The Democratic National Committee’s computer networks still contain hackable vulnerabilities more than two years after a devastating breach that upended the 2016 election and dealt a major blow to the Hillary Clinton campaign, according to a new report out this morning.
And the Republican National Committee is doing only moderately better, according to the report from the company SecurityScorecard.
Heading into the 2020 cycle, the results provide a stark warning about the cyber insecurity of the highest profile U.S. political organizations even after years of concerted efforts to improve digital safeguards and an intense focus in Washington on the need to secure campaigns and elections.
And while SecurityScorecard found significant improvements since the last presidential campaign cycle, when the DNC was penetrated by Russian hackers -- who compromised vast troves of information and coordinated its release to damage Hillary Clinton's campaign -- these fixes may not be sufficient to keep either organization secure this time around.
“They’re doing better, but a focused adversary is still going to be able to get in there and they’re still going to be able to get interesting information,” SecurityScorecard Chief Technology Officer Jasson Casey told me.
SecurityScorecard rates organizations’ digital protections based on information that’s available on the public Internet, such as how often they patch their software and whether public-facing internet tools are encrypted. The company makes most of its money by helping large organizations vet the cybersecurity of their partners and suppliers without conducting an intensive internal security audit.
A DNC official who reviewed the latest results told me that this kind of external assessment doesn’t capture all the work the organization has done to improve cybersecurity since 2016, but didn’t dispute that there are still improvements to be made. The official, who spoke on the condition of anonymity to express himself freely, also criticized the report for lacking specific details about some of the vulnerabilities it claimed to find.
“I think we need to improve our security posture and we’ll take feedback in whatever form it comes,” the official said. “Our adversaries are hard at work, nonstop. We’d just like to have more detail.”
The results could raise questions about the vulnerability of a crowded field of Democratic presidential candidates who typically have much less time and far fewer resources to devote to security than the DNC — but are equally juicy targets for Russian hackers, Casey noted. SecurityScorecard plans to start assessing the cybersecurity of those campaigns in the next couple of months, he told me.
The DNC and RNC now are about as well defended as the average company that is serious about cybersecurity, Casey said. But the report identified weaknesses, including gaps in encryption at both organizations that hackers might be able to use to steal employees’ log-in credentials.
And what’s good enough for a company may not be good enough for a major political party that holds vast troves of data that a U.S. adversary could use to game the 2020 election. Russian hackers in 2016 were able to crack into the DNC, the Democratic Congressional Campaign Committee and the Clinton campaign with just a few spearphishing emails. If political targets are better protected this cycle, that could mean hackers achieve their goals by just working harder.
“That’s the lesson of the last two to three years,” Casey said. “They’re not doing a poor job right now but there are still a lot of improvements to be made.”
But we also shouldn’t presume another breach is inevitable, said Amit Yoran, a former Homeland Security Department cybersecurity official who’s now CEO of the cybersecurity company Tenable. Most high-profile breaches result from bad security rather than great hackers, he said, and improvements like the ones the DNC has made so far can actually go a long way toward locking them out. “I think good cyber hygiene makes a tremendous difference, so things aren’t hopeless,” he said.
“Nothing here is smoking-gun bad,” Yoran said of the report. “There’s no negligently bad behavior or ‘Oh, my God’ moments. [But] there are always things that need to be improved.”
Correction: A previous version of this story misstated that the Republican National Committee was breached during the 2018 cycle. It was the National Republican Congressional Committee that was breached.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: U.S. technology stocks dipped sharply Monday as companies started complying with a Commerce Department ban on supplying components to Huawei, the Chinese telecom giant that U.S. officials say could be a spying tool for Beijing.
“With $105 billion in global sales last year, Huawei has a vast web of customers and suppliers on nearly every continent” and “the markets punished many of those suppliers Monday, including Intel, Broadcom and Qualcomm, as well as Micron and semiconductor manufacturer Cypress,” my colleagues Jeanne Whalen, Greg Bensinger, Ellen Nakashima and Hamza Shaban reported.
Also on Monday, “the Commerce Department slightly eased the timing of the restrictions, saying it would allow some transactions to continue for 90 days, to facilitate ‘certain activities necessary to the continued operations of existing networks and to support existing mobile services,’” my colleagues reported.
Confused by all the Huawei news? Here’s a helpful explainer from the Associated Press’s Frank Bajak and Michael Liedtke and a handy timeline from the Carnegie Endowment for International Peace.
PATCHED: A bipartisan group of lawmakers is asking Secretary of State Michael Pompeo and Director of National Intelligence Daniel Coats to help ensure U.S. spying and hacking capabilities aren’t being exported to countries with spotty human rights records, Ellen reported Monday.
The request comes after a Reuters report about former hackers for U.S. intelligence agencies who took contract jobs hacking for the United Arab Emirates — and helped the gulf nation spy on a BBC host and the chairman of Al Jazeera among others.
“In a letter Monday coordinated by Rep. Tom Malinowski (D-N.J.), the lawmakers expressed ‘deep concern’” about the allegations, Ellen reported. The letter was also signed by Intelligence Committee chairman Adam B. Schiff (D-Calif.) and Foreign Affairs Committee chairman Eliot L. Engel (D-N.Y.) among others.
Dutch Ruppersberger (D-Md.) last week added a requirement for the State Department to report on how it vets requests to provide those hacking services to a State Department spending bill.
PWNED: DHS is warning companies that commercial drones manufactured in China may be stealing their data.
“The combination of the sensitive data collected by drones and the requirement of Chinese citizens to support ‘national intelligence activities’ makes the Chinese-made technology a significant risk to U.S. companies,” Cyberscoop’s Sean Lyngaas reported.
“The report does not name any specific manufacturers, but nearly 80% of the drones used in the US and Canada come from DJI, which is headquartered in Shenzhen, China,” CNN’s David Shortell reported.
“Be cautious when purchasing [drone] technology from Chinese manufacturers as they can contain components that can compromise your data and share your information on a server accessed beyond the company itself,” according to the DHS advisory quoted by Cyberscoop.