Building a secure movement: 3 cybersecurity essentials for campaigns in 2026

Learn the three essential cybersecurity steps for political campaigns. From account authentication to AI risks, discover how to protect your campaign’s data for free.

May 20, 2026

When you’re running a political campaign, you’re building a complex structure with a team of varied backgrounds and skill levels. In that environment, there is always more to do than time or resources allow. Digital security, the virtual fence protecting the integrity of your campaign, often gets deprioritized.

Modern campaigns, defined by new digital strategies, the prevalence of artificial intelligence, and a 'BYOD' (Bring Your Own Device) culture, have created massive vulnerabilities. Handling sensitive data and millions in donations with a fast-moving, often volunteer staff makes campaigns 'high-risk technology users' on par with investigative journalists and global NGOs.

Defending Digital Campaigns

Defending Digital Campaigns (DDC) stepped in to fill this gap. The organization was founded in 2019 by a bipartisan team, including the campaign managers for Romney’s 2012 and Clinton’s 2016 runs. DDC is a non-aligned, nonprofit C4 organization that provides free access to cybersecurity products, services, and information to eligible campaigns, committees, and state parties, regardless of party affiliation. Over 1,000 campaigns have been protected since 2019, with more than $12 million in donated cybersecurity products.

I spoke with Tiffany Schoenike, head of Strategic Initiatives, and Michael Kaiser, President & CEO, about the three core cybersecurity protections campaigns of any size can implement. They also shared how AI is shaping the landscape and creating new vulnerabilities, and how to hedge against these new threats. 

What are the three core protections for campaign cybersecurity?

The DDC framework boils down the essentials of cybersecurity for campaigns into three core protections.

1. Account authentication

All those sites implementing two-step verification aren’t doing it just for fun. Account security for the many services your campaign uses is vital, and multi-factor authentication and passkeys are two of the lowest-lift but highest-return security measures. Enabling them on all your accounts is important, but on the core CRM, website, email, and finance software it is critical. Utilizing an all-in-one platform like NationBuilder minimizes the risk.

“Strong authentication is number one, we highly recommend turning on passkeys for any account that really offers it.” - Michael Kaiser

In 2024, Iranian state actors compromised a third-party account with access to the Trump campaign's systems, then used it as a launchpad to send phishing emails to campaign officials directly. Once inside, they caused significant damage. Strong authentication, like passkeys and hardware security keys, adds extra barriers to prevent this from happening.

 DDC recommends and provides free of charge:

2. Website security

DDoS attacks are a common threat vector for malicious actors looking to disrupt a campaign’s operations. Many website platforms like NationBuilder and Squarespace provide DDoS protection. Cloudflare for Campaigns, which covers enterprise-level DDoS attacks and other vulnerabilities, can be obtained through DDC, and a free basic level is available for any website if you're on a platform without DDoS protection.

This threat was highly visible during the 2024 election cycle. Cloudflare blocked more than 6 billion malicious requests targeting a high-profile campaign website over eight days, with attacks peaking at 700,000 requests per second. Georgia's Secretary of State Brad Raffensperger saw the same playbook unfold when hundreds of thousands of IP addresses from multiple countries attempted to knock the state's absentee ballot site offline the day before Election Day. Campaigns relying on unprotected platforms had no recourse. Those using platforms with built-in DDoS protection, or services like Cloudflare for Campaigns, stayed online.

3. DMARC & email integrity

A lot of ink was spilled over the new DMARC (Domain-based Message Authentication, Reporting, and Conformance) requirements in 2024, and for good reason. Google and Yahoo introduced a requirement that campaigns sending email to over 5,000 recipients have an active DMARC record, or their messages risk being sent to recipients’ spam folders en masse.

DMARC increases email trustworthiness and security overall, and campaigns must take the time to set it up if their recipient count is above 5,000.

“What we see... is that campaigns actually do DMARC a lot of the subdomains they're using for sending, but they're not DMARC’ing the primary domain of the campaign... which is problematic because that's the domain that would be spoofed.” — Kaiser

To combat this, DDC partners with Valimail to boost DMARC and SPF security, providing DMARC protection and authentication for both the subdomains and the root domains used for email sends.
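The gap Kaiser describes, enforced subdomains next to an uncovered primary domain, can be checked mechanically. The following is an added example, not DDC's or Valimail's tooling: it evaluates DMARC coverage over constructed TXT records for the hypothetical domain example-campaign.org, and it assumes the root domain is passed in by hand rather than derived from the Public Suffix List.

```python
# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_TXT = {
    "_dmarc.mail.example-campaign.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example-campaign.org",
    "_dmarc.give.example-campaign.org": "v=DMARC1; p=quarantine",
    # No "_dmarc.example-campaign.org" entry: the primary domain has no record.
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: "v=DMARC1" must be the first tag and "p" is required.
    # Simplification: a record without "p" is treated here as absent.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        return None
    return tags

def effective_policy(domain, root, txt_records):
    """Return (policy, source_domain) applied to mail claiming to be from `domain`."""
    own = parse_dmarc(txt_records.get(f"_dmarc.{domain}"))
    if own:
        return own["p"].lower(), domain
    if domain != root:
        # Subdomains without their own record inherit from the root: "sp", else "p".
        org = parse_dmarc(txt_records.get(f"_dmarc.{root}"))
        if org:
            return org.get("sp", org["p"]).lower(), root
    return None, None

def audit(root, subdomains, txt_records):
    """Map each domain to a finding: UNPROTECTED, MONITOR ONLY or ENFORCED."""
    findings = {}
    for domain in [root, *subdomains]:
        policy, source = effective_policy(domain, root, txt_records)
        if policy is None:
            findings[domain] = "UNPROTECTED: no DMARC record covers this domain"
        elif policy == "none":
            findings[domain] = f"MONITOR ONLY: p=none from _dmarc.{source}, no enforcement"
        else:
            findings[domain] = f"ENFORCED: {policy} (record at _dmarc.{source})"
    return findings

if __name__ == "__main__":
    subs = ["mail.example-campaign.org", "give.example-campaign.org", "events.example-campaign.org"]
    for name, finding in audit("example-campaign.org", subs, SAMPLE_TXT).items():
        print(f"{name:32} {finding}")
```

Publishing a record at the root with an `sp` tag changes the result for both the root and any subdomain that lacks its own record, which is why the primary domain is the one to fix first.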

“Typically, campaigns have their SPF record set up correctly, but they don't have it protected. It's a little complicated, and we walk them through that,” says Tiffany Schoenike.

The DDC framework isn't about building a digital fortress; it's about basic perimeter security. Think of these three core protections as the posts, the rails, and the gate of your campaign’s fence.

  • Account authentication: The lock on the gate
  • Website security: The fence’s integrity
  • DMARC: The ID check for anyone trying to enter 

How is AI increasing campaigns’ cybersecurity risk?

As AI tools increase in breadth and sophistication, it becomes easier for malicious actors to personalize their attacks at scale through “spear phishing.” These attackers can use AI to harvest public data from FEC filings, enabling them to create more convincing fake email or SMS phishing messages.

Additionally, AI allows malicious actors to more easily mimic vendors and create convincing false invoices. The ability of AI to extract data makes ransomware attacks even more dangerous, as vulnerabilities are more easily exploited. 

“AI-generated phishing campaigns have a much higher click rate than traditional campaigns... [Attackers] can come and look at my professional affiliations, where I went to college, where I came from, and start to craft a personal email at scale.” — Kaiser

The same Iranian operation that hit the Trump campaign in 2024 attempted a near-identical spear phishing attack on Biden-Harris campaign staffers. The FBI confirmed both attempts, but thanks to cybersecurity measures that were enabled, only one of them succeeded.

How can you protect your campaign or party from increased cybersecurity risks from AI?

Create a campaign or party-wide AI policy and publish it for all staffers and volunteers to see and acknowledge. DDC created a secure AI toolkit to walk you through how to do this. Ensure that it has clear guidelines on how and when to use AI, which platforms are acceptable, and where to go with questions. And stay in the sandbox. Enterprise or closed models don’t use your data to train their model, and often have built-in input guards to add greater weight to data that you provide yourself.

“We really encourage people to have acceptable use policies... and to think about staying inside platforms. If they're in Microsoft or Google, there are tools in there like notebooks that they can use, which are closed environments.” — Kaiser

Many campaigns have a "BYOD" (Bring Your Own Device) culture. Staffers using personal ChatGPT accounts on their devices to produce campaign products is a major data leak vector. This could mean your prompts and sensitive data end up informing answers to other users' questions, or worse, your data is exposed. Ensure everyone who joins the campaign is aware of the risk and follows acceptable guidelines.

Security as campaign infrastructure

Cybersecurity doesn’t have to be an annoying hurdle. When your "virtual fence" is reinforced with strong authentication, a shielded website, and a locked-down domain, it actually enables your team to work faster and with more confidence. It helps protect your campaign staff and your candidate’s credibility from those who wish to steal, ransom, and discredit.

Under the FEC advisory opinion (AO), federal campaigns (presidential, U.S. House, U.S. Senate), national party committees, and state parties are eligible for Defending Digital Campaigns’ free donated services with no in-kind reporting requirements. DDC has received similar advisory opinions in multiple U.S. states and is actively preparing campaigns for the 2026 midterm elections. To learn more about how they can provide free resources for your campaign, you can reach out to them directly or visit defendcampaigns.org.


Taylor Green

Content Marketing Specialist - Long Form 📍 Atlanta, Georgia, USA