programming interfaces (APIs) or other data gateways, the software’s vendor must ensure that these are protected against unauthorized access.
If a party truly fears that its data, networks or computers have been compromised, it should consider bringing in a specialized security firm. The party might also consider preemptively hiring a security firm to audit the party’s technology for security considerations. This process can include the use of “white hat” hackers – skilled tech staff who attempt to break into systems in order to identify potential security risks. Of course, the party should conduct a thorough background check on security specialists and other technology vendors.
Even if it is only to support a political group, joining an internet community such as Facebook or Twitter opens a person up to feedback, both positive and negative. This is particularly true for women, who can become the target of online attacks that range from name-calling to direct threats of violence. Female party members and supporters who join online communities should think through the following questions:
- What are the gender-specific issues with this online platform with regard to privacy, safety and security?
- Would using this technology put me, as a woman, in particular danger?
- Are there ways to mitigate personal risk?