Significant strides have been made since the campaign cybersecurity debacle in 2016 that led to the disclosure of a trove of emails by WikiLeaks that arguably cost Hillary Clinton the U.S. presidential election, according to a report published this week assessing the security posture of the major political candidates that make up the current Democratic Party field.
The report rates the security posture of each primary candidate a B or better. A year ago, a similar assessment conducted by SecurityScorecard, a provider of risk analysis tools and author of the report, gave the Democratic National Committee (DNC) a C grade.
The assessments conducted by SecurityScorecard are based on a non-intrusive approach to threat hunting derived from a set of best cybersecurity practices defined within its software-as-a-service (SaaS) application.
Scott Walsh, a senior threat intelligence researcher for SecurityScorecard, said that survey results suggest all 14 of the campaigns assessed have significantly bolstered their cybersecurity capabilities by relying on many of the same approved vendors as well as the expertise of third-party IT services firms. Among the candidates still in the race, the Joe Biden campaign (97) ranked highest. The lowest score was attained by Elizabeth Warren (86).
The SecurityScorecard platform automates penetration testing and provides access to web vulnerability and network scanning tools to assess the websites of each campaign. At no point did SecurityScorecard attempt to use exploits, default credentials or brute-force credentials, or intentionally perform actions that would negatively impact a candidate’s platforms or third-party infrastructure and potentially surface additional cybersecurity vulnerabilities. However, most of the candidates appear to have made major investments in cybersecurity that enable them to thwart most of the common attack vectors that might target their websites.
Of course, there always will be a correlation between the amount of funding a candidate can raise and the level of investment they can make in cybersecurity. As the campaigns wear on, some candidates may have to cut back on their cybersecurity investment levels.
Longer term, Walsh said, campaigns soon will be facing more complex cybersecurity issues such as the rise of deep fakes: for example, videos of a candidate asking for money, created using machine learning and deep learning algorithms, that lead campaign donors to a fake website.
In the meantime, Walsh said the best thing campaigns can do is always verify with whom they are sharing information. Whenever possible, they should always use an additional communications channel to confirm the identity of anyone they communicate with—for example, via email or a social media outlet, he said, adding they also might want to be on guard for fake invoices that might be from a fraudulent media outlet.
It’s clear that as candidates embrace various digital technologies to expand the reach of their message to potential voters, the medium is not only the message—it’s now also a threat vector that can derail both national and local campaigns alike.