The Democratic National Committee’s (DNC) cybersecurity practices continue to “lag behind” those of its Republican counterpart despite investments the group has made since the 2016 presidential election, according to a new report.
“In aggregate, the DNC security scores lag behind the [Republican National Committee] RNC in almost all categories,” reads the report released Tuesday by the company SecurityScorecard assessing the cyber risk exposure of U.S. and European political parties.
“While SecurityScorecard believes the DNC has made significant investments in security since 2016, the organizational behavior at managing digital assets still lags behind the RNC,” the report states.{mosads}
The company noted that the RNC scored higher on cybersecurity in the spring of 2016 — before the DNC hacks and subsequent release of thousands of private emails by WikiLeaks in the run-up to the presidential election.
DNC Chief Security Officer Bob Lord described the cybersecurity findings of the report as “hygienic and not exploitable.”
“The DNC has spent the last two years completely overhauling its cyber infrastructure and we continue to welcome help from researchers and other organizations to help improve the security posture of the entire Democratic ecosystem,” Lord told The Hill.
A spokesperson for the RNC stressed that the organization is “constantly working to stay ahead of emerging threats.”
“Data security remains a priority for the RNC and we continue to proactively work with top IT vendors to stay abreast and monitor potential risks,” RNC press secretary Blair Ellis said.
The SecurityScorecard report scored the DNC, RNC, the Libertarian Party and the Green Party on their levels of exposure to cyber risk, finding that the Green Party was the most secure with a score of 92.5 out of 100, while the RNC ranked second with a score of 87.2 and the DNC ranked third with a score of 83.5. The Libertarian party was last in the rankings, with a score of 78.1.
For both the RNC and DNC, their scores were lower when ranked in terms of their network security, with both receiving scores in the 70s. The RNC only scored lower than the DNC on one security issue – patching, or the need to fix a network issue that would otherwise give hackers an opportunity to get into the system. An RNC official said that the group recognizes that vulnerability patching “constantly needs to be attended to.”
“We have a wide-ranging approach but includes industry-wide standard practices like: 2-factor identification and/or multi-factor identification, software and O/S patching, password management and good practices, security training and testing, device encryption, regular vulnerability scanning, etc.,” the RNC official said. “From a forward-looking and preventative standpoint, the RNC is in the process of developing an internal cyber security platform to disseminate information in real time to GOP state parties.”
The scores were compiled based on SecurityScorecard’s data on malware infections, hacker chat forums, emerging threats, endpoint security information and network security.
Overall, the report found that U.S. political parties are performing better on cybersecurity than European political parties.
The report noted that both the DNC and RNC scored well when compared to smaller U.S. political parties and to those in Europe. French political parties in particular scored low on defending against cyber risks, with some of its scores below 50 on the scale to 100.
“The political parties in France show systematically lower security ratings than all other political parties in other parts of Europe and the U.S.,” SecurityScorecard wrote. “Specifically, Application Security and DNS Health are the two lowest ranking scores, followed by Network Security. These specific scores indicate the political parties in France are not maintaining digital assets at the same level of hygiene as their European neighbors.”
Political parties in Spain, Poland and the United Kingdom also scored low in the report.
Mark Risher, the head of account security at Google, told The Hill that despite the scores in the report, it is “important that everyone recognize that everyone is potentially vulnerable and susceptible” to cyberattacks during elections, with all political parties targeted.
Risher said U.S. political parties face hurdles in addressing cyber risks due to a lack of awareness on how to address these risks, and difficulty in obtaining hardware to secure their systems due to campaign finance laws and ethics rules making it hard for companies like Google to offer cybersecurity assistance to political parties.
“Security is not a partisan issue,” Risher added.