Cybersecurity a concern for candidates on 2016 campaign trail

Experts say hackers likely to target front-runners, disrupt election

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

As the race to replace Pres­i­dent Barack Oba­ma heats up, so to will cyber attacks by, for and against the front-run­ners.

With the offi­cial start of the U.S. pres­i­den­tial pri­maries just under­way, that sce­nario already has begun to unfold. And cyber­se­cu­ri­ty experts ful­ly expect more to come.

In Decem­ber, Demo­c­ra­t­ic hope­ful Sen. Bernie Sanders fired his nation­al data direc­tor, Josh Uret­sky, after staffers accessed data that belonged to Hillary Clinton’s cam­paign.

Free resource: Plan­ning ahead to reduce breach expens­es

And the loose-knit, but impact­ful hack­ing col­lec­tive Anony­mous already has fired off two major bar­rages against Repub­li­can front-run­ner Don­ald Trump. The most recent was a deface­ment of the 2016 Iowa Cau­cus web­site in response to for­mer Alas­ka gov­er­nor and 2008 Repub­li­can vice pres­i­den­tial can­di­date Sarah Palin’s bois­ter­ous endorse­ment of Trump.

Ear­li­er, Anony­mous hack­ers orga­nized a Dis­trib­uted Denial of Ser­vices (DDoS) attack that tem­porar­i­ly dis­rupt­ed the web­site for Trump Tow­er New York after Trump spewed inflam­ma­to­ry remarks against Mus­lims.

Cam­paign inse­cu­ri­ty

Such attacks “will get worse and more per­son­al,” pre­dicts John McCor­ma­ck, the CEO of cyber­se­cu­ri­ty com­pa­ny For­ce­point (for­mer­ly Raytheon Web­sense.) Look for can­di­dates’ cam­paign apps to be hacked, Twit­ter feeds hijacked, and vot­ers tar­get­ed with phish­ing attacks, he says.

In Octo­ber, the InfoS­ec Insti­tute, which pro­vides infor­ma­tion secu­ri­ty train­ing, eval­u­at­ed the secu­ri­ty of each Repub­li­can and Demo­c­ra­t­ic candidate’s web­site.

The insti­tute cred­it­ed all can­di­dates for using https, the wide­ly used Web pro­to­col for secure com­mu­ni­ca­tions. How­ev­er, InfoS­ec also found var­i­ous secu­ri­ty prob­lems, includ­ing two can­di­dates using unse­cured Word­Press sites that exposed lists of users and oth­er infor­ma­tion.

The most secu­ri­ty-mind­ed can­di­date: Repub­li­can Ben Car­son, whose cam­paign web­site earned an “A” grade from InfoS­ec. The web­sites of Trump and Demo­c­ra­t­ic can­di­date Hillary Clin­ton received a “B,” and those of Sanders and Repub­li­can can­di­date Jeb Bush a “C.”

Such nuances tend not to escape alert Anony­mous oper­a­tives. Like most orga­nized hack­tivists, the col­lec­tive has “an anti-estab­lish­ment bent,” says John Dick­son, a prin­ci­pal with soft­ware secu­ri­ty con­sul­tan­cy The Den­im Group, not­ing that Anony­mous has endorsed Sanders.

Trump seems to have got­ten under their skin,” Dick­son says. “It’s sur­pris­ing that (Texas sen­a­tor and Repub­li­can can­di­date) Ted Cruz hasn’t crossed their radar screens yet.”

Bob Hansmann, Forcepoint director of product security
Bob Hans­mann, Raytheon Web­sense direc­tor of prod­uct secu­ri­ty

Social media opens door to attacks

The pres­i­den­tial hope­fuls from both major par­ties are expect­ed to make unprece­dent­ed use of Twit­ter, Face­book, Insta­gram and oth­er pop­u­lar social media tools. This only widens the “attack ser­vice” for over-zeal­ous sup­port­ers and ide­o­logues, observes Bob Hans­mann, direc­tor of prod­uct secu­ri­ty at For­ce­point.

Besides attack­ing the can­di­dates, hack­ers almost cer­tain­ly will attempt to vic­tim­ize indi­vid­ual vot­ers, as they cap­i­tal­ize on cur­rent events to foist bogus dona­tion cam­paigns on polit­i­cal donors, experts say.

Hans­mann fore­sees a vari­ety of cyber attack sce­nar­ios, which he cat­e­go­rizes as fol­lows:

  • Inten­tion­al out­sider attacks. Source: hack­tivist col­lec­tives, com­pet­ing cam­paigns or nation-states with a range of motives.
  • Acci­den­tal insid­ers. Source: Well-inten­tioned cam­paign staffers who share sen­si­tive infor­ma­tion in an unse­cure man­ner via social media, cloud apps and per­son­al­ly owned mobile devices.
  • Phys­i­cal mis­takes. Source: Inat­ten­tive staffers or sup­port­ers who leave a lap­top or mem­o­ry stick out in the open, even for a brief peri­od of time, result­ing in a proac­tive breach.

Some attacks, like Anony­mous’ DDoS attack on the web­site of Trump’s sig­na­ture New York sky­scraper, cause only super­fi­cial dam­age and are eas­i­ly repaired.

That attack was “in line with Anony­mous’ modus operandi—strident state­ments, high-pro­file stick-in-the-eye attacks against the ‘bad guy,’ and then mov­ing on to oth­er focus areas,” Dick­son observes. “They don’t have a his­to­ry of focused, sus­tained attacks like that of a nation-state.”

Polit­i­cal motives

But as in any war, small arms fire can be a pre­lude to a major assault. A flush of smear cam­paigns lever­ag­ing social media chan­nels would not be sur­pris­ing, for instance, Dick­son says.

And Hans­mann believes it’s pos­si­ble that for­eign gov­ern­ments could ini­ti­ate cyber attacks with the inten­tion of tilt­ing the bal­ance in favor of can­di­dates they sup­port, for what­ev­er tac­ti­cal rea­son. That objec­tive must “have sig­nif­i­cant gains against the poten­tial risk of dis­clo­sure,” he says.

Hans­mann notes that an overt off­shore cyber attack against an elec­tion sys­tem took place four years ago when IP address­es in for­eign coun­tries made thou­sands of requests for Flori­da absen­tee bal­lots to the Mia­mi-Dade Coun­ty elec­tions web­site. The requests were reject­ed, and the motive remains unknown, he says.

Dig­i­tal vot­ing sys­tems are a sin­gu­lar con­cern. In 2010, a secu­ri­ty researcher in India was arrest­ed after demon­strat­ing the country’s vot­ing machines could eas­i­ly be hacked. Last year, Virginia’s State Board of Elec­tions banned touch­screen vot­ing machines used by more than 560 precincts. The machines, which had been used in elec­tions for more than 10 years, were found to be insuf­fi­cient­ly secured with poor pass­word con­trols that left them sus­cep­ti­ble to intru­sion.

More on cyber­se­cu­ri­ty:
The fed­er­al gov­ern­ment needs a cyber­se­cu­ri­ty marathon, not a sprint
Third-par­ty ven­dors are the weak links in cyber­se­cu­ri­ty
Wors­en­ing IRS hack shows cyber­se­cu­ri­ty too low a pri­or­i­ty

 


Posted in Cybersecurity, Featured Story