Paul Gagliardi, head of threat intelligence and CISO at SecurityScorecard, investigates how secure the U.S. presidential campaigns actually are and whether they have learned their lessons from 2016.
Cyber security is going to be a hot topic in the run-up to this year’s U.S. presidential elections in light of the controversy surrounding the 2016 polls, which were marred by hacking and allegations of foreign interference.
This included the theft and subsequent leaking of emails from the Democrat campaign, which many believe cost them the keys to the White House.
Given that in the following four years those wishing to disrupt or influence elections have grown more sophisticated in their methods, candidates competing in forthcoming elections need to be on their guard and ensure they have robust security measures in place.
To this end, SecurityScorecard conducted research into the security ratings of each of the contenders for the 2020 Democratic presidential nomination.
The findings show that each candidate has a good security posture and lessons seem to have been learned from four years ago.
Threat actors, whether state-sponsored or hacktivists, are increasingly trying to influence foreign elections through the use of offensive cyber operations.
This not only includes the dissemination of fake news, but also compromising the IT networks of key campaigns competing in those elections.
This was clearly demonstrated in 2016 when Russian-sponsored actors were believed to have attempted to influence the outcome of the US presidential election by releasing thousands of stolen emails from the Democratic campaign.
Such activity exposed how vulnerable the IT networks of political entities can be to cyber attacks and how they lacked an incident response plan to counter any malicious activity.
Since then, those threat actors wishing to influence foreign elections have grown more sophisticated in their approach.
For instance, the US National Security Agency and the UK’s GCHQ believe that Russian agents have been masquerading as Iranian-sponsored actors while attacking more than 20 different countries, in order to better cover their tracks.
This could have serious implications for the campaigns and their affiliates if they do not have sufficiently robust defensive strategies in place.
Reaching out to voters and potential donors is pivotal to any election campaign, so investment in marketing and media relations forms a significant proportion of campaign spending.
Creating the collateral for an election including websites, social media accounts, and advertising is akin to a well-funded start-up – lots of frenetic activity for the purpose of getting noticed and in the hope that the generated momentum will help them achieve their goal.
For instance, the campaigns of the two frontrunners for the Democratic nomination are spending millions of dollars on such publicity.
According to opensecrets.org, Bernie Sanders’ campaign spent $35 million on media as of February 2020, by far the largest proportion of the campaign’s budget. Of this, nearly $6m was spent purely on Google Ads, highlighting the importance of online campaigning.
Joe Biden’s campaign, which had roughly half the budget of Sanders’, spent $13m on media and $2.4m on Google Ads.
This desire for agility can mean that cybersecurity is an afterthought. The associated costs of implementing robust defences and processes are often viewed as stifling rapid growth, as they take away money that could be spent on attracting new supporters and donors.
Why security matters
Political campaigns are built on vast amounts of data. This could be personally identifiable information about staff, supporters and donors, analytics, and sensitive communications.
Many political organisations also have access to details of every registered voter, which need to be kept safe. Any leak of this information can have severe consequences.
This includes having a dramatic impact upon the outcomes of elections, as witnessed in 2016, which in turn damages the democratic process and sows distrust in it.
There is also the data privacy of those individuals whose information is held or accessed by specific campaigns.
For example, earlier this year the entire registry of voters in Israel, including names, addresses and telephone numbers, was leaked via an app used by the ruling Likud party. This has clear privacy implications for Israel’s 6.5m registered voters.
Making the grade
In the run-up to the 2020 U.S. presidential election, there is undoubtedly going to be a focus on how secure each campaign is.
It was this focus that encouraged SecurityScorecard to conduct research into the security ratings of the campaigns of those hoping to be the Democrats’ nominee for President.
At the time of writing, while Joe Biden and Bernie Sanders are effectively the only candidates in the race to win the nomination, the campaign websites of other candidates were still up and running.
This could indicate that other elements of their IT networks remain in place, meaning that they are still vulnerable to being breached.
Our research found that all candidates analysed had a rating of ‘B’ or higher, using a scale of A-F, indicating that they have a positive cybersecurity posture.
Looking at specific campaigns, Joe Biden, Michael Bennet and John Delaney had the highest security scores of 97 out of 100, earning them an ‘A’ grade. Tulsi Gabbard also had an ‘A’ grade, while Sanders’ campaign came out with a score of 89, or a ‘B’.
The campaigns of Mike Bloomberg and Elizabeth Warren also achieved ‘B’ grades, with scores of 87 and 86 respectively.
The difference between an ‘A’ and a ‘B’ is negligible, but organisations with a ‘C’ or below are five times more likely to suffer a security breach than those with higher grades.
Although an organisation might have robust cyber security, threat actors can still breach it by exploiting weaknesses in third-party suppliers. The security of vendors therefore also needs to be taken into account when considering the overall defensive posture of a particular entity.
All of the candidates used third parties such as ActBlue, Pantheon, Mobilize America and ActionKit for critical technical functions, and these were all rated ‘B’ or higher.
While these grades show that the candidates appear to be taking their security responsibilities seriously, they must remain vigilant. Political parties and campaigns need to ensure that they invest in cybersecurity, as not doing so is likely to be a significant false economy.