New York, NY, May 21, 2019 – SecurityScorecard, the leader in security ratings, has announced the release of the company’s Analysis of Cyber Risk Exposure for U.S. and European Political Parties, which provides an analysis of the cybersecurity posture of political parties across the U.S. and EU ahead of influential elections. SecurityScorecard found the two major U.S. political parties, Republican National Committee (RNC) and Democratic National Committee (DNC), fared well compared to smaller U.S. political parties and European political parties as a whole. With that said, SecurityScorecard discovered indicators of poor security hygiene in almost all political parties.
Offensive cyber operations, from information campaigns to computer network exploitation, are being used to influence foreign and domestic elections through political parties and candidate campaigns. Key tactics demonstrated during the 2016 U.S. elections proved that once an attack is executed, political parties and candidates lack a solid incident response plan to remediate and respond to the attack. Given this lack of visibility into a political party’s overall cybersecurity posture, the door is open for smaller, less focused entities, such as political activists and organized crime, to carry out similar actions as nation state governments.
“Political elections are a top target for nation states as well as possibly organized crime and political activists looking to influence outcomes for geopolitical gains. From influencer campaigns to exfiltrating data to sell on the Dark Web or to other countries, the end game is clear - sabotage and financial gain,” said Jason Cassey, CTO of SecurityScorecard. “Through the SecurityScorecard platform, we were able to gain meaningful insight into the overall cyber hygiene, behavior and incidents of political parties to provide insight into the real dangers associated with upcoming EU and U.S. elections.”
Key Findings:
● France ranked lowest in total aggregate scores, as well as in Application Security and DNS Health.
● Sweden tops the charts in total aggregate scores, as well as in Application Security, DNS Health and Patching Cadence.
● Poland ranked lowest in Network Security.
● Spain ranked lowest in Patching Cadence.
● DNC security scores lag behind the RNC in almost all categories.
● Libertarian Party ranked lowest in total aggregate scores, as well as Application Security, DNS Health.
● DNC ranked lowest in Network Security.
● RNC ranked lowest in Patching Cadence.
In aggregate, the DNC security scores lag behind the RNC in almost all categories. This same trend was observed in the Spring of 2016 prior to the Presidential elections and the reported DNC hacks and WikiLeaks releases. While SecurityScorecard believes the DNC has made significant investments in security since 2016, the organizational behavior of managing digital assets still lags behind the RNC.
“We saw a clear separation in performance between the two primary parties in the US and all other parties studying both here in the US and in western Europe,” Casey said.
“Two US parties were incredibly responsive during the disclosure and reporting process. A severe vulnerability with a smaller party was mitigated within 12 hours of disclosure. One of the larger US party's senior security personnel was actively engaged with the report’s researchers and detailed findings within 24 hours of disclosure.”
Casey added: “The recent FEC ruling could have a positive impact on party security as it removes some campaign finance obstacles for the donation of time and materials to parties around cybersecurity protection. Our research raised the question of whether smaller organizations can even run an affective defense, this ruling could make it easier for small parties to get access to a sophisticated defense.”
Methodology:
The SecurityScorecard threat intelligence engine continuously collects information from the public internet in order to identify digital assets, such as IP addresses and threat intelligence signals, that are analyzed for vulnerable conditions and then attributed to an organization.
All information is collected externally, non-intrusively. Collected data is contextualized to business or organizational entities in order to generate a numerical score in the form of a percentage. The percentage maps to a grading scale of A through F in the same format as academic grading systems.
For each country analyzed in this study, the calculations took into account the number of political parties, total score, the category with the lowest factor score and the ‘Top Issues’. ‘Top Issues’ are defined as cases where the quantity of identified issues greatly exceeds the typical/average quantity for similarly sized organizations.
About SecurityScorecard
Headquartered in the heart of New York City, SecurityScorecard's vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security and Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures, AXA Venture Partners among others. For more information, visit securityscorecard.com.
