The French presidential election is over. Emmanuel Macron has won and will become France’s new president. A lot will be discussed about his victory in the upcoming weeks and throughout the upcoming French legislative elections (next month in June) that will result in a new French National Assembly and a new French prime minister. Until then, Macron has certainly successfully fought a tough political battle and his campaign team has also fought a tough cybersecurity battle during the elections.
We have been hammered every day since December (Mounir Mahjoubi, Macron’s campaign digital lead)
The campaign was certainly hit by hackers and documents were eventually leaked on the eve of election day, referred to as MacronLeaks. However, the leak came too late to impact the elections. It is also still unclear whether the content of the leaked documents would have warranted any tangible impact on the election process if the documents had been published earlier in the campaign. The leaked documents are still being reviewed and analysed. The key point is that there was no impact on the election process and no surprise.
I read a few interesting reports on the subject of Macron’s campaign cybersecurity, including this one: Fighting Back Against Putin’s Hackers. I like it a lot that lessons have been learnt from the DNC hack that has reportedly impacted the USA presidential elections. Applying lessons learnt is a very important element to security risk management. My key take-away of the measures applied to Macron’s campaign include:
- The election’s cybersecurity was taken seriously. People worked on it and a program was put in place. Yes, some information was eventually leaked, but too late to have any impact on the election process. It seems that the risk was managed well enough overall.
- Lessons learnt were applied from recent elections’ related hacks. A threat and a risk were identified and managed.
- A clear focus on staff security awareness with weekly communications.
- Sensitive communications between campaign staff were managed through a mix of different channels/apps – not all by emails (from this interview in French). All the data eggs were not in the same basket.
- A soft “counteroffensive” decoy strategy was implemented to “flood” hackers with misleading information and get them busy sorting things out.
This is a successful security risk management story, especially following the French government decision to abandon the online voting option for overseas residents for the upcoming legislative elections over hacking fears. Cybersecurity risks can be managed.
I can say Bravo to a smart election campaign cybersecurity. Vive la France. Vive la cybersecurity!
Note: I am not interested in the attribution claims of the article referred above. I simply comment on the positive cybersecurity risk management measures that have been implemented.