politics security

Political parties vulnerable to cyber attacks

Despite recent headlines about cyber attacks on the nation's election infrastructure and the vulnerability of the political system to manipulation, political parties in the U.S. may still be ill prepared to respond to an escalation in cyber activities, according to a report from Security Scorecard.

In its research, the company analyzed 29 political party entities from 11 countries in North America and Europe and assigned scores for application security, DNS health, network security and patching cadence.  In the U.S. it considered security at the two major political parties as well as the Green Party and the Libertarian Party.

In overall scoring, the U.S. came in fifth, following Sweden, Northern Ireland, German and Italy.

Vulnerabilities ranged from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

"I think when you're trying to defend against something like a nation-state attacker, you have to be extremely buttoned up, and within hours we were finding indications that these parties were simply not to that level," said Paul Gagliardi, a threat researcher at Security Scorecard, in an interview.

The Republican National Committee scored higher than its Democratic counterpart. The Green Party earned the highest score while the Libertarian Party scored lowest.

While the DNC's score lagged behind those of the RNC "in almost all categories" measured, Gagliardi said the security posture of both organizations were comparable. Both still have worrying "low-hanging fruit" to deal with but are still operating on a higher level than past election cycles.

In addition to the parties' fundraising and coordinating bodies, there has been a substantial effort to improve the cybersecurity posture of individual campaigns. Earlier this year, the DNC rolled out an updated security checklist for candidates to help ensure that cybersecurity best practices are followed from a campaign's inception.

The Federal Election Commission is mulling a proposal to allow campaigns to accept free or low-cost IT assistance from non-profits without running afoul of campaign finance laws against accepting donations.

Still, Gagliardi said the research shows there are still weaknesses to be addressed at the party level.

"They're in this weird position where they're potentially being targeted by nation-state capabilities, but they don't have the defenses or funds of the industries that normally defend against that threat," said Gagliardi. "It raises the question: do they even have the funds or people to properly defend themselves?"

This article was first posted on FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • automated processes (Nikolay Klimenko/Shutterstock.com)

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected