President-elect Emmanuel Macron became France's next leader in a landslide victory that was boosted, at least in part, by his campaign's muscular cybersecurity strategy. Macron's triumph is a teachable moment for enterprise.
On the Friday before France's runoff election, a huge story dropped. It came hours before the almost two-day media blackout that France mandates before elections. The Macron campaign had been hacked. There was a massive data dump.
How You Do Cybersecurity Is Make-or-Break
Macron faced a problem not unlike the one that hit the Clinton campaign 6 months earlier--a bombshell.
But Macron didn't win because the news went quiet, and he didn't win because France doesn't have anything even remotely resembling Fox News. And while the pundit class in France is different, that's not why he won either.
For those of you who enjoy nuance and the rigors of reality--don't worry. I'm also not going to say Macron won because of the way his campaign handled its cybersecurity. It's impossible to know that. But I will say that had Hillary Clinton's campaign brought the same foresight to their cybersecurity measures, it is somewhat more likely she would have been the one to take the oath of office this past January.
Those of us interested in cybersecurity were underwhelmed by the amount of air time the issue got during most of the 2016 campaign, but worse was the empirical evidence that the Democratic candidate--famous for an email security problem--was clueless about cybersecurity.
Consider: John Podesta was hooked by a phishing email. And yes, teaching your staff how to avoid the snares of social engineering (the hacking term for tricking a person into doing something that renders a target vulnerable) is an integral part of good leadership.
Think: "General Competence."
How to avoid "getting got" is something you want to see in a candidate--whether they are running for office or they are up for a job.
Back to the hack: Mounir Mahjoubi, the head of Macron's digital team, was aware five entire mailboxes had been stolen, including personal accounts.
Two independent cybersecurity firms had already reported separately that the Russian hacking group known variously as Fancy Bear, Pawn Storm and APT 28 (or Advanced Persistent Threat 28), appeared to be targeting the Macron campaign. The group has connections to Russia's GRU, the same military-grade hacking entity that went after the Clinton campaign.
In March, Trend Micro identified a phishing domain designed to look like a storage URL used by the Macron campaign. It was similar to other exploits put out there by Fancy Bear, but again there was no conclusive evidence the Russian group was behind the attack. In fact, the Cyrillic characters found scattered among the metadata leaked on the Friday before France's election could alternatively be read as a red herring intended to fit the news from six months earlier, and mislead cybersleuths.
Hey, for all we know, hackers working at the behest of friends of (friends of) Trump are the culprits. Russia certainly has an interest in a destabilized European Union. But then so does Trump. And for that matter so does the UK's Prime Minister Theresa May, which all leads to this very obvious statement: while it matters who did it, it also doesn't entirely matter who did it.
When you are getting attacked, survival is the only thing that matters. Macron won. That's the big news here.
How'd They Do It?
Surviving the release of nine gigabytes of data from your party consisting of email and other documents dumped in a pastebin location on the eve of a runoff election is no mean feat.
When a military aircraft has been targeted with a heat-seeking missile, one of the evasion tactics is to fire a decoy flare. The Macron campaign did something similar with their data.
According to reports, Macron's digital team created dummy accounts, or honeypots, that looked like an individual's account with top level information from the campaign, but much of the contents was fake--planted specifically to render a data dump confusing, if not useless, since it would take a tremendous amount of time for reporters and citizen journalists to sort out the real from the fake.
It bears (no pun intended) repeating: The reason the eleventh-hour story went nowhere was because the Macron campaign had a plan in place: they made sure anything stolen would be difficult to use. It was a brilliant cybersecurity countermeasure.
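One way a defender could later separate planted documents from genuine ones in a leaked dump, shown as an added example that is not from the original article or the Macron campaign and that goes beyond what the article describes: each decoy carries a keyed HMAC tag in an ordinary-looking footer, while genuine documents carry a random value of the same shape. The footer format, document ids, key and sample messages are all constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

TAG_HEX = 16  # hex characters of the HMAC kept in the footer
REF_RE = re.compile(r"^Ref: (?P<doc_id>[A-Z0-9-]+)/(?P<tag>[0-9a-f]{16})$", re.M)

def decoy_tag(key: bytes, doc_id: str) -> str:
    """Keyed tag that only the holder of `key` can compute or verify."""
    return hmac.new(key, doc_id.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]

def add_footer(body: str, doc_id: str, key: Optional[bytes] = None) -> str:
    """Planted documents (key given) get an HMAC tag; genuine ones get a
    random value of the same shape, so the footer alone reveals nothing."""
    tag = decoy_tag(key, doc_id) if key else secrets.token_hex(TAG_HEX // 2)
    return f"{body}\nRef: {doc_id}/{tag}"

def classify(key: bytes, text: str) -> str:
    """Return 'planted', 'unverified' (footer present, tag not ours)
    or 'no-marker' (footer missing or stripped)."""
    m = REF_RE.search(text)
    if not m:
        return "no-marker"
    expected = decoy_tag(key, m["doc_id"])
    return "planted" if hmac.compare_digest(expected, m["tag"]) else "unverified"

def triage_dump(key: bytes, dump: Dict[str, str]) -> Dict[str, str]:
    """Classify every document in a leaked dump, keyed by file name."""
    return {name: classify(key, text) for name, text in dump.items()}

# Constructed demo key and messages; a real key would come from a secret store.
KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_DUMP = {
    "msg-001.eml": add_footer("Budget draft attached.", "FIN-0001", KEY),  # decoy
    "msg-002.eml": add_footer("Lunch on Tuesday?", "GEN-0417"),            # genuine
    "msg-003.eml": "Forwarded note with the footer stripped.",
}

if __name__ == "__main__":
    for name, verdict in triage_dump(KEY, SAMPLE_DUMP).items():
        print(f"{name}: {verdict}")
```
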
I've long advocated lying as a strategy for keeping people out of your stuff. Fake security answers are the classic measure. The idea is simple. Obsessive over-sharing on social media makes it pretty easy for a scammer to discover helpful facts about our lives--often enough to correctly answer security questions, but not if you answer them incorrectly.
It's important when protecting your digital assets to think like a spy--figure out what information they need or want and then make that information difficult to get and/or put to use if they happen to gain possession of it.
And it's crucial to be tactical in your approach to risk. Developing an offensive security management protocol is now de rigueur. It's time to go beyond a proactive cybersecurity plan: You need to attack. Put the digital equivalent of an ink bomb in the money bag.
Creating bad information designed to be stolen is part of the new ultimate breach preparedness plan. Of course, it is important to remember that the "ultimate" plan changes all the time. The key is having a basic approach that can be adapted to new circumstances, something I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves. I call it the three Ms: Minimize Your Exposure, Monitor your personally identifiable information (PII), and Manage any damage that happens when your defenses (or those of the businesses and government agencies that collect and store your PII) are insufficient to protect against the threats out there.
A big part of the first M--minimizing your risk--has to do with reducing your attackable surface. Your attackable surface can be anything: an IoT device, an outdated system or an employee who has not been trained to maintain good cybersecurity practices.
Your company is only as secure as your least secure employee, app, or attitude.
Distorting your attackable surface--the essence of what Macron's campaign managed to do--is a natural evolution of the three Ms. The tactic did double duty, since it also managed the damage: The data stolen was difficult to use.
Good security is all about the right attitude. So, may the best hacker win. (Just let it be you.)