politics security

Political parties vulnerable to cyber attacks

Despite recent headlines about cyber attacks on the nation's election infrastructure and the vulnerability of the political system to manipulation, political parties in the U.S. may still be ill prepared to respond to an escalation in cyber activities, according to a report from Security Scorecard.

In its research, the company analyzed 29 political party entities from 11 countries in North America and Europe and assigned scores for application security, DNS health, network security and patching cadence.  In the U.S. it considered security at the two major political parties as well as the Green Party and the Libertarian Party.

In overall scoring, the U.S. came in fifth, following Sweden, Northern Ireland, German and Italy.

Vulnerabilities ranged from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

"I think when you're trying to defend against something like a nation-state attacker, you have to be extremely buttoned up, and within hours we were finding indications that these parties were simply not to that level," said Paul Gagliardi, a threat researcher at Security Scorecard, in an interview.

The Republican National Committee scored higher than its Democratic counterpart. The Green Party earned the highest score while the Libertarian Party scored lowest.

While the DNC's score lagged behind those of the RNC "in almost all categories" measured, Gagliardi said the security posture of both organizations were comparable. Both still have worrying "low-hanging fruit" to deal with but are still operating on a higher level than past election cycles.

In addition to the parties' fundraising and coordinating bodies, there has been a substantial effort to improve the cybersecurity posture of individual campaigns. Earlier this year, the DNC rolled out an updated security checklist for candidates to help ensure that cybersecurity best practices are followed from a campaign's inception.

The Federal Election Commission is mulling a proposal to allow campaigns to accept free or low-cost IT assistance from non-profits without running afoul of campaign finance laws against accepting donations.

Still, Gagliardi said the research shows there are still weaknesses to be addressed at the party level.

"They're in this weird position where they're potentially being targeted by nation-state capabilities, but they don't have the defenses or funds of the industries that normally defend against that threat," said Gagliardi. "It raises the question: do they even have the funds or people to properly defend themselves?"

This article was first posted on FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • 2020 Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected