Scoring the Democratic Presidential Candidates on Cybersecurity
CISO Paul Gagliardi scores Democratic candidates’ campaigns and their third-party vendors on cybersecurity.
March 27, 2020
For months now, U.S. lawmakers have heard warnings about Russia interfering with this year’s elections. But the threat extends beyond voting machines and voter data to the campaigns in both parties. MSSPs increasingly play larger roles in cybersecurity for candidates and the voting process. A new report offers insights into how well MSSPs and others are performing on the candidate side.
President Trump is the incumbent and largely covered by national security agencies. But the Democratic candidates are pretty much on their own when it comes to cybersecurity, at least for the moment. SecurityScorecard scored their efforts in their latest report.
“The entire team entered the exercise thinking we would unfortunately find some significant holes in the candidate’s security,” said Paul Gagliardi, CISO and head of threat intelligence at SecurityScorecard.
In a previous report on national and foreign political parties, the SecurityScorecard team discovered major flaws and issues in many of them. Gagliardi said the team “expected that to extend” to this year’s crop of Democratic candidates’ campaigns as well.
“Fortunately for American voters, that was not the case and we were pleasantly surprised that there were no low-hanging giant flaws we could find across the campaigns,” he said.
SecurityScorecard’s Paul Gagliardi
“We should have expected this, but it was surprising to see modern campaigns choosing a subset of vendors and third parties to do all the heavy lifting. We’ve historically found large flaws in the political parties within software solutions that were seemingly developed in-house — for example, solutions to capture voter information,” Gagliardi added.
MSSP Insider talked with Gagliardi about the report findings and what they might mean in light of foreign interference in U.S. elections.
Channel Futures’ MSSP Insider: What are the highlights in the SecurityScorecard you released earlier this month?
Paul Gagliardi: We graded all candidates’ campaigns at a rating of “B” or above, whereas our last report in 2019 found that the DNC overall had a “C” grade. This turnaround shows an increased focus on cybersecurity measures and candidate willingness to invest in good cyber hygiene.
Each campaign utilized third parties for critical technical functions. These third parties also exhibited clean external facing hygiene, although there is a risk of them becoming a target for sophisticated actors.
However, there were problematic findings with nonsanctioned websites and applications. For example, we discovered a cross-site scripting (XSS) attack among a third-party community event management application supporting Andrew Yang, who has since dropped out of the race.
CFMI: How did the key Democratic candidates and the third-party vendors they use to support their online presence score?
PG: Of the two remaining candidates, Biden scored a 97 and Sanders scored an 89. While this is good overall, we want to see any presidential hopeful taking cybersecurity as seriously as possible, particularly given recent threats from nation-states and increased vulnerabilities as workforces move fully remote.
We looked into a number of third-party vendors, including:
services and third parties such as Google, NGP, and Mailchimp, which candidates permitted to send email on their behalf.
third parties such as Cloudflare, Cloudfront, and Fastly, which provide technical, defensive, and infrastructure services to host the campaign’s websites and platforms.
other commonly used third parties, including ActBlue, Pantheon, Mobilize America and ActionKit.
The campaigns outsourced critical functions to expert third parties, which mirrors …
… the trend in the current business climate overall.
That is not to say security concerns are alleviated by simply outsourcing; in fact, it’s the contrary. The Opus & Ponemon Institute reported in 2018, 59% of companies had suffered a third-party breach at some time, but less than 20% of companies had some sort of process in place assessing the risks third parties pose.
After rigorous testing, no egregious lapses in security were discovered within these third parties, but some represent a common attack vector. Because up to nine different candidates are utilizing the same third-party vendor, it makes it a serious target for more advanced actors.
Google, AWS and other large providers are under constant threats not just limited to geopolitical motives; however, boutique nonprofits that offer a single technical offering to political candidates do not have the same resources that larger tech companies have.
There is inherent risk involved with using third parties. At the same time, there is a technical and security advantage of using a vetted third party singularly focused on providing a service such as donation acceptance or merchandise sales.
CFMI: What steps do you suggest political candidates take to improve their cybersecurity?
PG: They should be screening all third-party vendors before engaging with them, as that is best security practice.
We certainly understand the power of vetted and mature third parties that provide focused technological solutions. It appears this is exactly what the Democratic candidates have elected to do, which is the advisable path — as opposed to creating your own donation acceptance software or virtual merchandise store.
However, the most common use of our ratings platform is assessing the cybersecurity risk of using such third parties, which is why we extended our analysis to the most popular organizations these campaigns were using.
The campaigns should be conducting a similar risk analysis of the vendors they use. As campaigns grow larger in terms of donations, supporters and digital marketing, they also need to scale their security teams and security awareness training appropriately.
By far the most important aspect of successful security team is the people — the leaders, security personnel and everyone in between.
CFMI: Will you be scoring the candidates again closer to the election?
PG: We’re planning to release another report in the late summer detailing the cybersecurity posture of the Trump administration and the Democratic nominee.
Read more about:
MSPsAbout the Author
You May Also Like