author photo
By Clare O’Gara
Wed | Jul 15, 2020 | 5:57 AM PDT

With COVID-19 ravaging the physical and digital world, and a U.S. presidential election on the horizon, cybersecurity is more critical than ever.

The Biden for President Campaign apparently got the message.

Biden campaign hires high profile cybersecurity leader

The Biden campaign recently announced who it hired to fill the positions of Chief Information Security Officer (CISO) and Chief Technology Officer (CTO) in order to address potential cybersecurity threats to the campaign. 

The pick for CISO was Chris DeRusha, who was once the Chief Security Officer for the State of Michigan, and previously served in the White House, Department of Homeland Security, and Ford Motor Company’s enterprise vulnerability management program.

And for CTO? The campaign hired Jacky Chang, who previously worked as a senior engineer on Hillary Clinton's 2016 presidential campaign. She was also a member of the Democratic National Committee's (DNC) voter protection team during the 2018 midterm elections. 

A spokesperson for the Biden campaign told The Hill these hires are all about security:

"Jacky and Chris will be central to strengthening the infrastructure we've built to mitigate cyber threats, bolster our voter protection efforts, and enhance the overall efficiency and security of the entire campaign."

When asked about cybersecurity, a spokesperson for the Trump campaign explained that the team "[doesn't] discuss our cybersecurity efforts, but we take it seriously," confirming that the campaign has "staff that handles those responsibilities."

What do cybersecurity professionals think about Biden's choices?

DeRusha and Chang have some lengthy cybersecurity resumes. But it's worth getting the perspective from other InfoSec professionals on the Biden campaign's picks.

First up: Brandon Hoffman, CISO and Head of Security Strategy at Netenrich. He touches on what this cybersecurity team has to accomplish:

"There are several high focus areas for the cyber team. The most important task is securing the critical data and assets with restrictions on who can access them. Subsequently, ensuring the shared platforms and networks across campaign locations and tiers of staff are appropriately monitored and controlled is also important. Another focus area would be messaging systems. Any system that can be compromised to send information to the public that is not legitimate will be a high value target for adversaries."

Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, discusses the critical nature of hiring cybersecurity staff for political campaigns:

"This is a critical step in acknowledging the importance that cyberattacks have on an election and a campaign, especially one as important as the presidential election. All elections and campaigns will experience cyberattacks, and it is important to have an experienced and knowledgeable expert providing direction and response when cyberattacks materialize.

Unfortunately, most campaign staff are inexperienced when it comes to cybersecurity best practices and are very vulnerable to phishing attacks that attempt to steal their credentials, enabling attackers to gain access to emails or even voter registration databases which could provide an attacker intelligence on how to best target an election."

And Carson has some specific goals in mind for the cyber team:

"I hope that Chris DeRusha will emphasize the importance of password hygiene and privileged access management (PAM) when it comes to protecting campaign staff's credentials and access to voter information. PAM is a key cybersecurity strategy when it comes to protecting sensitive voting information and is a must have security to reduce the risks from becoming a cyber victim."

Campaign security in a post-2016 election

The 2016 election provided crucial lessons in what was missing in campaign cybersecurity.

We covered this extensively in our July 2018 article, "20 Tricks by Russia: Steps of the DNC Hack."

It looks like the Biden campaign is looking to avoid a case of deja vu.