Scoring the Democratic Presidential Candidates on Cybersecurity

For months now, U.S. lawmakers have heard warnings about Russia interfering with this year’s elections. But the threat extends beyond voting machines and voter data to the campaigns in both parties. MSSPs increasingly play larger roles in cybersecurity for candidates and the voting process. A new report offers insights into how well MSSPs and others are performing on the candidate side.

President Trump is the incumbent and largely covered by national security agencies. But the Democratic candidates are pretty much on their own when it comes to cybersecurity, at least for the moment. SecurityScorecard scored their efforts in their latest report.

“The entire team entered the exercise thinking we would unfortunately find some significant holes in the candidate’s security,” said Paul Gagliardi, CISO and head of threat intelligence at SecurityScorecard.

In a previous report on national and foreign political parties, the SecurityScorecard team discovered major flaws and issues in many of them. Gagliardi said the team “expected that to extend” to this year’s crop of Democratic candidates’ campaigns as well.

“Fortunately for American voters, that was not the case and we were pleasantly surprised that there were no low-hanging giant flaws we could find across the campaigns,” he said.

SecurityScorecard’s Paul Gagliardi

“We should have expected this, but it was surprising to see modern campaigns choosing a subset of vendors and third parties to do all the heavy lifting. We’ve historically found large flaws in the political parties within software solutions that were seemingly developed in-house — for example, solutions to capture voter information,” Gagliardi added.

MSSP Insider talked with Gagliardi about the report findings and what they might mean in light of foreign interference in U.S. elections.

Channel Futures’ MSSP Insider: What are the highlights in the SecurityScorecard you released earlier this month?

Paul Gagliardi: We graded all candidates’ campaigns at a rating of “B” or above, whereas our last report in 2019 found that the DNC overall had a “C” grade. This turnaround shows an increased focus on cybersecurity measures and candidate willingness to invest in good cyber hygiene.

Each campaign utilized third parties for critical technical functions. These third parties also exhibited clean external facing hygiene, although there is a risk of them becoming a target for sophisticated actors.

However, there were problematic findings with nonsanctioned websites and applications. For example, we discovered a cross-site scripting (XSS) attack among a third-party community event management application supporting Andrew Yang, who has since dropped out of the race.

CFMI: How did the key Democratic candidates and the third-party vendors they use to support their online presence score?

PG: Of the two remaining candidates, Biden scored a 97 and Sanders scored an 89. While this is good overall, we want to see any presidential hopeful taking cybersecurity as seriously as possible, particularly given recent threats from nation-states and increased vulnerabilities as workforces move fully remote.

We looked into a number of third-party vendors, including:

• services and third parties such as Google, NGP, and Mailchimp, which candidates permitted to send email on their behalf.
• third parties such as Cloudflare, Cloudfront, and Fastly, which provide technical, defensive, and infrastructure services to host the campaign’s websites and platforms.
• other commonly used third parties, including ActBlue, Pantheon, Mobilize America and ActionKit.

The campaigns outsourced critical functions to expert third parties, which mirrors …