Cybersecurity a concern for candidates on 2016 campaign trail
Experts say hackers likely to target front-runners, disrupt election
By Gary Stoller, ThirdCertainty
As the race to replace President Barack Obama heats up, so too will cyber attacks by, for and against the front-runners.
With the official start of the U.S. presidential primaries just underway, that scenario already has begun to unfold. And cybersecurity experts fully expect more to come.
In December, Democratic hopeful Sen. Bernie Sanders fired his national data director, Josh Uretsky, after staffers accessed data that belonged to Hillary Clinton’s campaign.
And the loose-knit, but impactful hacking collective Anonymous already has fired off two major barrages against Republican front-runner Donald Trump. The most recent was a defacement of the 2016 Iowa Caucus website in response to former Alaska governor and 2008 Republican vice presidential candidate Sarah Palin’s boisterous endorsement of Trump.
Earlier, Anonymous hackers organized a Distributed Denial of Service (DDoS) attack that temporarily disrupted the website for Trump Tower New York after Trump spewed inflammatory remarks against Muslims.
Such attacks “will get worse and more personal,” predicts John McCormack, the CEO of cybersecurity company Forcepoint (formerly Raytheon Websense). Look for candidates’ campaign apps to be hacked, Twitter feeds hijacked, and voters targeted with phishing attacks, he says.
In October, the InfoSec Institute, which provides information security training, evaluated the security of each Republican and Democratic candidate’s website.
The institute credited all candidates for using HTTPS, the widely used Web protocol for secure communications. However, InfoSec also found various security problems, including two candidates using unsecured WordPress sites that exposed lists of users and other information.
The most security-minded candidate: Republican Ben Carson, whose campaign website earned an “A” grade from InfoSec. The websites of Trump and Democratic candidate Hillary Clinton received a “B,” and those of Sanders and Republican candidate Jeb Bush a “C.”
Such nuances tend not to escape alert Anonymous operatives. Like most organized hacktivists, the collective has “an anti-establishment bent,” says John Dickson, a principal with software security consultancy The Denim Group, noting that Anonymous has endorsed Sanders.
“Trump seems to have gotten under their skin,” Dickson says. “It’s surprising that (Texas senator and Republican candidate) Ted Cruz hasn’t crossed their radar screens yet.”
Social media opens door to attacks
The presidential hopefuls from both major parties are expected to make unprecedented use of Twitter, Facebook, Instagram and other popular social media tools. This only widens the “attack surface” for over-zealous supporters and ideologues, observes Bob Hansmann, director of product security at Forcepoint.
Besides attacking the candidates, hackers almost certainly will attempt to victimize individual voters, as they capitalize on current events to foist bogus donation campaigns on political donors, experts say.
Hansmann foresees a variety of cyber attack scenarios, which he categorizes as follows:
- Intentional outsider attacks. Source: hacktivist collectives, competing campaigns or nation-states with a range of motives.
- Accidental insiders. Source: Well-intentioned campaign staffers who share sensitive information in an unsecure manner via social media, cloud apps and personally owned mobile devices.
- Physical mistakes. Source: Inattentive staffers or supporters who leave a laptop or memory stick out in the open, even for a brief period of time, resulting in a proactive breach.
Some attacks, like Anonymous’ DDoS attack on the website of Trump’s signature New York skyscraper, cause only superficial damage and are easily repaired.
That attack was “in line with Anonymous’ modus operandi—strident statements, high-profile stick-in-the-eye attacks against the ‘bad guy,’ and then moving on to other focus areas,” Dickson observes. “They don’t have a history of focused, sustained attacks like that of a nation-state.”
But as in any war, small arms fire can be a prelude to a major assault. A flush of smear campaigns leveraging social media channels would not be surprising, for instance, Dickson says.
And Hansmann believes it’s possible that foreign governments could initiate cyber attacks with the intention of tilting the balance in favor of candidates they support, for whatever tactical reason. That objective must “have significant gains against the potential risk of disclosure,” he says.
Hansmann notes that an overt offshore cyber attack against an election system took place four years ago when IP addresses in foreign countries made thousands of requests for Florida absentee ballots to the Miami-Dade County elections website. The requests were rejected, and the motive remains unknown, he says.
Digital voting systems are a singular concern. In 2010, a security researcher in India was arrested after demonstrating the country’s voting machines could easily be hacked. Last year, Virginia’s State Board of Elections banned touchscreen voting machines used by more than 560 precincts. The machines, which had been used in elections for more than 10 years, were found to be insufficiently secured with poor password controls that left them susceptible to intrusion.