Report: U.S. political parties need to shore up cyber

Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from SecurityScorecard.

In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses.

Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

"I think when you're trying to defend against something like a nation-state attacker you have to be extremely buttoned up and within hours we were finding indications that these parties were simply not to that level," said Paul Gagliardi, a threat researcher at SecurityScorecard in an interview.

The Republican National Committee scored higher than its Democratic counterpart. The Green Party earned the highest score while the Libertarian Party scored lowest.

While the DNC's score lagged behind those of the RNC "in almost all categories" measured, Gagliardi said the security posture of both organizations were comparable. Both still have worrying "low-hanging fruit" to deal with but are still operating on a higher level than past election cycles.

In addition to the parties' fundraising and coordinating bodies, there has been a substantial effort to improve the cybersecurity posture of individual campaigns. Earlier this year, the DNC rolled out an updated security checklist for candidates to ensure that cybersecurity best practices are followed from a campaign's inception.

The Federal Election Commission is mulling a proposal to allow campaigns to accept free or low-cost IT assistance from non-profits without running afoul of campaign finance laws against accepting donations.

Still, Gagliardi said the research shows there are still weaknesses to be addressed at the party level.

"They're in this weird position where they're potentially being targeted by nation-state capabilities but they don't have the defenses or funds of the industries that normally defend against that threat," said Gagliardi. "It raises the question: do they even have the funds or people to properly defend themselves?"