Political Organisations Are the Softest Target in Cybersecurity. And Everyone Knows It.

Why campaigns, parties, and grassroots movements are being systematically targeted — and what genuinely private communication looks like in an era of state-sponsored hacking and AI-driven surveillance

In March 2016, a campaign aide to Hillary Clinton received a phishing email. It looked like a standard Google security alert. He clicked the link. Within hours, Russian military intelligence had access to John Podesta’s Gmail account. Fifty thousand emails were eventually published by WikiLeaks, timed for maximum political damage in the weeks before the US presidential election.

The technical sophistication of the attack was minimal. A convincing email. A link. A login page. The entire operation that reshaped a presidential election began with something that every organisation in this article is still doing every day: trusting email as a secure channel for sensitive communication.

This is the central problem for political organisations of every size, in every country, across every part of the political spectrum. The information they handle — donor identities, campaign strategy, internal polling, opposition research, coalition negotiations, candidate vulnerabilities — is extraordinarily valuable to a wide range of adversaries. And the tools most of them use to handle it offer almost no meaningful protection against anyone determined to obtain it.

Why Political Organisations Are Disproportionately Targeted

The targeting of political organisations is not incidental. It is strategic and deliberate, carried out by adversaries with significant resources and clear objectives.

State actors — foreign intelligence services operating on behalf of governments with an interest in the outcome of another country’s political process — represent the most sophisticated and well-resourced threat. The Internet Research Agency operations targeting the 2016 US election, the GRU’s hacking of the Democratic National Committee and the Democratic Congressional Campaign Committee, the FSB’s targeting of European political parties, and the leak of Emmanuel Macron’s campaign emails days before the 2017 French presidential election are the most prominent documented examples. They are not the only ones. Most successful intrusions into political organisations are never publicly disclosed.

But state actors are not the only threat. Opposition research firms, some operating in legal grey areas, have a commercial interest in obtaining private communications, donor lists, and internal strategy documents. Ideologically motivated hackers target organisations across the political spectrum. Journalists pursuing legitimate stories and those pursuing something less legitimate both benefit from leaked internal communications. And the general ecosystem of cybercrime — ransomware operators, data brokers, credential thieves — treats political organisations as targets of opportunity, often with no political motivation at all.

The common thread across all of these adversaries is that political organisations make exceptionally attractive targets precisely because they handle sensitive information in volume, operate under time pressure that discourages careful security practice, rely heavily on volunteers and temporary staff with variable security awareness, and have historically invested very little in the infrastructure needed to protect what they handle.

What Gets Exposed When a Political Organisation Is Breached

The consequences of a successful breach depend on what the organisation holds. For most political organisations, that is a great deal.

Donor identities and financial relationships

Donor lists are among the most sensitive information a political organisation holds. Individual donors may face professional, social, or personal consequences if their political affiliations become public. Corporate donors may face reputational or commercial risk. Major donors to controversial causes or candidates may face organised opposition or harassment. In some jurisdictions, certain categories of political donation carry legal obligations around confidentiality. A leaked donor list is not just a privacy violation — it is a threat to the individuals on it and to the organisation’s ability to fundraise in the future.

Internal strategy and polling

Campaign strategy — targeting decisions, messaging priorities, resource allocation, identified vulnerabilities in the candidate or the platform — is directly valuable to opponents. Internal polling that has not been published represents a significant intelligence advantage. Opposition research compiled by the campaign is, by definition, exactly what an opponent would want to obtain. The leak of internal strategic documents does not just embarrass the organisation. It transfers a competitive advantage directly to the adversary.

Private communications between key figures

The Podesta emails were damaging not primarily because they revealed illegal activity but because they revealed the unguarded private communications of senior figures — candid assessments of colleagues, frank discussions of political positioning, internal disagreements made public. Every organisation has private communications that would be damaging out of context, or simply damaging. The assumption that those communications are private is, for most political organisations, not grounded in the security of the systems through which they travel.

Supporter and activist identities

In many political contexts — opposition movements in authoritarian states, organisations campaigning on controversial issues, activist networks operating in hostile environments — the identity of supporters and participants is itself sensitive information. Exposure can mean professional consequences, social ostracism, or in extreme cases physical danger. The organisation’s responsibility to protect the identities of those who trust it with their participation is not just an operational concern. It is an ethical one.

How the Attacks Actually Happen

The sophistication of the 2016 DNC hack, and the state actor resources behind it, can give a misleading impression of what political organisations typically face. Most successful breaches do not involve advanced persistent threats or zero-day exploits. They involve the same attack vectors that target every organisation — executed against targets that are particularly vulnerable because of how they communicate and collaborate.

Spear phishing

Targeted phishing — emails crafted to appear legitimate to a specific individual, referencing real context about their role and relationships — is the starting point for the majority of successful intrusions into political organisations. The Podesta attack was spear phishing. The DCCC breach began with spear phishing. The Macron campaign was targeted with spear phishing. In each case, the attack worked because a legitimate-looking email containing a link was indistinguishable, to the recipient, from the dozens of legitimate emails containing links they received every day.

AI has made this dramatically worse. The volume, personalisation, and linguistic quality of AI-generated spear phishing now exceeds what human attackers could produce at scale. A campaign team receiving hundreds of emails a day, under time pressure, with variable security awareness across staff and volunteers, is not realistically going to catch every AI-generated phishing attempt. The question is not whether one will succeed. It is what happens when it does.

Credential theft and account takeover

Once a phishing attack obtains a credential, the attacker has access to everything that credential protects — and in most political organisations, a single email account or file sharing login provides access to an enormous amount of sensitive material. Campaign communications, shared documents, donor databases, strategic planning files. The perimeter collapses at the point of a single successful credential theft because there is no meaningful separation between what different credentials can access.

Insider exposure and operational security failures

Not all exposure is the result of external attack. Political organisations typically involve large numbers of people — staff, volunteers, consultants, advisors — with varying levels of access and varying standards of operational security. Documents shared by email can be forwarded beyond the intended recipients. Conversations on consumer messaging apps can be screenshotted. Sensitive information discussed in platforms with inadequate access controls can reach people who were never supposed to see it. The attack surface is not just external. It is every person with access to a shared inbox, a forwarded email, or a consumer file sharing link.

What Genuine Private Communication Looks Like

The answer for political organisations is the same as it is for any organisation handling sensitive information under adversarial conditions: replace open, unverified communication channels with closed, authenticated ones where the attack vectors that have proven so effective simply do not exist.

No links. No exposed access points.

Every shared link is a phishing opportunity. Every email notification asking a recipient to click through to a document is a format that attackers can replicate. A communication environment that operates without links — where documents and conversations appear in an authenticated dashboard that participants access directly, without any email-based trigger — removes the primary mechanism by which political organisations have been successfully breached. There is no link to spoof. There is no notification email to replicate. There is no anonymous access point for an attacker to discover and exploit.

Verified identities, not shared passwords

Access to sensitive communications and documents should be tied to verified individual identities, not to shared passwords, group logins, or links that anyone who receives a forwarded email can follow. When a volunteer leaves, or a consultant’s engagement ends, or a relationship with an external advisor concludes, access should be revocable instantly and completely — not dependent on changing a shared password and hoping nobody retained the old one. The identity of every person who accessed every document should be recorded, automatically and immutably, in a form that can be reviewed if questions arise.

Passkeys over passwords

Passwords are the single most exploited vulnerability in political organisation security. They are phished, reused across platforms, shared between team members, and guessed. Passkey authentication replaces the password entirely with a device-bound, biometric credential that cannot be phished, cannot be shared, and cannot be entered into a fake login page. Even if an AI-generated phishing email convinces a campaign staffer to navigate toward a fraudulent login page, passkey authentication stops the attack at the credential layer. There is nothing to steal because there is nothing to type.

Encryption that the platform cannot access

Most consumer communication and file sharing platforms encrypt data in a way that the platform itself can decrypt — which means a court order, a government demand, or a breach of the platform’s own systems can expose the content. For political organisations operating in jurisdictions where government surveillance is a concern, or facing adversaries with the resources to compel platform disclosure, this is a meaningful vulnerability. Encryption that is managed at the application level, with keys held by the organisation rather than the platform, means that even a successful legal demand served on the platform produces nothing useful. The protection is cryptographic, not contractual.
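
The difference between platform-held and organisation-held keys, as an added example that is not from the original article or any specific product: documents are encrypted with AES-256-GCM before they reach the platform, so the platform stores, and can only ever disclose, ciphertext. The store, the document IDs and the sample text are constructed for the illustration.

```javascript
// Added illustration, not from the article: application-level encryption where
// only the organisation holds the key. All names and sample data are assumptions.
const crypto = require("node:crypto");

const orgKey = crypto.randomBytes(32); // stays on the organisation's own devices
const platformStore = new Map();       // stand-in for the hosting platform

// One derived key per document, so a single exposed document key unlocks nothing else.
function documentKey(docId) {
  return Buffer.from(crypto.hkdfSync("sha256", orgKey, Buffer.alloc(0), `doc:${docId}`, 32));
}

function upload(docId, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", documentKey(docId), nonce);
  cipher.setAAD(Buffer.from(docId)); // bind the ciphertext to its document ID
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  platformStore.set(docId, { nonce, body, tag: cipher.getAuthTag() });
}

function download(docId) {
  const { nonce, body, tag } = platformStore.get(docId);
  const decipher = crypto.createDecipheriv("aes-256-gcm", documentKey(docId), nonce);
  decipher.setAAD(Buffer.from(docId));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    return null; // record was modified or moved on the platform side
  }
}

// Everything a legal demand or a breach of the platform can yield for one document.
function platformDisclosure(docId) {
  const r = platformStore.get(docId);
  return Buffer.concat([r.nonce, r.body, r.tag]);
}

function demo() {
  upload("donors-q3", "Constructed sample: donor list draft");
  const roundTrip = download("donors-q3");
  const leaksPlaintext = platformDisclosure("donors-q3").includes("donor");
  // The platform (or an intruder on it) files the record under another document ID.
  platformStore.set("press-release", platformStore.get("donors-q3"));
  return { roundTrip, leaksPlaintext, swapped: download("press-release") };
}

console.log(demo());
```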

Automatic deletion and ephemeral communications

Not everything needs to be retained. Sensitive strategic discussions, internal assessments of candidates or policies, planning conversations that were relevant in the moment but not intended as permanent records — these can be configured to delete automatically after a defined period, or on demand once all participants have acknowledged them. The information that does not exist cannot be leaked, subpoenaed, or exposed in a breach. Automatic deletion, applied selectively to the communications that carry the most risk if exposed, is a meaningful reduction in the organisation’s long-term exposure.

Protected participant identities

Donor lists, supporter databases, and activist contact information should never travel through email or be stored in systems with inadequate access controls. A secure, encrypted environment where participant identities are held separately from public-facing systems, accessible only to authenticated individuals with a clear need, and protected by the same layered security as the organisation’s most sensitive communications, is the appropriate standard for information whose exposure could have direct consequences for the individuals on it.

The Grassroots Organisation Problem

Most of the documented high-profile breaches of political organisations involve well-resourced national campaigns with professional staff. The security problem is, if anything, more acute for smaller organisations — local parties, grassroots movements, single-issue campaigns, activist networks — that lack the resources to hire security professionals, the institutional knowledge to implement complex security programmes, and the administrative capacity to manage sophisticated tools.

The security tools available to these organisations need to be simple enough to use without training, affordable enough to be accessible without a dedicated technology budget, and effective enough to provide meaningful protection against the adversaries that target them. That is not a combination that email, WhatsApp, and shared Dropbox folders provide.

A platform that requires nothing to install, authenticates participants through credentials they already have, and applies encryption automatically without any action from the user meets the grassroots organisation where it actually is — not where a well-resourced security programme assumes it to be. The security should be invisible. The usability should be immediate. The protection should not depend on every volunteer understanding what they are doing and why.

The Democratic Argument

There is a dimension to this that goes beyond operational security. The right to organise, plan, and communicate privately is foundational to democratic participation. Political organisations — whether they are governing parties, opposition movements, or grassroots campaigns — need to be able to develop positions, debate strategy, and coordinate action without the fear that their private deliberations will be exposed, weaponised, or used against them.

When private political communications are systematically exposed through inadequate security — whether by foreign intelligence services, domestic opponents, or opportunistic attackers — the effect is a chilling one. Candid internal debate becomes self-censorship. Sensitive strategic planning moves off any recorded channel. The deliberative processes that healthy organisations require become constrained by the knowledge that nothing is truly private.

The answer to that is not to communicate less candidly or to avoid recorded channels entirely. It is to have channels that are genuinely private — where the encryption is real, the access is controlled, the identities are verified, and the protection does not depend on trusting a platform whose interests may not align with the organisation’s.

The breach that changes an election begins with a phishing email. The donor list that damages an organisation begins with a forwarded attachment. The private conversation that becomes a public scandal begins with a message sent through a platform that was never designed to keep it private.

None of these are inevitable. They are the predictable consequences of using open, unverified channels for communications that require closed, verified ones. The tools that make the difference are not complicated or expensive. They are simply different from the ones that have already proven, repeatedly, to be inadequate.

Democratic participation requires private communication. Private communication requires more than a password and a prayer.
