Experts Warn Lack Of Discussion Impeding Cybersecurity Preparedness

Political campaigns face huge cybersecurity threats. But too few campaign professionals take the risks seriously enough. Experts are worried.

Despite the recent hacking of high-profile users’ Twitter accounts, and reports that Russia continues its attempts to penetrate U.S. institutions and government entities, cybersecurity remains something that campaigns are thinking about only when there’s an issue. 

“Campaigns do not talk publicly about the precautions they’re taking,” said Brian Franklin, co-founder of Campaign Defense, a cybersecurity training firm. “But while I think state parties are making slow progress, most campaigns seem to be ignoring the issue and addressing only when a problem comes up. The lack of discussion about it is concerning and will likely be an increasing problem as we get closer.” 

Some experts are advising political professionals to operate with an “assume breach mentality” from now until Election Day.

It’s advice they’re offering not just to campaign professionals but also to advocates and reporters covering the national horserace and even think tanks.

“As we’re entering this period between now and November, I think it’s absolutely to be expected that there will be a higher level of activity,” Jan Neutze, who heads Microsoft’s Defending Democracy Program, told C&E in a recent interview. 

Practitioners need to have the mindset to be constantly monitoring and investigating their own and their organization’s digital protections, Neutze said. 

While cyber threats had decreased early on during the pandemic, they’ve spiked back up, he said. “We’re seeing a constant drumbeat of nation-state activity.”

He added: “One of the things that is so challenging is the combination of cybersecurity threats and then exploiting that for disinformation purposes.” 

In terms of specific threats, Neutze said domain spoofing remains a popular avenue of attack, one that involves hackers creating a fake domain that looks like an organization from which the recipient would expect to receive emails. Another is “password spray attacks.”

“They try in large volumes to essentially crack passwords,” he said, noting that multi-factor identification deployed across your entire digital ecosystem “can really help secure yourself against these types of attacks.”

Campaigns remain a prime target, but if hackers or cyber criminals don’t have luck with the organization itself, they’ll start to target its vendors and advisors.

“Security is only as good as its weakest link,” Neutze said. “That’s why it’s imperative that campaigns are very intentional about what technology they use and the minimum baselines they set for folks they have to share files with and so on.” 

As part of its Defending Democracy Program, Microsoft recently made available patches for Windows 7, which was released in 2009. The company had pledged to support the software for a decade but extended that because “a relatively small but still significant number of certified voting machines in operation [are] running on Windows 7,” it said in September.  

“We didn’t want there to be any reason whatsoever why folks wouldn’t have access to these security patches,” said Neutze. “Some [elections officials] have the challenge that due to budget limitations they’re running some legacy applications and software where patches don’t exist anymore.” 

In fact, some cybersecurity experts view voting infrastructure as possibly a bigger target for countries like Russia that are bent on electoral interference. 

“The biggest problem that makes this threat real, is it’s not impossible for nation states to gain access to these [voting] devices even a year before the election happens,” said Quentin Rhoads-Herrera, director of professional services at CRITICALSTART, a cybersecurity services provider.

He advised elections officials to use network monitoring services and industry-standard encryption when data is at rest and when it’s sent. 

“If I vote for person X and that becomes a data point that’s sent to another device, it’s signed before it’s sent,” said Rhoads-Herrera. “That just confirms that data hasn’t been altered. That’s a common practice in things like banking apps.”

The recent HBO documentary “Kill Chain: The Cyber War on America's Elections,” highlighted the vulnerability of many voting systems in America today. 

Rhoads-Herrera echoed that, noting that most companies don’t want their machines tested by outside experts for fear that the vulnerabilities could be shared publicly. 

“These developers of voting machines, they’re not looking for widespread testing of their machines,” he said. “It’s an extremely real risk.”