One would hope that the people who run for public office in this country with promises of increased domestic security would take some pains to ensure their own security during the campaign. High priorities should of course involve things like having good bodyguards and site security teams when making public appearances, ensuring one's campaign Web site doesn't get defaced by people who disagree with one's policies, and protecting e-mail privacy.
While I would dearly love to see someone with an at least marginal understanding of technology get into public office from time to time, I know that might be a bit too much to ask at this point on the national political stage. Lacking personal understanding of such matters, however, one should definitely hire people who know what they're doing and get them to advise on technical matters -- and actually listen to their advice.
I could comment at some length on the difference between people who know how to market technology or can run a technology company and those who actually know technology sufficiently to be credible advisers. In other words, I could comment on the inadvisability of hiring someone like Steve Ballmer as a technology adviser. That's not the point of this article, though. Instead, I'll just offer a short list of tips for anyone who might want to run for public office and avoid the embarrassment of failed e-mail security:
- First and foremost, make sure e-mail authentication is encrypted. This should apply to all e-mail, all the time, but is especially important for circumstances where having your account cracked is not only annoying, but also embarrassing, such as when running for public office on a domestic security platform. Make sure all your campaign staffers are doing so as well.
- Use encryption for important e-mails. Never underestimate the importance of being encrypted. Make all your campaign staffers use it too.
- Digitally sign e-mails, and require all campaign staffers to do the same. Use a well-tested, proven cryptographic signing technology, such as PGP or S/MIME, to sign e-mails, so that there should never be any question about the authenticity of an e-mail. While you're at it, make sure all your campaign staffers understand how to employ cryptographic digital signatures securely -- and that you understand how to use them, too.
- Have a specific computer set up for campaign-related business. Make sure it's set up to be as secure as possible, and make sure as many features are disabled as can be without crippling your ability to do campaign-related work. Don't use it for personal Web browsing, non-campaign related communications, or anything else that might put its security at increased risk. Make all unencrypted connections on that computer through a secure proxy. Use that computer -- and only that computer -- to access your campaign e-mail. For obvious reasons, this computer should probably be a laptop. At least the most important campaign staffers, with the most intimate relationship to the inner workings of the campaign, should employ similar measures.
- Use POP or IMAP for e-mail, instead of a Webmail account. In other words, don't be Sarah Palin. This account should be associated with a domain name specific to your campaign (to make it look more official, as well as to provide greater control over e-mail security), and your campaign staffers' official communications should be carried out via addresses associated with that domain name as well -- or perhaps with a second domain created specifically for communications amongst campaign workers.
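As an added illustration of the first and last tips (not part of the original article), the sketch below audits what an IMAP server on the cleartext port advertises before TLS is negotiated, which is where an unencrypted login would happen. The function names and the greeting lines are constructed for this example; on an implicit-TLS port such as 993 the whole session is already encrypted and this check does not apply.

```python
import re

# Constructed sample greetings, as an IMAP server might send them before TLS.
SAMPLES = {
    "hardened": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "upgradable": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready",
    "cleartext": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    "opaque": "* OK mail service ready",
}

def parse_capabilities(line):
    """Return the capability atoms from a greeting or CAPABILITY response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def audit_pre_tls(line):
    """List reasons a password could cross the wire unencrypted."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability list found; cannot assess"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session cannot be upgraded")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED absent: LOGIN not refused before TLS")
    weak = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if weak:
        findings.append("cleartext SASL offered before TLS: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for name, greeting in SAMPLES.items():
        problems = audit_pre_tls(greeting)
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

A server that passes still needs a mail client configured to require TLS, since a client that silently falls back to cleartext defeats the server-side setting.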
Some of these measures will of course require the help of technically proficient experts. Get one on-staff if at all possible, or at least hire one on a consulting basis. If you run a small, local campaign that doesn't have enough money to spend on hiring an expert, make use of the six-degrees-of-separation principle to find out who your advisers, campaign staffers, and their friends and relatives might know who would be willing to help you out. Once you get such help, listen to the advice you're given.
You don't want to be the next candidate for public office whose name is in all the papers for having made amateurish mistakes with the security of campaign communications, after all.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.