Cybersecurity of Major U.S. and European Political Parties Found Wanting
SecurityScorecard’s latest report analyzes the visible security posture of leading U.S. political parties and those from ten EU countries. The selected U.S parties are Republicans, Democrats, Greens and Libertarians. The European national parties varied by nation, but for example comprise LibDems, Labour, Conservative, UKIP and Greens in the UK. In total, 29 political parties from 11 countries were analyzed.
Four risk categories were examined during Q1, 2019. These were application security (including detectable vulnerabilities), DNS health (looking at DNS configurations), network security (including open ports and SSL certificate issues), and patching cadence (software updates and patching frequency).
Apart from examining individual parties, the report (PDF) also combines results by nation to provide a general view of national political security cadence. Where any party has a much smaller server real estate than others (for example, the Greens in both the U.S. and the UK), or where one nation has fewer political parties than other nations, a process of normalization was employed to ensure a consistent result.
Overall, Sweden, followed by Northern Ireland has the most secure political parties, according to SecurityScorecard. The U.S. scores fifth, while the UK is a lowly ninth out of eleven. France comes last. These figures are somewhat surprising. Given the publicity following the U.S. DNC attacks in 2016, and the continuing concern about foreign interference in U.S. elections, it would be easy to expect better than fifth place.
Similarly, although not so publicly, the UK’s Brexit referendum was subject to Russian IRS manipulation. Britain’s public aspiration is to be the ‘best country in the world in which to conduct business’ (a government mantra dating back to Tony Blair’s premiership). In March 2017, the UK’s National Cyber Security Center (NCSC, part of GCHQ) wrote to British political parties to warn about “the potential for hostile action against the UK political system.” Given this direct warning and ongoing advice from the NCSC, ninth out of eleven is also disappointing.
SecurityScorecard’s process is to analyze, without warning, those aspects of a server that are visible from or over the internet. The results are calculated as a score out of 100. The internal working of the server, the network and the security controls in place are not examined; so, this is not a security audit. Nevertheless, where any firm displays poor security habits that can be seen, there is an implication that a poor security attitude may spread deeper into the infrastructure.
Within the U.S., the Democratic party (DNC) security score consistently lags that of the Republican party (RNC). This is no change from the status before the 2016 DNC hack. While both parties have made progress in their security posture, problems remain. For example, DNC is using Okta MFA; but in one instance the initial URL of a calendar application is served unencrypted over HTTP. “A motivated attacker could MitM (Man in the Middle) the beginning of this session, redirecting the calendar authentication to a bogus instance of Okta, harvest the user’s credentials and still send the 2FA mechanism as normal,” warns SecurityScorecard.
For the RNC, a completely unencrypted login to what appears to be an RNC-API (Application Programming Interface) server was discovered.
Within the U.S., the Green Party (92.5) presents the best security posture, followed by RNC (87.2), DNC (83.5) and finally the Libertarian Party (78.1). The Libertarians would have fared better but for a very low score in ‘DNS health’, primarily for the lack of Sender Protection Framework (SPF) for its domain names. Elsewhere, it scored better than both the RNC and DNC for ‘network security’, and ‘patching cadence’.
Within the UK, the overall scores had LibDems (92.9) first, followed by Labour (88.8), Conservatives (85.6), UKIP (75.5), and the Green Party (62.5) last.
Elsewhere, SecurityScorecard found a French political party with an insecure login system to its mail platform, where users and passwords are sent in plaintext over an unencrypted channel. In Spain, an expired certificate is used on a subdomain being used for federal taxes. In the UK, the Conservative party hosts a login to their PureCampaign application via an un-encrypted login portal. “Although the credentials are sent to the server via a secure manner,” warns SecurityScorecard, “this represents poor security design and presents a risk to a simple MitM or social engineering attack.”
Perhaps the headline discovery, however, is that an IP space designated to the EU shows signs of Gamarue malware infection. Gamarue is a Windows-based data stealer, and the EU Parliament elections are being held this week on Thursday, May 23,2019. While without analyzing the network infrastructure SecurityScorecard cannot say what Gamarue was doing (it could, for example, have been a security researcher working on the malware), it did detect Gamarue’s beaconing signals.
Overall, the security posture of U.S. and EU political parties is disappointing. The DNC hack should have been a warning for all parties to up their security game. While there has been some improvement, all parties should still do better. Their function in life is to be elected to government, Free elections are the backbone of democracy, so it is no exaggeration to say that democracy itself is threatened by poor online security.
While election meddling by social media manipulation is common, this has in the past been largely done at scale by nation states. The danger for the future is that mainstream cybercriminals decide this is a lucrative market. Data could be stolen and sold, or simply held to ransom. Or it could be done by transnational affiliations. In March 2019, F-Secure analyzed 24 million Brexit-related tweets. It concluded that the pro-leave results were largely manipulations, while the pro-remain tweets were largely organic. But it further found that the leave tweets did not primarily emanate directly from Russia (as may have been expected from recent history) but from loosely allied far right groups on both sides of the Atlantic.
Attempts to influence elections via social media and other online activity will continue. And it is equally clear following the 2016 DNC hack that stolen data can make this easier and potentially more effective. It is therefore incumbent on all political parties that they gain and maintain maximum security for their online estates. They haven’t yet done this.