Cybersecurity

Report: U.S. political parties need to shore up cyber

 

Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from SecurityScorecard.

In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses.

Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

"I think when you're trying to defend against something like a nation-state attacker you have to be extremely buttoned up and within hours we were finding indications that these parties were simply not to that level," said Paul Gagliardi, a threat researcher at SecurityScorecard in an interview.

The Republican National Committee scored higher than its Democratic counterpart. The Green Party earned the highest score while the Libertarian Party scored lowest.

While the DNC's score lagged behind those of the RNC "in almost all categories" measured, Gagliardi said the security posture of both organizations were comparable. Both still have worrying "low-hanging fruit" to deal with but are still operating on a higher level than past election cycles.

In addition to the parties' fundraising and coordinating bodies, there has been a substantial effort to improve the cybersecurity posture of individual campaigns. Earlier this year, the DNC rolled out an updated security checklist for candidates to ensure that cybersecurity best practices are followed from a campaign's inception.

The Federal Election Commission is mulling a proposal to allow campaigns to accept free or low-cost IT assistance from non-profits without running afoul of campaign finance laws against accepting donations.

Still, Gagliardi said the research shows there are still weaknesses to be addressed at the party level.

"They're in this weird position where they're potentially being targeted by nation-state capabilities but they don't have the defenses or funds of the industries that normally defend against that threat," said Gagliardi. "It raises the question: do they even have the funds or people to properly defend themselves?"

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • Federal 100 Awards
    Federal 100 logo

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

Stay Connected