Threats to 2019 election rising, CSE warns
Agency says political parties, media vulnerable
OTTAWA • Cyber threats to Canada’s federal election in 2019 are coming fast and furious, surprising even the intelligence agency tasked with monitoring and combating the issue, and politicians and political parties are the target, a House of Commons committee heard on Thursday.
CSE, Canada’s foreign signals intelligence agency, said the threats include “social media botnet amplification” and the use of social media by adversaries to reach their audience. Botnet amplification involves using dummy accounts on social media to amplify a specific message or user.
“There are more threats and in fact, the velocity of these threats is increasing faster than we expected,” said André Boucher, the assistant deputy minister of operations at the Canadian Centre for Cyber Security, which is overseen by the CSE.
Last week, Facebook deleted more than 800 political pages that were breaking anti-spamming rules on the platform as governments and tech firms try to get a handle on misinformation campaigns being waged on the web.
The main threat isn’t to the systems that run the country’s elections, like voting machines and Elections Canada voter lists, but to the politicians themselves. A 2017 report by CSE warned that, because Canadian elections are conducted by paper ballot, political parties and the media are more vulnerable to cyber threats.
“I have every confidence that voter lists will be adequately protected by the measures and technology in place. It’s enough, we believe,” said Boucher.
At the hearing, Boucher warned that both state actors and contractors hired by nation states are responsible for the activity the agency is seeing. Although no specific countries were named, former FBI director James Comey warned Canadians to be wary of Russian President Vladimir Putin and “his thugocracy.”
The trouble for parties, politicians and voters is that a single weak spot can cause immense damage. For example, John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign, had his personal email account compromised by a hacking group affiliated with Russian intelligence services. That led to a series of embarrassing news stories for the Clinton campaign.
Although the consequences for the Podesta hack were mainly political, a similar kind of attack could leave party voters lists or other personal information vulnerable. In the spring, the committee heard testimony from security expert Chris Vickery about how common it is for hackers to find personal information sitting on an unsecured server, virtually waiting for bad actors to discover it.
Nathaniel Erskine-Smith, the vice-chair of the committee and Liberal MP, asked the representatives from CSE if there should be regulations governing political parties that are holding sensitive personal information to help avoid hacks.
Boucher gave no definitive recommendation either way, but warned that creating these kinds of rules isn’t a silver bullet. When there’s a standard like that, there’s a race to the bottom, said Boucher. With a regulation, people will try to reach the lowest minimum standard and no more. CSE has briefed the political parties on how to secure their systems and has released general guidelines for strong passwords, mobile security and social media tips on its website.
In an interview after the committee, Erskine-Smith argued that, at the very least, two-factor verification should be mandatory — that’s a system where users are required to provide an extra piece of information along with their password, for example, a security code sent via text message.
“I take the point that it might be a race to the bottom. But if no one’s at the so-called bottom yet, that’s a greater concern,” said Erskine-Smith. “We need to make sure people are meeting a minimum threshold to prevent against malicious activity.”
Erskine-Smith said he has confidence that all the parties are seized with the issue and working to prevent any breaches.