Political parties vulnerable to cyber attacks
- By Derek B. Johnson
- May 23, 2019
Despite recent headlines about cyber attacks on the nation's election infrastructure and the vulnerability of the political system to manipulation, political parties in the U.S. may still be ill prepared to respond to an escalation in cyber activities, according to a report from Security Scorecard.
In its research, the company analyzed 29 political party entities from 11 countries in North America and Europe and assigned scores for application security, DNS health, network security and patching cadence. In the U.S. it considered security at the two major political parties as well as the Green Party and the Libertarian Party.
In overall scoring, the U.S. came in fifth, following Sweden, Northern Ireland, German and Italy.
Vulnerabilities ranged from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.
"I think when you're trying to defend against something like a nation-state attacker, you have to be extremely buttoned up, and within hours we were finding indications that these parties were simply not to that level," said Paul Gagliardi, a threat researcher at Security Scorecard, in an interview.
The Republican National Committee scored higher than its Democratic counterpart. The Green Party earned the highest score while the Libertarian Party scored lowest.
While the DNC's score lagged behind those of the RNC "in almost all categories" measured, Gagliardi said the security posture of both organizations were comparable. Both still have worrying "low-hanging fruit" to deal with but are still operating on a higher level than past election cycles.
In addition to the parties' fundraising and coordinating bodies, there has been a substantial effort to improve the cybersecurity posture of individual campaigns. Earlier this year, the DNC rolled out an updated security checklist for candidates to help ensure that cybersecurity best practices are followed from a campaign's inception.
The Federal Election Commission is mulling a proposal to allow campaigns to accept free or low-cost IT assistance from non-profits without running afoul of campaign finance laws against accepting donations.
Still, Gagliardi said the research shows there are still weaknesses to be addressed at the party level.
"They're in this weird position where they're potentially being targeted by nation-state capabilities, but they don't have the defenses or funds of the industries that normally defend against that threat," said Gagliardi. "It raises the question: do they even have the funds or people to properly defend themselves?"
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.