Many fingers are pointing at Russia, which indeed possesses the motive, means, and opportunity. But the harsh reality facing candidates is that many individuals, organizations, and countries desire to influence elections. Achieving this goal through cyberwarfare is safer, less expensive, and potentially more effective than more traditional methods of election interference.
The overt and obvious act of releasing stolen emails is one approach; the DNC and En Marche! hacks are just the tip of the iceberg. Many more accounts have been compromised, and information surreptitiously used to hurt candidates and help their opponents.
Despite erroneous public perception, political parties and campaigns in Canada (and many other countries) do not have access to government IT and security resources. They are, in fact, at a significant disadvantage, requiring the majority of their office space and IT capability only a few months every few years. The majority of workers are volunteers with little training, and election laws restrict the total amount of money that can be spent for campaign purposes.
While federal limits vary by electoral district, a typical local federal election campaign must spend less than $200,000. This includes renting an office, heat, hydro, Internet, landline and mobile phones, equipment rental, purchasing signs and related supplies, printing and mailing literature, and a host of other expenses. There is little, if any, room in the budget for IT infrastructure and security expertise. The majority of communication leverages free email accounts and personal devices, often with campaign software installed.
Since corporate and union donations are prohibited, and federal law limits personal contributions to $1500, fundraising is a challenge and dollars are scarce. Most local campaigns raise nowhere near their spending limit. National campaigns, such as for major federal political parties, have significantly higher limits, but face the same fundraising constraints. The support they provide to local campaigns is very limited. For example, if a federal party were to provide more secure devices, email accounts, or file repositories with two-factor authentication, local campaigns would have to pay for it.
The federal prohibition against corporate donations also applies to services. While companies such as Google can give schools free G Suite licences, extending the same offer to political parties, individual campaigns, or candidates would violate the Canada Elections Act.
Canadian politicians face a formidable cybersecurity challenge: on a shoestring budget, they require email, file sharing services, and mobile devices that are capable of withstanding attacks by rivals, hackers, and foreign governments. As recently demonstrated in France, the security of personal email accounts is paramount.
Meeting this challenge requires a multi-pronged strategy. Mandatory security awareness training is a good starting point. Generally speaking, it provides the best return on investment in the security space. Email and other cloud service providers must be chosen carefully; it is time to stop pretending that all email providers are created equal. Third-party accreditation and multi-factor authentication should be mandatory.
The private sector has an important role to play. Anti-malware products are failing customers. Popular operating systems make it far too easy for malware to gain a foothold. Because most malware arrives via email and the web browser, features to better isolate these services from the rest of the operating system are required.
Government must also step up. Damage caused by cybersecurity attacks extends far beyond elections and the potential impact on the democratic process; these attacks weaken our economy and country as a whole. Instead of wasting money on fake lakes, glowsticks, and partisan advertising, governments should offer incentives and grants to stimulate the development of innovative, effective, and affordable cybersecurity solutions.
Have a security question you’d like answered in a future column? Eric would love to hear from you.