The Democratic National Committee’s (DNC) cybersecurity fortifications still trail that of its Republican colleagues despite improvements in the organization's practices since Russian hackers infiltrated its network in 2015 and 2016, a new report said.
“Key tactics demonstrated during the 2016 U.S. elections proved that once an attack is executed, political parties and candidates lack a solid incident response plan to remediate and respond to the attack,” SecurityScorecard’s newly released Analysis of Cyber Risk Exposure for U.S. and European Political Parties, said. Despite upgrades in the DNC’s cybersecurity practices, the “organizational behavior at managing digital assets still lags behind the ,” the report reads.
This is not good news. SecurityScorecard, which compared the cybersecurity frameworks of four political parties in the U.S. and 25 in 10 European countries, pointed to the DNC’s similarly inadequate protections ahead of the 2016 Presidential elections, the reported hacks and the WikiLeaks disclosures. With the 2020 elections only 18 months away, the specter of foreign meddling grows with each passing day as do concerns over the persistent gaps in cybersecurity protections.
"The DNC has spent the last two years completely overhauling its cyber infrastructure and we continue to welcome help from researchers and other organizations to help improve the security posture of the entire Democratic ecosystem," DNC Chief Security Officer Bob Lord told The Hill.
Measuring Cybersecurity: The Process Explained
Scores were determined based on risk categories -- application security, DNS health, network security and patching -- and signal collection -- web application identification, network security, DNS configuration, malware infections, leaked credentials, endpoint security, patching, hacker forums and emerging threat identification. In aggregate, U.S. political parties, including the Green Party and the Libertarian Party, ranked fourth in SecurityScorecard's audit, behind Italy, Germany, Northern Ireland and Sweden, which finished first. In terms of risk exposure, the Green Party topped the other three organizations, scoring 92.5 out a possible 100, followed by the RNC at 87.2, the DNC at 83.5 and the Libertarians at 78.1. Both the RNC and DNC scored significantly lower for their network security. In particular, the report pointed to the RNC’s inattention to issuing patches to fix system vulnerabilities. The group recognizes that patching “constantly needs to be attended to,” an RNC official told The Hill.
“We have a wide-ranging approach but includes industry-wide standard practices like 2-factor identification and/or multi-factor identification, software and O/S patching, password management and good practices, security training and testing, device encryption, regular vulnerability scanning, etc.,” the RNC official told The Hill. “From a forward-looking and preventative standpoint, the RNC is in the process of developing an internal cyber security platform to disseminate information in real time to GOP state parties.”