
so we all know about the important infosec roles in the 2016 election but it turns out that in 2020 folks were very prepared and spent a lot of time thinking about infosec and so this next panel has some of the key experts from that campaign in 2020 and they're going to talk about the threats and the challenges and of course how all of this played in the global pandemic so we've got timbal who was participant in four different presidential campaigns he's currently the director of cybersecurity for civis which is a election data company allison was a security program manager for the dnc uh krishnan uh focuses on enterprise security for the dnc so again how are elections the same and different
from general enterprises matt was the director of engineering for the biden for president campaign and will's the cso for act blue which is a non-profit political fundraising arm you're going to hear some great stories and if you don't have your fill i encourage you to buy any of these people drinks because i promise you they have stories that even they're not willing to share in this kind of public reported stage but i think you'll learn a lot and uh you'll get some insight into what the threats we face as well as how a organization that doesn't have quite as many resources as some of the best of us still manages to produce locked down security organizations
hello and welcome today's to today's panel talk securing the 2020 presidential campaign threats challenges and a global pandemic my name's tim ball and i'll be your host and moderator for this uh exciting panel with all of our guests so we're gonna do a quick set of intros and then we're going to get into it so will introduce yourself sure thanks timbal hi everybody i'm will rogers i'm the chief information security officer at actblue.com next to allison hi folks my name is allison go i am the security program manager for the dnc and matt thanks tim ball i am the head of technology at zinc collective and was previously the engineering director at biden for president
and lastly krishnan thanks tim uh i'm krishnan i'm currently the acting chief security officer at the dnc previously led our enterprise security program at the organization that's great and i'm tim ball i'm the ciso at civis analytics previously i was the senior security engineer for the hillary clinton campaign so we'd like to begin with some campaign nouns and verbs allison could you explain what a dnc a bfp a coordinated campaign and a vendor yeah so there's there's a lot of acronyms as i'm sure in any industry so when we refer to the dnc this is the democratic national committee which is the committee itself so i was headquartered in dc um we serve as an advisory uh
kind of position to national federal campaigns the dnc is different than some of our other what we call democratic sister committees there is also the democratic senatorial committee uh congressional governors attorneys general legislate legislative um a lot of other sister committees but as the dnc we focus on national federal campaigns um also join uh so matt hodges is formerly from biden for president which we refer to as bfp um so that is the biden harris campaign from a 2020 cycle which is a separate entity than the dnc so if you think about we have biden we have the dnc and then we have what we call the coordinated campaigns the coordinated campaign sits in the middle
of both of those um during the general election so you'll hear us mention the coordinated campaign a lot so if you think about dnc is over here biden coordinates kind of in the middle sphere supporting both and uh with input from both sides um we also in the the in the democratic politics world we also have vendors in the vendor space so uh will and timbal definitely very much come from the vendor space and offer a lot of the tech that supports not only the biden and the dnc campaign but ticket campaigns up and down the ticket from other presidential governors races all the way down to your local state senate race um so that's kind of a quick
run through of some of the things you may be hearing and if there's anything else that i think we may need to pause and define in a second i'm sure i'm happy to hop in as well that's great thank you very much so i think we want to get straight into how do campaigns work and how does security for campaign typically work um matt and krishnan do you want to talk about that yeah so how do campaigns work how does security work it's kind of a big open-ended thing that we could go a lot of different directions with but from uh from a high level if we're talking about presidential campaigns um the presidential campaign is
basically broken down into two legs it starts off with the uh primaries uh that is actually the longer of the two legs um and the primaries are the uh the the point on the calendar when a number of candidates have uh declared their intention to run for the nomination they're all democrats and the dnc is working with all of them which can create its own challenges um but they eventually will narrow that down into one candidate um through the primary elections that go to the general election um once we're in the general election that's what we normally think about when we're talking about the election cycle at least for people who work outside of politics or to thinking of of the two
two candidates who are running for president and at that point uh organizations scale up very quickly um before we talk about the challenges of scaling up really quickly krishnan maybe you could speak about some of the challenges on that first leg of working with multiple primary campaigns yeah that's a good question there so i think um you know when during the primary season what's not as well known is that given that there you have this at least in the 2020 cycle we had close to a dozen or more candidates uh vying for the nomination um the dnc as being the head of the democratic party um we have to work with all these candidates right
they are they're all democrats vying for the nomination so we have to provide them equal levels of support when it comes to uh cyber security and so uh you know one of the challenges that we faced in that early part of primary season especially for these primary campaigns right is that cyber security is not the top of mind thing right they're trying to get votes they're trying to fundraise money um and so for us really it was trying to get in at the as early as possible with campaigns trying to give them good cyber security advice so that you know if they became the nominee right they had that really strong foundation in place to help them
scale up which we'll talk about uh down the road you have to kind of piggyback on that so um i think at a high point i think we were working with 20 25 to 27 different presidential campaigns uh during the primary primary season as the dnc and um as a dnc we had very much positioned ourselves as an advisor we'd get in um as soon as folks had declared and really be like all right here are some resources here are some best practices to start from the get-go um while you scale up your staff and move from state to state caucuses primaries uh and really matt talked about fundraises and banking those votes um and making sure you were getting a
name out for yourself but yeah there is definitely the tension um in the campaign world where basically every dollar you bring in most of it's got to go to getting votes um and where does cyber security fit in there and making sure that it's a priority is always going to be a challenge for us that's great so one of the things that i think we've all talked about in the past is about how presidential campaigns are like a giant startup that you've never experienced before matt i was wondering if you could give sort of your ground level take of what it's like being at this crazy kind of startup yeah so i think some of the similarities
that you might see on a presidential campaign uh that you see in startup land is uh first of all this concept of like hockey stick growth um you know when startups talk about hockey stick growth they're talking about users and how how quickly can they scale up their product um when campaigns would talk about hockey stick growth they're probably talking about the number of staff that work for the campaign or work within one of those organizations that allison introduced whether it's the presidential campaign itself the dnc or or the coordinated um you know it's it's a very fast timeline i think people might look at the presidential cycle and think that it goes on forever but if you actually take
a step back and look at like how much happens on that calendar year it's only a matter of like something like 18 19 months and then the whole thing is over um so what happens in that time frame is when a campaign launches you're literally launching with like 20 people it is a small group of people who are kind of in the know they were brought on very early generally speaking those 20 people do not include anyone of any technical or security background i think the space is making some progress in that but i think it's fair to say that that is more of an exception than the rule um i think people like ourselves are pushing on that to make
that more of the rule instead of the exception but but the reality is you start off very small and then you start scaling up super fast as a campaign is moving through the primary cycle you start bringing on staff as rapidly as you can afford them so that you can distribute them across the primary states and so you go from 20 staff to about 200 in just a few months and like that's 10x growth in just a few months of just your staff and anyone who's worked in um securing employees accounts or their devices knows that uh growing that quickly can be very very challenging um you know your humans are always your most difficult things to to
secure um add on top of that that even even before the pandemic uh the workforce is totally distributed across the state so there's there is this concept of a headquarters but uh the majority of your employees are not at the headquarters they're at whatever field offices when field offices were a thing um or if you're in a pandemic they're in whatever uh coffee i guess coffee shops were closed they were in their apartments um and that is distributed everywhere so you're you're 10xing your staff very rapidly fast forward a few more months you get to the general election um you you literally go from 200 staff to over 2 000 staff you 10x this again
and that 10x happens even even more quickly because as fundraising is coming in you're spending every single dollar you can on vote acquisition not on scaling staff in any linear fashion once you're in the general election you go from 200 to about 2 000 staff within three four weeks um it is extremely rapid and so that just once again um is an exponential on that challenge of securing not only endpoint devices but humans and educating a large a large staff there the last thing i'll say about the parallels between a presidential campaign and a startup is um startups generally build out products in an mvp fashion it's not they're not always the most robust products right away but then they
have the opportunity to iterate on them when they go to market um campaigns are building software campaigns are writing code campaigns do not have that runway to then iterate and uh make them robust like most technical organizations do generally speaking on a presidential campaign when you are trying to push something up that your team is putting together whether you're building it or you're buying it or some combination you build it you ship it you move on to the next problem and so what that ends up looking like is an entire organization built on a term that i used a lot this last cycle bronze medal software um it does its job it's not the most lovely piece of
software but uh as you can imagine bronze medal software is not only buggy but can can create a bit of anxiety from making sure that you're following uh software best practices testing best practices and and keep keeping things patched that's that's another big challenge there um so that fast pace and fast growth is where i would say presidential campaigns can feel a lot like a startup and that i was going to bring up you have the last point where you have an explicit end date right so after election now your massive 3 000 person startup goes to zero right so that that that aspect of startup is also crazy because in about two weeks time you're
trying to off-board all these people as they kind of figure out what they're going to go do next right and so the issue there is how do we not again create more security issues the off-boarding piece right so onboarding challenges off-boarding challenges a lot of fun yeah it's uh it's very rapid in both directions and it's it's one of those environments where it's it's consistently high stress um again like many startups you're working late hours and and you're you're staring at your desk for 15 16 hours a day and that can create um opportunities to make errors which i think is something some smaller technical organizations experience early on yeah that's a really great perspective
i'd like to hear from the dnc folks because i believe there's a lot of sort of myths about the hollywood idea of what it's like to work both at the dnc and the campaign allison krishnan what do you think it was like supporting so many staff and so many campaigns how did you apply um resources yeah i mean i didn't speak to it from the like it's not at all what you see in the movies or the tv shows or it's not at all like the west wing's version of uh of what campaigns are um so i very much come from uh like a field perspective um running campaigns across the country um and really living in the field and field
offices are not fancy they're often filled with lots of overworked over-caffeinated underfed staff who are working 20 hours a day to talk to voters um to make sure that they know where to vote and who they're voting for and really mobilizing all of that and that's what the really the bulk of these folks are doing um so even in a non-pandemic year these are extremely chaotic environments in field offices they're not fancy i'm usually there for weeks maybe at most months maybe but sometimes days you really fly into a place uh do your thing bop on in the next state living out of your trunk for a little bit sometimes there may not even be an
office um sometimes your office is the closest starbucks or your hot spot in your car um and so like that's kind of the the chaotic environment of what campaigns look like on the ground um and campaign warriors and field folks like that's what they do they go from state to state to uh to really make it make sure it happens um and so when we shifted in when the pandemic happened not only were we reworking the cyber security and how do we onboard all these thousands of people um at the same time at a global pandemic was uh coming what was really impacting america but also reinventing how a campaign worked from the basics um i don't know i i mean i i don't think
that anybody walks into 2020 being like oh yeah we're going to do an entirely remote campaign and everyone's gonna do field contacts and talk to voters from their childhood bedrooms i don't think that that was really in anybody's mind but really reinventing how campaigns work and making sure that it was secure and then making sure that people had video conferences and were getting onboarded without us ever even touching their laptops was not something i think any of us had ever thought of so it was all things kind of combining all at once at the same time on all of us last year yeah i mean the pandemic definitely you know threw a wrench into all of our plans in
2020 i mean as matt kind of alluded to campaigns are these crazy startups and now you throw in this additional element of well you're going to completely take away all of the sort of the norms of how campaigns are operated right based out of physical offices where everyone's co-located together and now your remote setting um you know there are so many challenges right just from like procuring equipment um you know to figure out how are we going to secure all these human beings right um you know we didn't do anything fancy when it came to cyber security right um if you've heard about the dnc security checklist right it's just uh really the the fundamental aspects of
you know how a person should really think about cyber security in the in the 21st century right which is you know just updating your devices turning on two-factor authentication using a password manager right if we get those basic things done right we we we've sufficiently secured our human beings but imagine the fact that this is the first time people have ever heard of a password manager this is the first time someone's ever heard of a security key and you're doing this remotely oh and guess what their internet connection is not that great so they actually can't get on video with you and you're troubleshooting with a person who maybe has really doesn't have too much
technology experience i mean these are kind of the crazy challenges that we walk through and that stand up you know going from a few hundred people to a few thousand people and really this was ingenuity and us you know working those long hours and ensuring that you know we had the right cyber security posture right because ultimately our goal was we didn't want to see a repeat of what happened in 2016 right that's you know it's kind of like everyone works a democratic ecosystem yeah that's kind of this monkey on our shoulder we wanted to do whatever we can and so that's really i think what kind of pushed all of us to kind of work
take to do whatever it takes you know to ensure that campaigns you know were secured on the 2020 cycle but now it was tons of fun yeah i think that that was maybe uh i can't speak to it because i wasn't at the dnc in 2016. but um i don't think people had questioned whether or not security was a priority like we would come in basically you start running your presidential and you get introduced to some of us on your presidential campaign and be like okay yeah cyber security got it important so it wasn't the buy-in question it was the how question um and so that's what we focused a lot of our time on before uh
now president biden was named the eventual nominee was making sure that all 20-something presidential campaigns had access to state-of-the-art resources they knew who the contacts are they know what the priorities were and you hear the top 10 punch list things that you should do right now to make sure that no matter what size of your campaign that you were set up to succeed because one of them was going to eventually be our nomination and so we were trying to support all of them at the same time and make sure they all had these standards and practices so that whoever was going to be our bosses eventually when they won the nomination that they were going
to be set to go and then really to succeed that's great so one of the biggest jobs during a campaign is fundraising it's a huge job it's a massive job in fact i would say that most campaigns spend most of their efforts trying to help gain fundraising and then doing some earned media to be able to persuade voters will what's it like being a vendor working in this campaign space what challenges did you have fascinating for a start i will say i'm a relative newcomer to the uh political space and to the country as you might have heard uh and i joined act blue uh naively at the beginning of 2020 uh thinking that it was going to be uh you
know lift and shift from every other organization that i've run security in before and that i would face similar challenges not only were we dealing with a global pandemic which obviously introduced its own challenges but i think most people will agree that we've entered a period of polarization in the states that probably hasn't been seen for quite some time and that really introduced a whole bunch of other areas of concern that i had never had to previously deal with in previous roles so things like disinformation campaigns that uh you know would would sidetrack us for weeks um and uh take take energy and effort that we were expecting to put into other areas um constant attempts at disruption trying
to prevent that flow of money from getting from you know largely small dollar donors around the country um to to the campaigns that they are supporting and trying to make that difference um so yeah it was a it was definitely a wild ride for us um thankfully we didn't have any any major incidents we had no uh uh you know significant problems um certainly not at the sort of 2016 scale which was a real testament to how everybody in the ecosystem worked together one of the things that we were extremely grateful for was the close collaboration with the dnc and other uh not only other major committees and campaigns in the space but also other vendors
i think we we had a collective mission and goal um and it meant that we were able to uh really lean on each other for support in those in those times of need um sorry my mind's just gone blank we can uh we can erase that section um one of the uh the other areas that was problematic for us uh i don't think many people necessarily realize that act blue is essentially infrastructure uh fundraising infrastructure but not just for democratic campaigns up and down the ticket from federal and presidential all the way down state local we also allow fundraising for non-profits and progressive organizations which means that we have a whole array of different uh groups that
are fundraising through us and different individuals that are looking to donate to those groups so we had a whole array of additional challenges last year surrounding some of the racial justice movements that meant that there were a lot of people that were very angry at what we were doing which made it particularly troublesome for us that's really great i myself work for civis analytics we do data analytics for amongst other people many democratic campaigns we found that the best way that we could help campaigns was by making changes to our software to make it so that campaigns could be secure by default mandating two-factor authentication we could monitor users to see if they were or were not using
two-factor authentication and if they weren't i could ping matt and say hey please get your users to turn on two-factor authentication um that's to me one of the bigger changes between what happened in 2016 where i was working for the clinton campaign and five years later when all other changes have happened i'm sort of wondering um matt and krishnan we've talked before in the past about the idea of software archaeology where every four years campaigns have to resurrect dead code dust it off and sort of wonder what it's like can you talk about that process yeah krishnan do you want to do you want to start here because i think i think dnc ends up being the the primary
stakeholder on that well yeah and i think so it's interesting that right because you know we just had a major election cycle kind of finish up um and you know one of the things we're doing at the dnc is kind of going through this process of looking at all of the sort of the products that the bfp side made um and trying to figure out you know which of these things do we sustain which of these things do we just you know uh sort of you know this deprecate which things do we turn off um and yeah you know the and and to come to to make it difficult right the dnc has its own engineering
team right so we're also trying to figure out like what are the products we want to build out um that kind of you know sustain these boom and bust cycles right these four-year kind of presidential cycles and so it's kind of one of these things where you know right now we're in this process of you know figuring okay how do we integrate some of the bfp stuff into our current you know roadmaps that we've built out um and really build out uh we can kind of sort of be this place where you know campaigns can come to and like use our products to service as opposed to having to build out the products themselves you
know from scratch every four years but it's really not every but it's it's not they have like four years to do it right they literally have like maybe 18 or 24 months really um but even then it's even shorter than that because you're not gonna have a full-scale engineering team for maybe about only about six of those months right so you're really thinking about like small window of time how do we sort of make sure that they're only building the things that are absolutely necessary for like a bespoke reason i think that's one of the problems we're trying to solve at the dnc side but again it's not just uh something that dnc uh you know works on
itself right we have great vendors such as act blue and civis right who also can have contribute to this right we don't want campaigns to be building out their fundraising infrastructure right we don't want you know campaigns to building on data analytics pipelines right these are all things that we think you know should be you know uh sort of uh infrastructure that anybody in the ecosystem can kind of come to and use um and it also has the security impact as well right because again if you're not you're not building bronze level uh bronze medal code anymore right which is still good right um you know you're building look you're building code that you know has
been has been worked on for years that many eyes looking at it and these are not sleepy eyes right these are folks you know who are you know working in the off cycle when you know there's like more rest um people are you know more engaged um and can you know actually yeah make sure that we're not making any errors at that point in time yeah i'd probably just like drive that that last point home even more um as a response to like what has changed over the past five years what's changed since the previous cycle um you know we we've seen a pretty a remarkable explosion of vendors entering the democratic political space which is in
my opinion phenomenal um you know if if anyone ever listens to me on other platforms all i'm doing is yelling that presidential campaigns need to stop building software um it's like somewhat ironic because my job at the biden campaign was to lead a team to build software um and i and i'm very adamant that campaigns need to be doing less of that um because if you're building technical products the the two most valuable resources that you could have are time and people and uh campaigns will give you neither and then they'll take them all away so um you know when we when we talk about this bronze medal software being built in-house at presidential campaigns it's
bronze because you're going very very fast with a team that's like 20 the size it should be and then you stand it up very rapidly and then you tear it down very rapidly you give it to allison and krishnan and then they have to decide like okay where where is the like devastating time bomb in here that one one of them accidentally put and uh is it worth keeping alive or is it worth or should we just you know throw it in the raw pile um and then another election happens in just a few months and uh you haven't had much time to improve that software and so either you stand up what was kind of
uh rickety from two to three years ago or you start from zero again and just rinse repeat that again um with the explosion of vendors in this space who can actually invest long-term uh people and hours to building products it it fixes a lot of that um which is great you know it creates tools that i would say are silver or gold medal i'm a big fan of more gold medal software in this space um but i think it also creates a new security challenge in that the surface area is now much larger now instead of having the dnc in a presidential campaign and one or two vendors that you you're worried about a security posture
you have the dnc a presidential campaign and 65 vendors that you have to worry about the security posture and each one of those vendors is a new vector into either the dnc or the campaign that they're working with yeah i mean i think that that's yeah so that's krishnan i'm probably probably thinking the same thing i am the the vendor space really has exploded in the next couple years which is awesome um but then also i think as the dnc is a place again for us to push out standards um and make sure that those vendors in the space as they're coming up and developing their product and selling to campaigns and really building their their base of users that
they are doing it at gold standard in terms of cyber security as well as uh their their infrastructure as well krishnan do you have anything to add on that yeah i was going to say we use this term vendor right and i think when most people think vendors right they think of you know a large organization right but in the campaign space right a vendor could literally be a single person with a laptop whose best friend works you know on the campaign and and the broken the campaign like hey we need you know you to build something so it's like hey i'm a software engineer i can build this for you that's a vendor for us right and
this is actually more common not right it's one to two people they know folks in the ecosystem they want to contribute right um but again giving the short time frames right cyber security oftentimes is not the top of mind thing to that for them and so a lot of what the dnc does is we want to introduce standards we want to kind of ensure that folks are you know practicing good cyber security hygiene even at the one and two person level but even more so you know at the you know civis and act blue level which have hundreds of people right i do also want to pivot to some of the other things that have really helped us
in the last couple of years one of which is we call the ddc defending digital campaigns which is a bipartisan organization that takes advantage of the fec's ruling uh that cyber security can be be sold at a discount or and or free to um federal campaigns um this was huge for us last year um because if we go back to that that problem of all right so you're getting all this money for your campaign but it's probably going to be spent on folks and staff probably not cyber security well one way we can we can we can whenever we were talking to campaigns saying like all right you need to buy all these things and then they'd ask us how much it costs
um the ddc and this and the fec allowed us to point them to a place where it was either heavily discounted or free um for example uh security keys we deployed out security keys to 70 80 percent a huge percentage of staff for free um which is amazing because that's i mean that's a lot of money in terms of like campaign but then it's also like making sure that folks are actually using them um and enrolling their their their devices and things like that um krishnan i don't know if you want to dive into that as well yeah no i mean in terms of numbers right you know the dnc we were all all staff
were required to use security keys right so 100 compliance on security keys on the dnc side on the coordinated campaign so this is the the zero to three thousand back to zero and three months of fund organization right i think we go we got like close to 80 and really the main reason why we couldn't get to 100 was just logistics right in those last couple of weeks you're still hiring people like literally the day before the election right you're hiring people you're on boarding them you're giving the accounts it's as hard to get those people you know security keys when it takes you know four to five days to get to their place um you know and you know
getting time to onboard them as well so uh you know it's given the logistic challenges right i think we did you know pretty well but um we kind of uh of course our goal is to you know get to 100 compliance you know i think in upcoming uh campaign cycles yeah for sure and like four to five days shipping doesn't seem like a big deal but in campaign world that's a lifetime um we were on boarding people every single day by the dozens or hundreds uh every single day we were on boarding hundreds of people uh because every single day mattered um every single day is thousands and thousands of voters you could have talked to so
uh when towards the end when we were again scaling up um i think things were just getting stuck in the mail we just didn't have the time to get them a security key into their machines but we got 100 at staff which is really great um and really when we're saying 80 of thousands of people in a remote environment where we never touched their things i think was a huge testament to our staff actually for them to understand it take it seriously and then take that action um i think kudos to them to help really understand that it it wasn't me or krishnan it was all of them yeah and there's one more thing on the
logistics piece right you know if you talk to anybody in the democratic ecosystem about the dnc security team they'll probably tell you about security key shills and the second thing they'll probably tell you is we're chromebook shills right and you know the we we made it such that you know every we wanted all staff to be using chromebooks whenever possible right and unless you're willing you know to come up to the security team and give a good justification about why a chromebook wouldn't work you're going to use a chromebook um and of course during the pandemic guess what there were shortages of chromebooks because it wasn't just the the we weren't the only folks here
who were trying to figure out how to deal with remote situations a work from home situation and how do you kind of defend your organization you know from a cyber security perspective right you had you had you know uh schools you had you know non-profits all these organizations who typically use chromebooks right um we're also putting in massive orders as well at the same time that we were and it came to a point literally where i think we probably were fighting with you know like uh school kids chromebooks right we were calling up you know every reseller across the united states trying to figure out when the next like pallet of chromebooks would arrive to them and
i'm pretty sure we were competing with kids who didn't get chromebooks i'm sorry if you're a kid if you're a high school middle school elementary school student who's watching this didn't get your chromebook i apologize it was all small but hopefully it's for a good cause hopefully was for a good cause yeah i mean the chromebook market was hot this summer uh that was uh i mean we could identify which shipping container all of our chromebooks were stuck on we were absolutely competing for that but um yeah that was another thing and then i mean we can talk about the security checklist so we required all of our staff to go to the security checklist uh if you want to
take a peep at it we have it on democrats.org security um and it's something that we we require everyone to go for go with and we would spend hours of like office hours walking people through this and matt i know you can talk about this as well and it's open krishnan and really onboarding people into doing those basic hygiene of two-factor making sure you are using your password managers correctly and then security keys walking people through security keys and how they work um i can't tell you the number of times we would do a security a consultation and someone would be like yeah i got it but i stuck it in my computer and it didn't do anything and
then be like okay well you gotta do this and then all these steps and then explain it to them on how that would happen and then they would understand that they'd be like okay god now i got it but like um it really i think that that's something that the security industry really needs to to work on is like people get this thing they stick it into their computer and nothing happens um how do we make that easier how do we make that where they don't have to turn it on and go through a bunch of slabs and click this and click that how is it just on from the get-go and they have to work really hard to
undo it um instead of having to work really hard to turn it on and like i heard this from from folks doesn't matter what what what what their role was everything from lawyers to a new field organizer to uh just staff in the middle like how do we do this thing i got this thing what do i do with it everyone else have opinions about checklists and the security i i would add that um you know so my role on the biden campaign was to uh lead a team of software engineers i was not officially a member of any security organization within within the campaign but by my nature of of being someone technical it became a de facto responsibility not
only of mine but everyone on my team you know as we as we've kind of mentioned a few times already is the dollars need to go to votes the dollars need to be spent on basically uh getting people to vote running ads to get them to vote which means you're not spending dollars bringing on a large it or security team on the campaign so to fill that void um you know we had to deputize the software engineers you you know you know a lot about computers now you know a lot about security keys because we need you to go teach the rest of the organization how to do that and i think that's a unique uh challenge in
this space in that um more private sector corporate environments can really make that investment whereas like again the time and people works against us um in in a presidential campaign and so why this was extra hard is because it wasn't everybody's primary job it was everybody's high high priority secondary job and there's only so many hours in the day so when you're trying to onboard again those two 3 000 people who just got here in the last few weeks you've never met them in person you're never going to meet them in person and they're working out of their apartment um it's it's part of the reason why i think i think you said some of security keys
got stuck in the mail i think some people just didn't get to have that like hang on that they really no i know that too yeah they stuck it in and nothing happened and they were like it's fine i'm gonna go talk to more voters yep you know 30 minutes 30 minutes on the phone with one of us on a help desk they could have gotten 10 people to go vote so think about it that way that's that's how that's how an average field organizer is thinking about their time i do think it actually added uh or brought up an interesting point um which is that within the political space you're also fighting against they're
trying to work alongside the the sec and their also like the fec and their requirements so as allison mentioned the ddc got this uh um a judgment that said they were allowed to offer these things at a discounted rate um if they don't do that it counts as a donation in kind and that brings all sorts of all sorts of problems and there's a whole array of sort of legal frameworks and compliance regulations there that also need to be taken into account on top of all of the cyber security uh issues that we're dealing with right right well you don't you don't want to add fec jail's real jail that's what we always tell people like you don't mess with it
yeah it turns out fec jail is just federal prison so at all this you guys have already talked about what was like for part of the pandemic work but the real job of a campaign as allison you were saying is is to change and get voters and clock in voters like and getting donations how do you feel that the pandemic really changed all of our jobs yeah i mean i wasn't working in the field and huge i mean props to everybody who works field and digital organizing this last year because they really had to make it think of it on the fly and i i cannot say that they reinvented organizing enough because they really did um all
the fundamentals of okay you go knock on somebody's door went out the window because you could knock on somebody's door um but i think the the principles were the same and they really used the tech and the tools and what they had to make it scrappy and harness the energy that we were feeling from volunteers and folks on the ground who wanted to go talk to voters and make sure that they voted for joe biden kamala harris and democrats up and down the ticket across the country um and making sure that it was successful um and so that was a huge challenge and really finding and and i think security and i.t and all of our all of our skill sets including
all the software folks uh we were really pushing in the same direction because we were faced with this unprecedented challenge so we didn't want to create more problems we really truly wanted to solve them for the staff who was reinventing how to organize and how to win a campaign so with our last five minutes i think maybe we can do a quick lightning round about what do we want to do going forward what's 2022 look like uh and beyond so why don't we start with will sure so uh the 2020 cycle brought unprecedented engagement uh from small dollar donors around the nation um i think act blue raised uh something like five billion dollars um over
133 million different donations a vast number of those people donated for the first time and it made a a sizable difference to to the outcome we want to empower small dollar donors around the nation to be able to continue to get get involved and make their voices heard but we want to do so in uh you know as secure manner as they possibly can so for us it's really uh continuing to innovate on our product make sure that we make it as easy for people to donate as possible but making sure that security is baked in from the ground up krishnan you want to build on that
i think we it would be a lost opportunity we didn't put a plug in for the fact that you know we're we are all hiring right so we're looking at 2022 and 2024. um all of our organizations are looking for you know talented staff on the dnc side around the technology team we're looking for software engineers product managers security engineers i.t staff um and so if it's something that you feel dedicated to cause you wanna jump in you wanna get your hands dirty and you know help elect democrats across the country this is the time to do so right it's not six months before the election right when you know everyone is thinking about the election
it's you know 24 to 36 48 months now right this is the time to actually build out that infrastructure so that when we're you know going through that crazy startup phase we have the the sort of the foundation to build off of i'd say quickly you know top of mind right you know for me it's looking towards the next two and four years um you know i think in the last cycle up to 2020 um everyone kind of understood cyber security just because everyone knew what happened in 2016 right and there was kind of collective feeling that we didn't want to see that happen again and so when you said cyber security people was nodded their heads
intuitively um i think all the work we did you know had a positive benefit right we didn't have a major incident but my fear is that now folks are thinking that cyber security the problem is solved right look we went four years no no major problems um we must be doing things well okay cyber security guys go back to your corner and uh and and you know we'll bother you every now and then and so one of my fears is that that same level of this paranoia has kind of gone away because of a lot of the great work we did right it's kind of like a it's a weird conundrum to be in and so one of
the the things i i we i'm trying to do is figure out how do we kind of ensure that cyber security is still top of mind in 2022 in 2024 because guess what the threat actors are still coming after us right nation states criminal groups they aren't letting up um and we need to make sure that you know we are taking cyber security just as seriously as we did yeah that's great matt do you have any thoughts about the what's i don't know what what does the warfield war field look like against us and the other side yeah i mean so it's kind of it's kind of a mismatch it's kind of a disbalance here because one of the
things that we have to do in the political space is we actually have to report to the fec every dollar in and every dollar out and what every dollar out means is we have to report who are the vendors we're paying to do work for us and while we we would never be advocating for a purely obscurity oriented model of protecting ourselves we have to file every single month and say we paid this organization for this service and it's publicly available and anyone can go look at it turns out that's a really easy and convenient place for uh malicious actors to go and figure out where where our uh attack surface area is um so
in addition to to plugging that uh the space itself is hiring the vendors are certainly hiring as well and please go go bring your technical expertise to all of the vendors in this space because um as i said i i i'm pushing for campaigns in the dnc to build less tech and for these enduring vendors to build more so um you know thinking about bringing in talent outside of the obvious spaces is where we really need to devote a lot of our attention as well thanks hey allison would you like to put in your thoughts i know you have them i have lots of thoughts um i mean just to piggyback on what i think everybody's saying is like you
know making sure that the culture that we've built and you know every 2016 shook everybody awake and everyone was really pushing as hard this last year to make sure that it didn't happen again but making sure that this culture doesn't doesn't end and that we continue it even in off cycles even though there is no off cycle now um and we are still very much in active campaign mode in multiple states um yeah making sure that that that culture still exists and then also making it easy to uh do these security best practices how do we push to make some of these things more intuitive uh secure by default like making sure the security keys are easier
to use making sure that it's harder for people to opt out of these things and it's just like baked into having an account you have two factors as soon as you set it up uh and and and really just making it more user-friendly so that we don't run into the problem of uh this thing what am i gonna do with it i'm gonna toss it in the corner and not worry about it for a minute for me i think that the most important thing that we can do besides please anybody join one of our teams is to make sure that we get as many people as we can to come out and vote because a big part of our playing field
that we have to deal with is that our playing field itself is controlled by politicians who make laws that somewhat skew the the playing field so with that i think that's the end of our panel i'd like to thank all of our panelists and i'd like to thank bsides las vegas for inviting us to come and speak