“How secure are the presidential candidates’ campaigns?” This is the question asked by the SecurityScorecard Threat Intelligence Team in their recently published report “2020 Democratic Presidential Candidates Get Smart to Cybersecurity.”
This isn’t about platform or ideology – it’s about identifying how organizations that are in a constant state of movement secure the digital frameworks of their campaigns. The campaigns and their staff members are fully enveloped in a digital landscape that includes e-mail servers, text banking, fundraising, list-making, and database-building.
“Traditionally, political campaigns are similar to a startup: lean agile and focused solely on one goal,” according to SecurityScorecard.
Campaigns know which elections you’ve voted in, what party you’re affiliated with, your demographics, contact information, and anything else of note they want attached to your profile. They run bulk data, built from several databases including state motor vehicle registries, USPS address books, and municipal election departments, through database canvassing apps. For example, NGP VAN is the database software and host most used by Massachusetts campaigns affiliated with the state’s Democratic Party to manage voter information and canvass results.
If campaigns aren’t careful, these databases could easily be stolen. Thankfully, according to SecurityScorecard, “all candidates and their technical third parties have a ‘B’ score or above.”
Sanders’ and Warren’s campaigns use Cloudflare as a content delivery network, which means that their campaign infrastructure is hosted on multiple servers worldwide, making it harder to penetrate. In addition, Cloudflare lets campaign staff members securely log in to communication and management applications through their browser.
“We at Cloudflare have seen many election-related cyber challenges firsthand,” the company said in a blog post. “In the 2016 U.S. presidential campaign, Cloudflare protected most of the major presidential campaign websites from cyberattack, including the Trump/Pence campaign website.”
For the websites themselves, many of the candidates use the hosting platform Pantheon, which works with WordPress and Drupal content-management systems, among others. Pantheon uses Google Cloud Platform, which is monitored 24/7. All of these third-party solutions have authentication as well.
“These companies are uniquely positioned to best understand the threats that are posed,” said SecurityScorecard, “and any improvements to a security posture made by a single company enhances the security posture of all customers using the platform or service.”
SMBs should look at how these campaigns use third-party vendors that have an emphasis on data protection and security. Of course, sometimes what might look secure can actually be an illusion.
“Despite overall positive cyber posture,” says SecurityScorecard, “there were problematic findings with the non-sanctioned websites and applications.”
In one case, a third-party community event management application supporting Andrew Yang was found to have a cross-site scripting (XSS) vulnerability, one of the most common security vulnerabilities today, in its pages. Because the browser runs script injected into a page as though it came from the site itself, an attacker can input malicious JavaScript that allows your account credentials to be compromised. In some cases, the attacker can even gain control of your browser remotely.
As we venture further and further into the 21st century, it is clear that the dissemination of policy information and the engagement of voters are becoming the most influential aspects of a campaign. Cyberattacks are ever evolving, so it is imperative that campaigns continue to innovate and find ways to secure their digital infrastructures.
These organizations and all their moving parts are creating digital frameworks that should be followed by businesses interested in keeping their customers’ data secure.