Presidential wannabes doing well on cybersecurity, experts say

The good news from a new report by a cybersecurity firm on the online presence of the Democratic presidential candidates is that they all deserve good grades for their defenses against cyber attacks.

The less good news is that the review, released Thursday by a New York company that conducts information security assessments, rivals any doctor's report you've ever read for arcane and obscure lingo. And that's all the more remarkable given how one of the most bluntly dramatic aspects of the election security narrative four years ago were the cyberattacks on the Hillary Clinton campaign and the Democratic National Committee.

Overall, Security Scorecard found the 14 candidates whose websites and applications were studied (several no longer in the race) all deserved a B or better. Or as the report puts it with masterful bureaucratic understatement, their "cybersecurity posture is positive."

While Russia's efforts to hack into voting systems of almost half the states in 2016 prompted most of the anxiety about an even more aggressive interference effort this year — and $805 million in federal spending on better voting equipment and hardened election security — the vulnerabilities of computer systems serving the candidates and political parties has garnered much less attention.

Sign up for The Fulcrum newsletter

Under the company's threat-scoring analysis, a grade of A or B means that a site is five times less likely to experience a data breach than those with scores of C, D or F. (The DNC received a "C" in a report by the same firm a year ago.).

The report notes that the campaigns all use third parties for some technical functions but "these third parties also exhibited clean external facing hygiene." In plain language, that means they have implemented sufficient cyber safeguards.

Of all the remaining Democrats, the campaign of former Vice President Joe Biden's received the highest mark of 97 out of 100. (The same score was awarded to two dropouts, Sen. Michael Bennet of Colorado and former Rep. John Delaney of Maryland.)

The lowest grade awarded to someone still running, an 86, went to Sen. Elizabeth Warren of Massachusetts. (Author Marianne Williamson, who's left the race, received the same.)

The only other candidates with B grades were Sen. Bernie Sanders of Vermont and former Mayor Mike Bloomberg of New York.

The one problem the authors discovered was a "cross-site scripting (XSS) attack" in an event management application that was used by the campaign of tech entrepreneur Andrew Yang, who has since dropped from the race. Such attacks occur when someone sends malicious code to a website using a web application. The company did not detail the intrusion further or explain what it means in plain English. It said it attempted to notify the campaign but got no response.

The report says that while the Democratic candidates are doing better than their 2016 counterparts with cybersecurity they cannot rest on their laurels. "Instead, it is a balance of continual improvements and risk analysis," the report concludes.

Special counsel Robert Mueller's report on interference in the last presidential race concluded that Russian agents stole thousands of emails from the accounts of Clinton campaign staffers, including chairman John Podesta, and from servers at the DNC and the party's House campaign organization.

Since then some former top party officials have created a cybersecurity nonprofit, U.S. CyberDome, to help presidential campaigns ward off attacks. And some private companies have been allowed by the Federal Election Commission to offer free cyber aid to presidential and congressional candidates.