The ugly news about Russian interference in the U.S. presidential election forced the issue of cybersecurity into the political spotlight in 2016. But in the intervening years, politicians haven’t been so smart about cybersecurity awareness and the readiness of their campaign sites when it comes to cyber protection, SiteLock reported.
Since the catalytic events of 2016, political leaders have grappled with cybersecurity awareness on a global stage — and not always gracefully, according to SiteLock. Ahead of the October Democratic debate in the U.S., SiteLock investigated the top 12 presidential candidates for 2020, including President Donald Trump, based on their cybersecurity awareness. The results: Elizabeth Warren and Cory Booker came out on top. Trump was in the top five. Andrew Yang brought up the rear.
Bad actors, whether politically motivated or not, grow increasingly sophisticated as our world becomes more rooted in technology. However, it appears lawmakers aren’t prepared for this reality. One example: Too many are in the dark about website encryption. Around the world, 61% of politicians’ websites aren’t HTTPS-secured.
With the U.S. 2020 presidential election approaching, cybersecurity deserves to be a core issue for candidates. But actions speak louder than words, especially in politics.
To investigate candidates’ cybersecurity awareness, the company looked at both their words, in terms of policies they’ve supported or any public stance they’ve taken, and their actions — auditing a range of factors and grading their website security efforts based on criteria similar to PCI security standards.
All information used in the audit is available publicly through resources such as Google, campaign websites, DNS lookup, news articles, and websites that allow internet users to check if their personal data has been compromised by data breaches.
The company also externally scanned each candidate’s website with the SiteLock Risk Assessment tool to collect more information regarding their cyber risk. No intrusive or disruptive technologies were used to ascertain their status on the various criteria.
Each factor investigated falls into one of four buckets: the candidate’s cybersecurity platform, their cybersecurity actions, their privacy and data practices, and email security factors.
SiteLock asked the following questions:
- Does the candidate have a proactive cybersecurity stance in their 2020 platform?
- Does the candidate publicly support any cybersecurity bills/committees?
- Has the candidate been involved in a past cybersecurity breach?
- Has any email from the candidate’s campaign/domain been found on the dark web?
- Are all of the campaign’s web properties (main site, store site, email form) secured with a verified SSL certificate?
- Do all campaign web properties use a cloud-based web application firewall (WAF) and a content delivery network (CDN)?
- Is the campaign website built on a CMS, such as WordPress or Drupal?
- Is the candidate’s CMS/software up to date (main site, store site, and email form)?
- Does the candidate use third-party software for their online store?
- Is the default admin login URL accessible on their site?
- Does the candidate have a cookie disclosure on their website?
- Is there a CAPTCHA included in all email forms on their website?
- Is there a CAPTCHA included on the logins for the online store?
- Is the candidate using a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy?
The answers to these questions determined a point value for each factor, ultimately leading to a total score on a scale of 100 for each candidate, which was then translated to a letter grade. To earn an A, the candidate needed an exceptional score across all factors. In general, they’d have to be vocal about their plans to enact cybersecurity legislation and meet cybersecurity standards in a near-perfect fashion.
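For the DMARC criterion in the list above, a passive check only needs the TXT record published at `_dmarc.<domain>`. The following is an added example, not SiteLock's tool or scoring: it classifies already-retrieved records offline, and the sample records, the `example.org` names and the grade labels are constructed for illustration.

```python
# Added example: grade DMARC TXT records the way a passive, external audit could.
# Assumption: records were already fetched (e.g. by a DNS TXT lookup of _dmarc.<domain>).
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return a tag dict for a DMARC record, or None if the TXT string is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (not sep or name != "v" or value != "DMARC1"):
            return None          # RFC 7489: v=DMARC1 must be the first tag
        if sep:                  # tolerate and skip malformed later tags
            tags.setdefault(name, value)
    return tags or None

def grade_dmarc(txt_records):
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforced'."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not parsed:
        return "missing"
    if len(parsed) > 1:
        return "invalid"         # more than one DMARC record: receivers apply none
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"         # stricter than RFC 7489's fallback to p=none
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"    # reports only; spoofed mail is still delivered
    return "enforced" if pct == 100 else "partial"

# Constructed sample data: TXT strings as they might be returned for _dmarc.<domain>.
SAMPLES = {
    "a.example.org": ["v=spf1 -all"],
    "b.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example.org"],
    "c.example.org": ["v=DMARC1; p=quarantine; pct=25"],
    "d.example.org": ['"v=DMARC1; p=reject;"'],
}

def audit(samples=SAMPLES):
    return {domain: grade_dmarc(records) for domain, records in samples.items()}
```

A record that exists but says `p=none` answers "yes" to the checklist question while providing no spoofing protection, which is why the example separates monitoring from enforcement.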
The company disclosed the results to each candidate’s campaign team before publishing to provide a chance for them to respond to their grade.
None of the candidates audited has mastered a fully secure online presence alongside a strong cybersecurity platform, though a few came close, SiteLock said.
Elizabeth Warren (A-), Cory Booker (A-), and Bernie Sanders (B+) led the pack. Meanwhile, Amy Klobuchar (C), Joe Biden (C-), and Andrew Yang (D+) brought up the rear.
Warren rose to the top of the cybersecurity awareness ranking because of her advocacy for stronger cybersecurity practices. Kamala Harris has also been vocal on cybersecurity legislation, and her support of cybersecurity proposals in Congress and as California Attorney General boosted her final grade.
Although President Trump appeared in the top five candidates, his lack of a cybersecurity awareness platform for his 2020 candidacy and his involvement in a past public breach kept him from rising to the top. Trump International Hotels experienced three breaches between August 2016 and March 2017, periods during which Trump led the business.
When it comes to actual cybersecurity practices, candidates struggle most with email subscription form practices. Only one of the 12 candidates, Kamala Harris, included a CAPTCHA on the email form — a simple tactic that can prevent bots from bombarding the site owner with requests, driven by a malicious intent to steal email addresses. The average website encounters 62 attacks each day, according to SiteLock’s 2019 Website Security Report, making CAPTCHA a vital defense.
Additionally, 58% of the candidates’ websites use out-of-date software or CMS, putting the majority of them at risk of getting hacked. For example, an outdated WordPress site, the most popular CMS, is 10 times more likely to be hacked than an up-to-date WordPress site, according to the data.
Technically, anything short of perfect cybersecurity awareness practices should be viewed as a security flaw because it only takes a single vulnerability to fall victim to a bad actor. The fact that not one candidate can be credited with a perfect score proves that cybersecurity awareness is an overlooked issue.
As previously mentioned, SiteLock disclosed the results to each individual candidate’s campaign team before publishing to provide a chance for them to respond and act on the grade. Although reaction was minimal, SiteLock did receive general feedback on the following:
- Default admin login being publicly accessible — Some candidates were able to provide evidence of alternative methods in place to help circumvent potential risk. In this case, we gave additional credits to those candidates and adjusted their scores accordingly.
- Use of CAPTCHA on sign-up form — Some candidates felt this particular grading criterion did not present a significant security risk, and those who were using WAFs felt that they had enough protection in place. Although we agreed that CAPTCHA is not tied to any specific security risk, we do feel it’s part of good web hygiene, so it remained part of the criteria with a lower weight assigned.
- Campaign emails found on the dark web — Some candidates felt this was out of their control and did not provide a specific attack vector, as all email addresses have the potential to be enumerated. Although SiteLock agreed this criterion is impossible to control, the amount of contact information available on any website provides a larger surface area for potential risk, such as a phishing attack. It remained a part of our criteria.
The impact of voter cybersecurity concerns
Nearly half of Americans (49%) don’t trust the federal government to protect their data, according to the Pew Research Center. But citizens should be able to trust those in power to protect them against all security threats, whether physical or digital.
From Capital One to the City of Atlanta, cyberattacks are on the rise in both the private and public sectors. Educating voters on cybersecurity concerns will impact the way they vet the candidates, so candidates need to be educated and informed about the latest cyber trends to serve their constituents and represent their best interests, SiteLock said.
But if a candidate’s cybersecurity awareness is currently lacking, it doesn’t mean they’re doomed. Technologies and training to support a comprehensive cybersecurity strategy are accessible to politicians, organizations, and businesses of any size, the company said.
SiteLock’s other piece of advice? On the road to November 2020, voters should continue to press candidates on the issue of cybersecurity.