3 Cybersecurity Threats Facing Campaigns in 2020
By Sean J. Miller
Cyber threats are a growing market this cycle. Security vendors, some free or low-cost, are stepping up to provide services for campaigns and groups to help protect themselves from hacking, which could come from a lengthening list of foreign adversaries.
Still, awareness and adoption remain uneven, particularly down-ballot.
Now, the industry vulnerabilities that exist aren’t just being probed by Russians. Other state actors are trying their hands at election interference, according to Matt Rhoades, co-founder of the non-profit group Defending Digital Campaigns, Inc.
“We know that the Chinese play this game. But if you’re a Republican too, you know that the Iranians are now fully invested in this kind of effort, and they’re going to be targeting Republicans, especially, who have been hardcore on things like the Iranian nuclear deal,” Rhoades said last month during a panel at the George Washington University’s GSPM. “You have to look past just Putin.”
The tactics that the state actors could use are established, with some new twists. Here are three threats campaigns face.
Two-factor authentication is now considered a best practice baseline when it comes to personal cybersecurity, but there’s already a foil for that protection. Now, practitioners have to worry about SIM swap attacks.
The threat, also called SIM jacking, is that an attacker can successfully impersonate a victim to their cell phone provider. Once the attacker convinces the provider to activate a new SIM card, they can receive the victim’s calls, data and text messages.
“Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts,” the FTC warned last month.
Seth Blank, who heads email industry group M3AAWG’s new election security special interest group, calls the problem identity deception at scale.
“If you can steal who someone is digitally, you can act as them,” said Blank, who works for anti-phishing provider Valimail. “You have to take advantage of the best practices because the threats are going to change every day, and you need to be up to date.”
A recent analysis of the email programs of the then-2020 presidential field found that almost half were vulnerable to having their domains spoofed. When that happens, an attacker can send phishing emails posing as the campaign.
The analysis from Twilio, which has counted the DNC as a client, said the vulnerability came from the campaigns either lacking a Domain-based Message Authentication, Reporting and Conformance (DMARC) record or having failed a DMARC check for their emails.
“These are the basic mechanisms a candidate has from having their domain spoofed,” Len Shneyder, a VP at the cloud communication services provider, told C&E. “Ensuring that your digital brand as a candidate is locked down and making it more difficult to spoof would be critical in my mind.”
Shneyder adds in his report: “An added benefit of DMARC is the ability to receive forensic reports from mailbox providers to better understand who may be attempting to spoof your brand.”
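To make the DMARC check concrete, here is an added example (not code from Twilio's analysis or from this article) that classifies the TXT records published at a domain's `_dmarc` name as missing, invalid, monitor-only, partially enforced or enforced, and lists the report addresses the record requests. The status labels, function names and sample domains are constructed for illustration; tag names follow RFC 7489.

```python
# Added example: classify the TXT records published at _dmarc.<domain>.
# Tag names and values follow RFC 7489; every record below is constructed.

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return a dict of tag -> value, or None if the record is malformed."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must be the first tag in the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Return (status, report_uris) for the TXT strings found at _dmarc.<domain>."""
    # Receivers discard TXT records that do not begin with the DMARC version tag.
    found = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if not found:
        return "missing", []
    if len(found) > 1:
        return "invalid", []  # more than one record: DMARC is not applied
    tags = parse_dmarc(found[0])
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        return "invalid", []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", []
    # rua = aggregate reports, ruf = failure (forensic) reports
    reports = [u.strip() for t in ("rua", "ruf") if t in tags
               for u in tags[t].split(",")]
    if tags["p"].lower() == "none":
        return "monitor-only", reports  # failures are reported, mail still delivered
    return ("enforced" if pct >= 100 else "partial"), reports

SAMPLES = {  # constructed domains and records
    "campaign-a.example": [],
    "campaign-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example"],
    "campaign-c.example": ["v=DMARC1; p=reject; ruf=mailto:forensic@campaign-c.example"],
}
if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *classify(records))
```

Only the enforced result tells receiving mail servers to quarantine or reject all mail that fails DMARC; a monitor-only record produces reports but leaves spoofed messages deliverable.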
The phishing attack that John Podesta suffered in 2016 on the Clinton campaign is a nightmare that could be experienced by other practitioners in 2020. That’s because email remains the top method for hackers to penetrate a network or compromise an individual, according to Blank of M3AAWG.
The other threats may be more newsworthy, he said. “But there’s a body of evidence that actually says that email is the vector — 91 percent of cybercrime starts with email. Yes, mobile’s [hot mics] a vector. But today, if you’re sitting in your inbox and someone says, ‘hey, there’s a problem with your machine you need download this patch,’ and the email looked no different, and [you click on it], you just let a threat in. You’re screwed, and you may not know for a very long time or ever.”