The 2016 hack of the Democratic National Committee marked a watershed moment for election security, showing how Western elections could be swayed by the click of a mouse.
Three years on and with the European elections taking place this week and the US presidential elections next year, are political parties now better prepared to fight off cyber meddling?
Cyber risk analysis firm SecurityScorecard carried out research into 29 political entities across 11 countries in North America and Europe to find out.
“Clearly, nation states are interested in participating in other nation states’ elections,” said Jasson Casey, chief technology officer at SecurityScorecard.
“The real question is: ‘have the political parties buttoned up, have they got better?’”
The New York-based firm found mixed results. While the Republicans and Democrats appear to have improved their cybersecurity postures in the wake of the 2016 election, smaller parties in the US and Europe are lagging behind.
There were also a number of alarming vulnerabilities discovered, including a US political party leaking voter data, a French political party using outdated authentication products and a European Union (EU) endpoint infected with malware.
To come to these conclusions, SecurityScorecard used their platform to gather data on a range of cybersecurity factors between January and May this year.
This included application security, DNS health and patching cadence, among others. Pooling all of this data together into an overall score per party, they were able to create an overview of how well prepared political parties in the US and Europe are for another cyberattack on the democratic process.
Here’s the geographical breakdown:
Political party cybersecurity: Europe
Of the 11 countries analysed, Swedish political parties came out with the highest overall cybersecurity rating. Meanwhile, political parties in France show “systematically lower security ratings” than all of the countries analysed.
Both French and Spanish parties were found to be using authentication systems that could be exploited to harvest usernames and passwords.
The report suggests that the yellow vest protests in France could be motivating hacktivists to target French political parties, bringing their scores down.
Most strikingly, Gamarue malware was discovered on an EU endpoint – a server, desktop or laptop – that’s “likely” running a Windows operating system.
Gamarue is capable of logging keystrokes and stealing files, and “often propagates via USB vectors or classic spearphishing,” explains Paul Gagliardi, a threat researcher at SecurityScorecard.
“The malware is likely on an endpoint, not a website,” adds Casey. “It’s likely on an endpoint in a network that is basically coming out of a network administered by the [European] Union itself. That’s where the Europa.EU domain comes from – it doesn’t necessarily mean it’s serving that domain.”
“We received a callback from that malware family and we can attribute it to an IP address,” says Gagliardi. “And then through the internet registry and other records, we can find that the IP address is somehow associated with the EU.”
SecurityScorecard can’t determine what endpoint it is on and therefore cannot establish how serious it is.
“Is the malware finding on a researcher’s desktop, where they’re purposely detonating it? It’s unlikely, given the environment, but that’s always a scenario,” adds Casey.
Political party cybersecurity: UK
In the UK, the Liberal Democrats came out with the highest overall score, followed by the Labour Party, the Conservatives, UKIP and the Green Party. In fact, the Lib Dems scored highest in all areas apart from application security, for which UKIP took the top spot.
SecurityScorecard researchers also discovered an unencrypted login portal using clear text authentication for a Conservative party email marketing campaign platform called the Pure Campaign app.
“The implications of clear text authentication are that you’re making it easier for adversaries to basically harvest credentials or usernames and passwords from anyone that might use that site,” says Casey.
Given that many people reuse the same password across multiple accounts, hackers could exploit this flaw to steal passwords and attempt to use them to break into other accounts.
“It’s easier for people who sit in between the user and the website to learn what those credentials are,” adds Casey.
“It could be a network administrator, it could be someone on a local access network, it could be an open Wi-Fi network. So basically anyone along the path from the host computer to the server would be able to see those credentials in the clear.”
Application security was the biggest risk for the majority of UK political parties, with the Greens scoring lowest with 38 out of 100.
Political party cybersecurity: US
In the US, the Green Party came out on top overall. The Republican Party came in second, with the Democrats lagging behind in most areas of cybersecurity. However, both parties have improved after “significant investments” since 2016.
“We generally saw a strengthening of posture across those two organisations,” said Casey.
But while they are both “running a reasonable operation”, there was one alarming discovery concerning a US party.
An unnamed “major” US political party was “programmatically leaking a voting validation application”.
This meant personal details such as names and dates of birth could be stolen and potentially used in identity theft and fraud.
Meanwhile, the Libertarian Party came in last place out of the four US parties analysed, thanks to poor DNS health.
SecurityScorecard said it has notified all parties of any security vulnerabilities.
While the findings show that things are getting better in the US, there’s no room for complacency, warns Casey.
“Security is a game of the weakest link, and with a determined adversary they’re still going to be able to go after certain individuals from their private infrastructure – personal targeting,” he said. “So I don’t think the problem is going away by any stretch of the imagination.”