CyberWire Daily - The U.S. campaign trail is actually quite secure. [Research Saturday]
Episode Date: May 9, 2020
Multiple media reports have indicated that the United States' (U.S.) 2020 general election could be targeted by foreign and domestic actors after the successful cyber and misinformation attacks during the 2016 general election. The responsibility of secure and ethical online campaigning has become a central issue in the 2020 election. In some cases, it has become part of candidate platforms. Joining us in this week's Research Saturday is Paul Gagliardi from Security Scorecard, discussing their recent report detailing the cybersecurity of the 2020 Presidential race. The research can be found here: 2020 Democratic Presidential Candidates Get Smart to Cybersecurity Report
Transcript
You're listening to the CyberWire Network, powered by N2K.
... data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We did a report about six months prior where we looked at the cybersecurity of all the political parties, both small and large, domestic and abroad.
That's Paul Gagliardi. He's the head ... Cybersecurity, a detailed investigation by the Security Scorecard Threat Intelligence team.
We got really good coverage with that, especially following the well-reported interference attempts at the election in 2016. We wanted to make sure that we're seeing some changes both in the political parties and the candidates themselves as it relates to their cybersecurity posture. So give me an idea of
what you were setting out to examine here. So with the political party report, we really just
wanted to assess their maturity level and how seriously they seem to be taking cybersecurity
from an external only perspective and without being intrusive or needing permission to necessarily pen test. In that report, we were somewhat disappointed in
the parties themselves. There were some glaring holes in some minor parties and especially those
abroad. The two main parties in the U.S. seem to have their act together to a degree, but there
was certainly room for improvement. So when we took a glance at this,
at the specific candidates, I was anticipating sort of the same results that we'd have varying
quality of defense systems or maturity in place. To our surprise, they seemed to be well positioned.
We used our tool to sort of start off the interrogation and we really dug into the entire external footprints of these
candidates. And after looking at the parties, I was anticipating some large holes or flaws in their
software or their defense mechanisms, and that really wasn't the case. So as an American voter,
I was proud to say that it does seem that the candidates themselves are taking cybersecurity
and the hygiene of that quite
seriously. Well, can you give us some insights? What is the setup of a typical political campaign
that's being run at this level in terms of the types of things that would require their attention
when it comes to cybersecurity? I mean, at this point, a campaign is almost completely digital.
And to reach their constituents from email to marketing to now virtual campaigns to accepting donations to just organizations,
it requires a litany of different technical resources and types of offerings.
So to properly simulate or properly stand up a campaign, you have to leverage quite a few different technical disciplines in terms of being able to accept donations securely, being able to maintain a list of all those voters or potential voters that you're trying to market to.
It's probably matured quite a bit since 30 years ago where it was, you know, paper and paper and pencil and door knocking.
It's now primarily, I would guess, a digital exercise.
And I suppose it's fair to say these are basically high-velocity small businesses.
Yeah, exactly.
It's akin to almost a startup.
They have very specific goals, and they are focused primarily on that.
And we've seen in other startups that to get that product out to market, they'll sometimes be
lackadaisical about other things. And that's not necessarily their fault. It's just that their
business requirements are to get the product or get their offering out there. Just as with this
political campaigns, their objective is to get
their message and to reach voters. And we were initially anticipating that perhaps that blinded
by that objective only, they might be lax about cybersecurity. And I'm happy to say it doesn't
seem like that was the case, that they balanced their objectives with also promoting cybersecurity
defenses and proper hygiene in balance with those objectives,
which is the job of any CISO.
My job is to implement defense or policy,
but also balance that with how that's going to impact my business or my primary objectives.
Well, let's walk through the research here together.
What were some of the areas that you examined?
So our product is, you can think of
it sort of like a credit rating here at Security Scorecard. We offer a credit rating, except it's
representative of your cybersecurity posture. So it's an A through F letter rating, and it's often
used in third-party risk or vendor risk management. So the grades updated every single day, and if I'm
a Fortune 500, I might want to
know of all the 10,000 vendors that I use, which ones of those are risky or having some signs or
indicators of compromise that might be reflective of a future breach. So we put that tool and we
pointed it towards all of the, I think at the time there was 15 or so candidates and sort of let it do its thing and create a risk rating.
On top of that, the research team really dug into the specific findings to contextualize them,
to maybe expand on the types of things that our product doesn't do at scale.
And part of that is sort of defining a digital footprint.
So, you know, if I look at Bernie Sanders, what are all of his digital assets that are public facing in the Internet?
And that's sort of the foundation of what we call a scorecard.
So if we can define all those assets and then start to look for hygiene issues as it relates to how they're configured or how they were purchased or how they were deployed, that's sort of what starts the process. On top of that, we then were really digging into
maybe more in-depth types of findings without being intrusive or requiring permission. We
obviously never stepped over any legal boundaries, but we had ex-pen testers that were
making sure everything within those offerings, say the website that accepts donations, etc.,
all the I's were dotted and T's were crossed.
Well, let's go through some of the specifics together. Can you share some of the specific
things that you took a closer look at? I think one thing that was really interesting where we
found some egregious findings were applications that are not necessarily sanctioned by the
campaign manager or by the candidate, but they do represent
potentially the user base of that voter. So for Andrew Yang, there was a sort of a website where
you can organize with other constituents and plan events or just communicate. It's not an
officially sanctioned Andrew Yang website, but to your common voter, it might not be clear that it's not.
And we went through that same rigorous testing. And with that application, it was just completely void of any security controls. We were able to quickly show a cross-site scripting error
where if we were malicious in nature, we could have exploited quite a number of users. We did
disclose that to the creators of the website. We never heard back. I actually tried to reach out to Andrew Yang's
campaign as well, just to let them know that, you know, even though you're not officially
developing this application, it is impacting potentially your voters. I didn't hear back
from him either. But that's one example of sort of the egregious findings that we did see.
I was hoping from a research perspective,
we'd find more examples like that. Luckily, as an American voter, we didn't find many of those
on their official campaign applications or product offering. Yeah, there's some interesting
things you dig in here. One of them is you looked at the top hosting platforms that they were using and it seemed like one organization
stood out from the crowd. Can you take us through what your research found here? Yeah, so we quickly
deemed that it seems like when you set up a digital campaign, you're not writing any of this software
or your applications yourself. You're leaning on third parties that provide an offering that does
that specifically. And I think with my CISO hat on, I think that's the right approach.
I don't want to necessarily write my own donation acceptance software or my mass emailing campaign.
Like there's a well-tried and true products that have been vetted by security professionals, are used across industries.
And that's the approach seemingly that these candidates took. I wouldn't be surprised even
though I haven't verified it, but I would guess that the DNC or some other organization like that
likely offered a, hey, if you're going to set up a campaign, here are some vendors that we
at least recommend. I'm sure it wasn't mandated. But if I had to guess, it was
sort of like the DNC offered a candidate in the box, and here's the vendors that you can go to.
And there's a litany of them. They offer different types of services from ActBlue
to Mobilize America, Action Kits. They offer different types of either platforms or
services to those candidates.
And we applied the same rigorous testing to those vendors.
So our product is designed to assess the risk of using a vendor.
So we just pretended I was the CISO of the DNC.
And it's like, okay, let's assess all these third parties that people seem to be recommending
to our candidates.
And again, luckily, there wasn't any glaring
holes. I was anticipating to find some large security vulnerabilities or just really poor
hygiene in these vendors, and they also have their act together. I look at a lot of other
companies in different sectors or different parts of this world, and that's just not true.
Like just a basic pen test
or a basic security assessment will find glaring holes. With the candidates and their third parties
that they chose, they are taking cybersecurity seriously as from what we can see externally.
I obviously have no insight into necessarily their policies or their training of employees,
but from what they expose externally, I would say that it does seem like
they learned their lessons from 2016. Yeah. And looking at your results here, I mean, pretty much
across the board, I think it's fair to say overall they got high marks.
Yeah. You know, there were some lower or higher ones. I always caveat our grading with
a B or an A is actually quite good.
We've proven that if you have a C, D, or F, you're five times more likely to be breached. We've
validated that internally and had an insurance underwriter validate that as well. So the
difference between a 97 and 94, I generally don't pinpoint on that much. All the candidates were
within the high B to A range. The same can
be said about their third parties. If there was like a C, D, or F, that's where I would really
raise the alarm. But I don't necessarily consider that much of a difference between a 97 and 94,
but we did define that in the report. Were there any particular areas where they needed some attention? It's a lot of general web security application development hygiene,
like how you redirect from an HTTP to an HTTPS site.
There's a really secure way to implement that.
For some of these candidates, they might have been missing old tags,
especially if you view it in an outdated browser.
Again, the exploitability of that at
scale or the importance of that is maybe not as impactful as, say, having a database open on the
internet or something like that. Again, the findings were rather hygienic. If you really
wanted to get in the weeds, there were some basically web application development processes
that they could improve on slightly.
And we're also happy to share this for any candidate that wants to join this platform.
I guess they're sort of ceasing their campaigns at this point.
But we're happy to share that and let them access the platform and have the full details of what are those hygiene findings that we're showing them.
You know, obviously, one of the things that takes place
in any political campaign is fundraising. You've got a lot of money exchanging hands there,
and that can put a target on your back. What sort of stuff did you see when you looked at the
various platforms that these candidates use for fundraising? So we didn't necessarily know how
they're storing that money or accounting for it.
It does seem like they're leaning on third parties such as ActBlue or ActionKit or BlueState.
These are sort of platforms that are able to take in money via either PayPal or some other sort of point-of-sale system to securely transact that.
I'm happy to say that no campaign attempted to implement that themselves.
That's not an easy task to properly, you know, securely parse credit card information,
enact the transaction, and follow through with that. So they leaned on third parties,
which is exactly what, if you or I were developing a website to try to accept
donations, you wouldn't write it yourself. And the candidates heeded that recommendation. So, I mean, it's one of the take-homes here that, you know, in this era,
after some of the things we went through in 2016, I guess the campaigns have taken notice and
they've adopted so many of these best practices. It seems like overall they're up to speed.
Yeah, I would say that a year ago, the parties were getting there, but they weren't there yet,
especially the minor ones. They were not taking cybersecurity as seriously as I'd hoped. In this 2020 election, late 2019 candidates, I would say overall the message was sent quite clearly to
them. And I would think that the DNC, who we've worked with in the past, had a lot to do with that.
I'm guessing there's legal reasons that they can't mandate exactly how you implement it, but they probably had strong recommendations of how to set up a campaign in a modern digital era.
With that said, we certainly don't conclude or assert that these campaigns are invulnerable to attacks, especially sophisticated attacks.
You know, it's my opinion that a Fortune 5 bank that invests billions of dollars into cybersecurity defense cannot necessarily declare their defenses are risk-free of a very sophisticated actor.
It's impossible as a CISO to ever think that you've defended that level of attack and sophistication that varies from physical access to zero days to in-person human intelligence.
And that is potentially an attack vector for these campaigns.
So they do need to be aware that that's an attack vector.
I don't think anyone can ever conclude that they're safe from that.
But all signs point to that I can't necessarily test that level of attack.
All signs point to that they are taking it seriously.
And they're as well defended potentially as someone could be to that level of sophistication.
But by no means am I saying that there's not going to be a successful attack in the
following primary or general election. But I suppose, in general, as you mentioned, for American
voters, this is good news that at least the things you are able to look at, the proper
attention is being paid. Yeah, I would say from my research side and my,
you know, my offensive side, I wanted to find stuff just to, you know, appease our curiosity
and fun. But yeah, when I think about being an American and a voter, I am relieved that
it seems that the heat has been called by the candidates to take this seriously. And I,
you know, the scrutiny, we as voters and those of us in the cybersecurity realm need to continue applying that pressure for these parties and candidates to continue to take that seriously.
I think a lot of that came from, you know, the individual voter and those of us in the industry applying that historically
and then, you know, asking questions about cybersecurity and debates
and making that a first-order citizen in a modern campaign.
Our thanks to Paul Gagliardi from Security Scorecard.
The research we discussed was titled
2020 Democratic Presidential Candidates Get Smart to Cybersecurity.
We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.