Analysis | Campaign Cybersecurity Might Be The Weakest Link In The Midterms – The Washington Post

Analysis | Campaign cybersecurity might be the weakest link in the midterms – The Washington Post

Sign in
A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
A newsletter briefing on cybersecurity news and policy.
Welcome to The Cybersecurity 202! I think of myself as “pretty online,” but only learned of this copypasta over the weekend.
Below: The U.S. government sanctions an Iranian official over cyberattacks, and an Israeli campaign manager is arrested for trying to overwhelm their rival with phone traffic. First:
An official at the Cybersecurity and Infrastructure Security Agency (CISA) said last week that election security is light-years ahead” of where it was in 2016. But there’s one area lagging behind as the 2022 midterm vote looms: the cybersecurity of political candidates’ campaigns.
In the aftermath of Russia’s election interference in the 2016 cycle, Congress delivered hundreds of millions of dollars to state and local governments to spend on things like replacing less secure voting machines and giving cybersecurity training to election officials.
There’s been no comparable mobilization for campaign security. That’s noteworthy because Russian hackers breaking into the systems of the Democratic National Committee (DNC) and Hillary Clinton’s presidential campaign kicked off the big election security push in the first place.
And political campaigns — almost none of which have dedicated cybersecurity staffers, and are near-totally focused on dedicating every available dollar to victory — are highly vulnerable.
It’s not that agencies like CISA aren’t offering to help campaigns. But it’s a trickier proposition due to the pop-up nature of campaign operations and the tendency of those running for office to be skeptical of welcoming outsiders into the fold, Matt Masterson, CISA’s former top election security official, told me.
“There’s a natural paranoia that comes with campaigning,” said Masterson, now director of information integrity at Microsoft. “Inviting anybody in raises questions.”
That means what help campaigns do get usually comes from umbrella political parties and free or low-cost technology offerings, like Microsoft and Google services.
One organization, the nonprofit, nonpartisan Defending Digital Campaigns, helps organizations by connecting them with vendors who provide cybersecurity services to them at little or no cost. Last cycle, the nonprofit helped a little more than 180 campaigns, and it’s almost at that number for this cycle, Michael Kaiser, president and CEO of the four-member team there, told me. Another organization, U.S. CyberDome, also provides cybersecurity help to campaigns.
The year 2016 isn’t the only election cycle where hackers caused trouble for political candidates. In 2008, alleged Chinese hackers broke into the campaigns of both Barack Obama and John McCain and took internal documents. In 2020, hackers briefly took over the website of Donald Trump’s campaign. Hackers reportedly targeted the campaigns of Trump and Joe Biden in otherways, too.
Kaiser said he worries about not only nation-state threats, but also hacktivists and cybercriminals.
“Money is changing hands, things are happening quickly,” Kaiser said. “It’s a good environment for cybercriminals.” In fact, hackers siphoned credit card information from donors to the National Republican Senatorial Committee in 2016.
Campaigns can be insecure for other reasons, too.
“Most of them have lots of third party kinds of help, whether it’s data, fundraising, polling, digital ad buying, website building — they use a lot of other services that they don’t do in-house,” Kaiser said. “So there’s just a lot of vulnerable periphery around a lot of these campaigns, which is an obstacle because they don’t control the security beyond their own campaign to a greater degree.”
The RNC said last year that hackers breached a third-party provider, for instance.
So what kind of help are campaigns getting from others?
“CISA offers no-cost technical assistance upon the request of federal and nonfederal entities, which can include political campaigns and partisan organizations,” Geoff Hale, director of CISA’s election security initiative, said in a written statement. “CISA provides such technical assistance, to include web application scanning and penetration testing, on a nonpartisan basis to help an entity reduce cyber risk to their systems and networks.”
Those services include free, voluntary vulnerability scanning.
The DNC regularly holds cybersecurity training sessions and provides resources to campaigns and state parties on best security practices.
It’s not entirely grim news for political campaign cybersecurity. Campaigns have grown increasingly aware of cyberthreats and receptive to doing something about them, Kaiser said.
As for this cycle, “it’s not too late,” Kaiser said. With less than two months until Election Day, “this is the moment that everybody should be worried about.”
The sanctions announced Friday cover Iranian Intelligence Minister Esmail Khatib and his Ministry of Intelligence and Security (MOIS), the Treasury Department said. Hackers “sponsored by” Iran and the MOIS were behind a July cyberattack on government networks belonging to Albania, the Treasury Department said.
“Iran’s cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Treasury Undersecretary for Terrorism and Financial Intelligence Brian E. Nelson said. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.” 
Albania, a member of the NATO alliance, is still being targeted by hackers, officials said. This weekend, the country’s government had to turn off its Total Information Management System, which tracks people entering and leaving the country, CNN’s Sean Lyngaas reports. Albania’s Interior Ministry said the “same aggressors” behind the July cyberattack had carried it out, Lyngaas reports. The National Security Council condemned that cyberattack and said the U.S. government is “supporting” Albania’s work to recover and mitigate in the wake of the cyberattack.
Iran has denied that it was responsible for the July cyberattack and blasted Albania’s decision to sever ties with the country over the cyberattack.
Israeli officials arrested the campaign manager of former Israeli labor federation chief Ofer Eini after they apparently sent hundreds of thousands of text messages about payments they hadn’t made and directed them to call Eini’s opponent’s headquarters, overloading them with messages, the Times of Israel’s Ash Obel reports.
“The manager was investigated by the police anti-corruption unit Lahav 433 after he allegedly spread fake text messages in an attempt to flood his opponent Arnon Bar-David’s campaign office with phone calls ahead of the elections for the leadership of the organization in May,” Obel writes. “In the election, Bar-David defeated Eini, winning 77.7 percent of the vote and the presidency of the Histadrut, which represents the majority of workers’ unions in Israel.”
The campaign manager was arrested “on suspicion of harassment using a telephone, [and] disrupting elections,” Israeli police said. Their investigation is ongoing, they added.
Patreon security team layoffs cause backlash in creator community (CyberScoop)
Lawsuit filed against 49ers over ransomware attack that hacked identities of 20,000 (San Francisco Chronicle)
CISA preps solicitation for public feedback on incident reporting rule (The Record)
You never know what you might find under your oven…😂😇🐐
Thanks for reading. See you tomorrow.


Leave a Comment

Leave a Reply

Your email address will not be published.

How does Privileged Access Management work? – Cybersecurity Dive

Cyber security attacks on the rise, targeting school systems – WAFF

Elon Musk attorneys raise Twitter whistleblower complaint in court – The Washington Post

China's Cross-Border Data Transfer Security Assessment Measures Take Effect September 1 – Morgan Lewis