CNET’s Dan Patterson interviewed Chris Wilson, CEO of WPA Intelligence, about how state campaigns combat cyberattacks before midterm elections. The following is an edited transcript of the interview.
Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Dan Patterson: Chris Wilson, first tell me what states are you working in, and how are these states defending against cyber attacks?
Chris Wilson: Okay, well, in terms of states that I’m working in and my firm is working in, pretty much all of them. We’re doing work everywhere from Alaska to Texas, up to New England, down to Florida. Myself, I focus really more on the Senate and gubernatorial races, so I’m involved in Arizona, Nevada, Montana, North Dakota, going down Oklahoma, Texas, Missouri, Ohio, Tennessee, and again Florida. Those are kind of pretty much all the major competitive races, I have some level of involvement in or at least try and pretend that I do.
And then in terms of what we do from a data security standpoint, there’s a lot that goes into that. It’s not my area. I actually hired somebody from state government who had run for a Midwestern state and been in charge of all the data security operation for them, to come do that for us. Just to go through some of the top-line, high-level stuff.
We do things like rotating encryption keys, double-factor authentication. We make sure that all of our AWS instances are segmented by clients, so there’s no commingling of data. Even though we keep all of our voter file information together, all the client information is separate, so if somebody were to hypothetically try and get into our Arizona file or the Texas one, there wouldn’t be one. If they even got into one, they wouldn’t be able to get into both.
SEE: Network security policy template (Tech Pro Research)
And then I think, most importantly, for our data science team, they all have hard keys, so if they were to hypothetically lose their laptop, or if something like that were to occur, even if there was an attempted breach on some of our security, we would be able to control that from our offices and make sure that it was mitigated.
I feel like we are doing all that we can do. As hackers learn to do more, we always have to try and stay one step ahead of that, and there’s probably new things being done today that I’m not even aware of.
Dan Patterson: Of the battleground states, which states are most vulnerable to cyber attack?
Chris Wilson: Well, that’s tough for me to say because I would say, from my role, I don’t really see a lot of it. I get little reports in the morning where Dave, who is our Director of IT and Security, will say, “Hey, we had somebody try and hack into this or do this.” It’s almost a daily basis, but there’s nothing that’s led me to believe it’s a fuzzy-bear type of instance or something like that, like the DNC had happen from Russia. That’s for us.
I would say, in terms of security, I think what you have to do is you have to look at the campaigns themselves and see which of the campaigns are maybe least sophisticated from their operations. And these campaigns that are run, particularly in an off-year election like this, non-presidential year, a lot of them are run by people who don’t have a lot of experience when it comes to technology. A lot of these are smaller campaign efforts. You can look at a U.S. Senate race, for instance, in Montana, and I wouldn’t put them that way because the campaign manager for Matt Rosendale, the Republican nominee, is a guy named Sam Cooper, very smart, very talented, worked with me on the Cruz campaign.
But I would say typically they probably have less than 10 people there. If you didn’t have somebody like Sam, who is able to monitor what’s going on, and didn’t have a level of awareness, you might have concerns. I’m not concerned about any of the races, I would say, that I’m involved in, but if I were to look around the country and see some of these smaller efforts that maybe don’t have anyone who’s been involved at a presidential level in the past, those are the ones and look at and say, if I were trying to hack, not that I want to give advice to that, I’d probably focus on one of those races.