Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking.
About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates.
“The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races.
A majority of candidates received good grades overall, with 55 percent of House candidates and 81 percent of Senate candidates receiving an A grade for website security, meaning they had trusted digital certificates and no known vulnerabilities in their security protocols.
Voter registration web applications also earned strong marks, with 70 percent receiving an A or higher.
The findings come amid warnings from U.S. officials that Russia will continue to interfere in U.S. elections. In advance of the 2016 presidential election, Russian hackers probed the IT systems of 21 states, including Illinois, where they breached a voter registration database.
The IT security resources of campaigns vary greatly – big Senate campaigns are generally better equipped to fight off hackers than House candidates in sparsely-populated districts. To try to fill the void, tech companies like Alphabet Inc. are offering candidates free cybersecurity services.
A domain slips through the cracks
Special Counsel Robert Mueller’s June indictment of 12 Russian military officers for hacking Democratic organizations during the 2016 presidential campaign brought an eerie realization for Franklin. The indictment revealed that the Russian hackers had used a domain that mimicked a prominent donation platform in an apparent effort to steal log-in credentials from Democratic operatives. Franklin’s research team came across the domain in 2016 but did not realize it was malicious.
“It goes to show you how hard detection actually is,” Franklin told DEF CON attendees.
The sprawling research project includes the tedious and ongoing task of contacting all of those with vulnerable websites. Franklin urged political organizations to set up a direct line for vulnerability disclosure if they don’t have one. “Responsible [vulnerability] disclosure is very important in the field of elections,” he said.
Franklin’s presentation was one of several election-security-related discussions at DEF CON. A “voting village” at the conference, where white-hat hackers could tinker with voting equipment, was a high-profile test of government officials’ ability to collaborate with security researchers.