Freely subscribe to our NEWSLETTER

This is a follow up to SecurityScorecard’s 2019 report: Analysis of Cyber Risk Exposure for Political Parties, which highlighted the disappointing cybersecurity posture of political parties in the U.S. and abroad. In the previous report, the Democratic National Committee (DNC) received a ’C’ Security Rating. Statistically, those with a score of ’C’ or below are more than five times as likely to experience a data breach than those with an ’A’ or ’B’ rating.

"Campaigns have seen the consequences of hacks and breaches — invaluable, confidential information that can be leaked to defame and embarrass candidates while losing the trust of the American people. It’s clear that they do not want 2020 to be a repeat of 2016," said Paul Gagliardi, Head of Threat Intelligence and CISO at SecurityScorecard. "Through the SecurityScorecard platform, we had an ’outside-in’ view of each candidate’s security posture to see exactly what an attacker might see to determine how secure each candidate’s campaign is from cyber interference."

Key Findings:
• SecurityScorecard found that the overall cybersecurity posture of the Democratic candidates is positive: All candidates’ campaigns were graded at a ’B’ or above, whereas SecurityScorecard’s last report in 2019 found that the DNC overall had a ’C’ grade.

o The respective scores for each candidate’s campaign site includes:
– Joe Biden - ’A’
– Pete Buttigieg - ’A’
– Amy Klobuchar - ’A’
– Tulsi Gabbard - ’A’
– Tom Steyer - ’A’
– Bernie Sanders - ’B’
– Michael Bloomberg - ’B’
– Elizabeth Warren - ’B’

• This turnaround shows an increased focus on cybersecurity measures and candidate willingness to invest in good cyber hygiene.

• Each campaign utilizes third parties for critical technical functions. These third parties also exhibited clean external facing hygiene, although there is a risk for them becoming a target for sophisticated actors.

• Despite overall positive cyber posture, there were problematic findings with non-sanctioned websites and applications. For example, SecurityScorecard discovered a cross-site scripting (XSS) attack among a third-party community event management application supporting Andrew Yang, who has since dropped out of the race.

o This raises the question of how campaigns should communicate these flaws to their unsuspecting user base.

Methodology can be found in the report with the full list of all candidates.
Although all signs point to the candidates heeding the call of security experts, the cybersecurity landscape changes daily, with a balance needed of continual improvements and risk analysis. Campaigns seem to have concluded that outsourcing critical functions to third parties gives them a better chance at keeping their campaigns secure. However, third parties are just as vulnerable to attacks and breaches, so it is extremely important to remain vigilant and understand the posture of all third parties in the campaign’s ecosystem.
This report in no way concludes that attacks will not be successful against these candidates, whether that be now or in the future. The style of security assessment conducted by SecurityScorecard was non-intrusive and limited only to publicly-available assets. For this report, SecurityScorecard focused on the Democratic candidates and will be conducting a follow-up report diving into the cybersecurity posture of the Democratic, Republican and third-party nominees once they are chosen by their respective parties.