
E-mail security advice for politicians

How much attention would you give e-mail security if you were running for office? One would hope that the people who run for public office in this country with promises of increased domestic security would take some pains to ensure their own security during the campaign.

High priorities should of course involve things like having good bodyguards and site security teams when making public appearances, ensuring one's campaign Web site doesn't get defaced by people who disagree with one's policies, and protecting e-mail privacy.

While I would dearly love to see someone with at least a marginal understanding of technology get into public office from time to time, I know that might be a bit too much to ask at this point on the national political stage. Lacking personal understanding of such matters, however, one should definitely hire people who know what they're doing and get them to advise on technical matters -- and actually listen to their advice.

I could comment at some length on the difference between people who know how to market technology or can run a technology company and those who actually know technology sufficiently to be credible advisers. In other words, I could comment on the inadvisability of hiring someone like Steve Ballmer as a technology adviser. That's not the point of this article, though. Instead, I'll just offer a short list of tips for anyone who might want to run for public office and avoid the embarrassment of failed e-mail security:

  1. First and foremost, make sure e-mail authentication is encrypted. This should apply to all e-mail, all the time, but is especially important for circumstances where having your account cracked is not only annoying, but also embarrassing, such as when running for public office on a domestic security platform. Make sure all your campaign staffers are doing so as well.
  2. Use encryption for important e-mails. Never underestimate the importance of being encrypted. Make all your campaign staffers use it too.
  3. Digitally sign e-mails, and require all campaign staffers to do the same. Use a well-tested, proven cryptographic signing technology, such as PGP or S/MIME, to sign e-mails, so that there should never be any question about the authenticity of an e-mail. While you're at it, make sure all your campaign staffers understand how to employ cryptographic digital signatures securely -- and that you understand how to use them, too.
  4. Have a specific computer set up for campaign-related business. Make sure it's set up to be as secure as possible, and make sure as many features are disabled as can be without crippling your ability to do campaign-related work. Don't use it for personal Web browsing, non-campaign related communications, or anything else that might put its security at increased risk. Make all unencrypted connections on that computer through a secure proxy. Use that computer -- and only that computer -- to access your campaign e-mail. For obvious reasons, this computer should probably be a laptop. At least the most important campaign staffers, with the most intimate relationship to the inner workings of the campaign, should employ similar measures.
  5. Use POP or IMAP for e-mail, instead of a Webmail account. In other words, don't be Sarah Palin. This account should be associated with a domain name specific to your campaign (to make it look more official, as well as to provide greater control over e-mail security), and your campaign staffers' official communications should be carried out via addresses associated with that domain name as well -- or perhaps with a second domain created specifically for communications amongst campaign workers.
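
For the technical staffer carrying out tip 1, here is an added example (not part of the original article) that audits what a mail server advertises before TLS is negotiated and flags any way a password could cross the wire in clear. The sample responses and the host name mail.example.org are constructed for illustration.

```python
import re

# PLAIN and LOGIN transmit the password itself; base64 is encoding, not encryption.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def cleartext_auth_findings(protocol, pre_tls_caps):
    """Audit capabilities a mail server advertises BEFORE TLS is negotiated.

    protocol is "imap", "pop3" or "smtp"; pre_tls_caps is the raw IMAP
    CAPABILITY, POP3 CAPA or SMTP EHLO text seen on the plaintext port.
    Returns a list of findings; empty means no password is accepted in clear.
    """
    lines = [l.strip().upper() for l in pre_tls_caps.splitlines() if l.strip()]
    findings = []
    if protocol == "imap":
        # IMAP lists every capability as one token; SASL mechanisms are AUTH=<mech>.
        tokens = set(re.split(r"[\s\[\]]+", " ".join(lines)))
        tls = "STARTTLS" in tokens
        mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
        if "LOGINDISABLED" not in tokens:
            findings.append("LOGIN command accepted before TLS")
    else:
        # SMTP ("250-KEYWORD args") and POP3 ("KEYWORD args") use one keyword per line.
        caps = {}
        for line in lines:
            words = re.sub(r"^250[- ]", "", line).replace("=", " ").split()
            if words:
                caps[words[0]] = set(words[1:])
        tls = ("STARTTLS" if protocol == "smtp" else "STLS") in caps
        mechs = caps.get("AUTH" if protocol == "smtp" else "SASL", set())
        if protocol == "pop3" and "USER" in caps:
            findings.append("USER/PASS accepted before TLS")
    weak = sorted(mechs & PASSWORD_MECHS)
    if weak:
        findings.append("password mechanisms offered before TLS: " + ", ".join(weak))
    if not tls:
        findings.append("no TLS upgrade offered")
    return findings

# Constructed sample responses (mail.example.org is a placeholder host).
SAMPLES = {
    ("imap", "weak"): "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready",
    ("imap", "hardened"): "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    ("smtp", "weak"): "250-mail.example.org\n250-AUTH PLAIN LOGIN\n250 SIZE 10240000",
    ("smtp", "hardened"): "250-mail.example.org\n250-STARTTLS\n250 SIZE 10240000",
    ("pop3", "weak"): "+OK\nUSER\nSASL PLAIN\nSTLS\n.",
}

if __name__ == "__main__":
    for (proto, label), caps in SAMPLES.items():
        print(proto, label, cleartext_auth_findings(proto, caps) or "OK")
```

Feed it what the plaintext ports (IMAP 143, POP3 110, SMTP submission 587) answer before STARTTLS or STLS; ports that start in TLS (993, 995, 465) have no cleartext phase to audit. Because the capability listing itself is unauthenticated, every mail client should also be set to require TLS rather than use it opportunistically.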

Some of these measures will of course require the help of technically proficient experts. Get one on-staff if at all possible, or at least hire one on a consulting basis. If you run a small, local campaign that doesn't have enough money to spend it on hiring an expert, make use of that six degrees of separation principle to find out who your advisers, campaign staffers, and their friends and relatives might know who would be willing to help you out. Once you get such help, listen to the advice you're given.

You don't want to be the next candidate for public office whose name is in all the papers having made amateurish mistakes with the security of campaign communications, after all.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

51 comments
paul.scott

I am working for one of the few campaigns that I have seen that actually has a dedicated Technology Director on staff to manage domain names, website, email, security, and tech support.

Paul Scott
Technology Director
Andrew Martin for Nevada
www.martinfornevada.com

tinyang73

Great, entertaining and informative article! Thanks Chad.

Colonial_Boy

Guys! I just found this: "Obama supporter Mike Kernell (D-TN) confirms his son, David Kernell, hacked Sarah Palin's email to help Obama" Found this @ http://hillbuzz.wordpress.com/2008/09/18/soetorobama-supporter-mike-kernell-d-tn-confirms-his-son-david-kernell-hacked-sarah-palins-email-to-help-soetorobama/ I'm going to do a little more verification work, but so far (despite some derogatories) the info on that website looks like it's accurate (and not a hoax from "Vast Right-Wing-Conspiracy").

Meesha

Thanks Chad. The two things that I took away from this blog were that 1) DON'T use public delivery systems for sensitive information sharing; and 2) the old adage that "don't write/print anything you don't want your mother to see" is apropos to this issue - in this case "mother" was the public and governance was Ms. Palin's obligation. As one poster wrote earlier, her politics/governance is not the main issue, except as fodder for the political machine, but rather it's her obvious blind acceptance that a public tool such as Yahoo would be private. As I am writing this I am very much reminded that this response is OUT THERE!!!!

Michael Kassner

To get BALTHOR to make three comments, and in a row is a huge kudos to you. Seriously, great post Chad and I hope it creates an immense amount of discussion as it's important.

JackOfAllTech

her email was hacked and not the poor ethics and morals of the ones who did it? To me, it looks like an act of desperation. They can't find anything to criticize about her politics so they are attacking her personally in any way they can. How lame.

BALTHOR

Any very high frequency computer can copy the entire Internet in a short time. This would be infinite frequency. I see that everything Internet is diverted. We are seeing a false Internet.

BALTHOR

I now suspect that the entire Government e-mail location is being diverted. The e-mail is copied to a hacker memory system. Palin's e-mail would still exist in the Government location if it hasn't been deleted. It could be that at the upload there is a phone line split, one line to the Government, the other to the hacker. All of the e-mails ever delivered to her may still be in the Government location. It's like the hacker system is in parallel to the Government's.

BALTHOR

When an e-mail is sent it gets uploaded to the Federal memory location. The e-mail sits in the Government's protection until it is deleted. Our Government is being attacked.
