Mick Baccio: “Start securing your personal digital crown jewels – and those of your family”

Cybersecurity lessons from the first CISO of a presidential campaign

With just four months until election day, the US presidential election campaign is running at full speed. This brings concerns about cyber threats, nation state threat actors, and generative AI at the top of everyone’s mind again. Without getting caught up in cyber anxiety-inducing discussions, how can we realistically prioritize what to worry about? We talk to Mick Baccio, Global Security Advisor at Splunk SURGe, at Splunk’s .conf24 in Las Vegas.

Between 2015 and 2018, Mick Baccio served as Branch Chief of the Threat Intelligence team at the White House. In 2019, Mick became the first CISO in the history of US Presidential campaigns, working on Pete Buttigieg’s 2020 White House race. As campaign CISO, he developed and implemented a strategic enterprise information security and IT risk management program and built an information security culture through the establishment of security awareness training programs and exercises.

A job with an expiration date

Mick started his role as campaign CISO in July 2019. “When you take a role like that, you know the job does have an expiration date. The elections are in November 2020, but any time before that, the role can end. If your candidate doesn’t raise enough money, if they misspeak, if they just don’t get the traction, you’re not going to be there next month.” That forces you to make decisions quickly and prioritize, Mick explains. “For example, I wanted to roll out hardware tokens to everyone. But how much time do I have to do that? Do I roll them out to the entire staff, or part of the staff? In that sense, working for a campaign is similar to working in a startup, where you have to make a lot of small decisions like that, with fewer resources than you might be used to.”

“At companies like Splunk, you generally sign a multi-year contract. Well, the campaign is not going to be around multi-years. It might not even be around multi-months. So it’s a very unique environment, where you have to negotiate with security vendors and find non-profit organizations such as DDC (Defending Digital Campaigns) to work with. Every dollar spent on security is a dollar that isn’t spent on votes, so it’s incredibly important to take advantage of help like that.”

Take your work home

“I started with MITRE’s Crown Jewels Analysis, asking myself the question: what’s the most important thing we need to defend? And if it breaks, what else breaks because of it? I think generally, for any organization, it’s your email. If your email stops working, you’re done. You really can’t do much else after that. So it’s important to protect everyone’s professional accounts.” But it doesn’t stop there, Mick points out. “People need to secure their personal account too, as well as that of their immediate family.”

“Most people have a password manager. Most people have multi-factor authentication. But is it across all of the accounts you have?” In the end, it comes down to doing a crown jewels analysis on a person, rather than on an organization, Mick says. “We need to sit down with people and go through all of this.”

“Honestly, it’s easier from a corporate environment, from an enterprise environment, to keep people secure. But we need to look outside of that. Hackers will not target your professional email, because they know you have professional security in place. But you might not have an MFA on your personal account. So we need to instill those ‘eat your cyber vegetables’ habits into people who might not ordinarily know about them or understand the importance of them.”

Extrapolating trust

Technology is moving fast, but is Gen AI the biggest threat at the moment? “Four years ago, we were not concerned about deep fakes, but now, this technology is available to everyone. However, we’re still at the point where these videos can be easily debunked. If you had a fake video of President Macron or President Biden or anyone like that, their staff immediately would come out and go, That’s not us. That’s not real. So I don’t think it would do damage,” Mick says.

“What my concern is though, are we doing our homework well enough? The 2020 presidential campaign saw a pretty heavy IO (Influence Operations) campaign, but we didn’t really learn about it until two years later. Does that mean we’re not going to learn about current threats until 2026 when we’ve done the research?”

At the same time, Mick wonders if we are focusing on the US too much. “There’s over 60 elections globally this year. We have a lot of people across the globe keeping tabs on the US election, for a very good reason. There is a lot of scrutiny on it. But that in turn begs the next question, is there enough scrutiny on the other elections that are going on across the globe?”

“And how do we address threats in those elections?” We can try to extrapolate the threat models, but it’s not one size fits all, Mick says. “Different elections have different targets, and you have to tailor your strategy to each country, each candidate, each region. That becomes resource intensive, and we need to be aware of that.” However, Mick is optimistic about the resources coming to market. “At Splunk, we’ve rolled out the Joint Cyber Defense Collaborative, and we see more and more organizations getting involved in providing tools and resources to create trust in the voting process.”

Ultimately, building trust is what matters, Mick says. “While elections are very specific to a country, if we can build trust in the voting process here, we can extrapolate that across the globe.”

Over Daphne

Als freelance schrijver en journalist werkt Daphne Frik aan verhalen over verschillende onderwerpen in de technologiesector, van cybersecurity en cybercriminaliteit tot post-quantum cryptografie.

Daphne begon haar journalistieke carrière in het financiële hart van Londen, waar ze bij een financieel mediabureau schreef over faillissementen, herstructureringen en herfinancieringen. Terug in Nederland werkte ze bij een investeringsbank op de Zuidas, om vervolgens de switch te maken naar het onderwerp dat ze het meest interessant vindt: technologie.

Na een periode bij Fox Crypto als technisch schrijver werkt Daphne nu als freelancer en helpt ze met bedrijven in de IT-sector complexe, technische informatie te vertalen naar een duidelijk verhaal dat voor iedereen te begrijpen is.

Ook maakt ze persoonlijke verhalen over inspirerende professionals en schrijft ze graag over de onderbelichte kanten in de technologiesector, met de hoop de discussie hierover aan te wakkeren.