By Carolyn Crandall
May 18, 2016
It may not surprise you to see headlines like this in the news, “Foreign Hackers May Be Targeting Presidential Candidates: Spy Chief”. What however may be surprising is the inherent risk to voters, driven by the internet connected world that we live in today.
Well into the election season and heading to the big finale in November, both parties want to make sure there is a big turnout at the polls. But before that can happen there has to be a sizeable number of registered voters. I’m registered and I imagine you are too, but are we putting ourselves at risk?
That might be a strange question if it wasn’t for the recent massive Mexican data breach that put 93.4 million voter registration records on a public Amazon cloud. And the Mexico voter database breach wasn’t the only one in recent weeks. In the Philippines, about 55 million voter records were breached from Comelec—the nation’s election commission—and released publicly on the internet. The information included personal information such as name, address, e-mail address, passport information, height, weight and biometric information.
I have little doubt that criminal groups will be able to put this data to fraudulent use faster than you can say “I voted today”. And while these breaches may well be a factor of immature cybersecurity measures and poor security postures in those countries, that doesn’t mean you and I aren’t at risk.
On December 20 last year, researcher Chris Vickery contacted DataBreaches.net to say he had found a database with 191,337,174 million Americans’ voter information exposed due to a misconfiguration of the database. He admits he got quite a shock when he found his own information in it.
You may not realize this but the presidential candidates all have access to databases with all our records. So how secure are we in their hands? In December the Democratic National Committee database was hacked and information was suddenly available to all candidates. Bernie Sander’s team took advantage and used the opportunity to gather sensitive voter information from the Clinton organization. The DNC then took action to temporarily bar the Sander’s organization from access to their database—a move that might have had a significant impact on his campaign. So cyber-attacks are not only put our sensitive data at risk but now are affecting our political system.
Liberal group MoveOn.org also joined the fray, defending Sanders and attacking the DNC. “Given that it is the DNC’s responsibility to secure the voter data file, the DNC has failed in this regard—and punishing the Sanders campaign, when no evidence of malicious action has been presented, is unnecessary and misguided,” said the group’s director of analytics, Milan de Vries. “The DNC should immediately audit its vendor to ensure compliance. In the meantime, as it investigates the situation, it should restore full access to the Sanders campaign. If, in fact, the data is not secure, then access should be suspended for all campaigns until the problem is rectified.”
However, as has been the case in a number of breaches this year, the fault lay with the subcontractor, NGP VAN, who was charged with securing the database. After the breach the DNC immediately directed NGP VAN to conduct a thorough analysis to identify any users who accessed the data, what actions they took in the system, and to report on the findings to the Party and any affected campaign.
The voter file, managed by NGP VAN and maintained by the DNC, contains vital information used by campaigns to identify and monitor voters and potential supporters.
The Sanders campaign blamed NGP VAN for the breach. “Sadly, the vendor who runs the DNC’s voter file program continues to make serious errors. On more than one occasion, the vendor has dropped the firewall between the data of different Democratic campaigns. Our campaign months ago alerted the DNC to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor,” said Sanders communications director Michael Briggs.
The point here is that additional security solutions are available to detect threats that have by passed prevention systems and real time detection of attackers using deception based technology likely would have stopped this breach in its tracks. Some may feel that it wasn’t the fault of the DNC, nor the Sanders campaign that the database was left vulnerable—it is easy to fault and blame the subcontractor.
Taking a step back… Who’s fault really was it? In today’s environment security is not just the responsibility of the organization holding the data to provide assurances that their security posture is effective and reliable. It’s equally important that they determine how safe their ecosystem partner security systems are and that they have systems in place to validate the quality and performance of their systems.
Political organizations, like Mexico and the Philippines, clearly suffer from immature security postures, putting all of us at risk. In the USA, we have clear access to the most advanced security technology and hopefully, both parties and all candidates can agree this year that cybersecurity issues should be a top priority for political policy and in practice—and for everyone’s sake, not only after the election.