Waterloo Region Record

Cybersecurity risks increase during elections

On cybercrime, political parties must practise what they preach

- BRENNEN SCHMIDT AND ALLAN BONNER Brennen Schmidt is principal of the ALIAS Technology Group. Dr. Allan Bonner is a crisis manager based in Toronto.

It’s almost federal election time. That means many Canadian voters will be trying to guess if political parties will do what they say they will if elected. That’s a difficult guess. But what about judging a political party’s credibility on a policy issue by seeing if it practises what it preaches?

Here’s an easy example. Cybersecurity is in the news. It’s in the budget, too. A while ago, the federal government devoted hundreds of millions of dollars to the threat. And every day there’s news from the U.S. about past and present meddling in the political process. There are also serious worries about future elections and even the need for paper ballots to ensure that the meddling isn’t in cyberspace or a cloud somewhere.

Fans of detective novels and movies enjoy the denouement at the end when the culprit is exposed. Unfortunately, any unmasking in the event of meddling with Canada’s Oct. 21 election will likely reveal a culprit made up of ones and zeros — computer language.

Media coverage of elections often features stories about the ones and zeros in the party’s bank accounts. Donations must be recorded to the penny, and legislation defines exactly who can donate and how much. All donations must be publicly reported.

This isn’t the case, however, for the public disclosure of cybersecurity audits of political parties. We have yet to see any commitment by any party that it will file the results of an audit performed by a reputable third party specializing in cyber-risk.

Political parties should use audits and other techniques to reduce cyber-risk because they have possession of your valuables as much as your bank does. You just don’t know it.

Bank robberies are relatively rare. Banks invest heavily in physical safeguards and security. They have processes in place to minimize the risk of theft. They also have insurance, mandated by the federal government in the highly unlikely case of a bank going bankrupt. Your money’s pretty safe.

But your information is not safe when a political party gets it. And you can be sure they have your name, address, voting preference, whether you took a sign last election or gave money, and information about your income, education and much more.

“So what?” you might say. You’re proud of the party you support and don’t mind everyone knowing. You’re also proud of what you earn and don’t mind people knowing that — very much. But knowing your street name, original name and married name, the names of your schools and more just might reveal many security question answers you’ve used at your bank. Many institutions ask the name of our pet, first school, mother’s last (maiden or married) name and so on.

Political parties are very likely storing this and other information about you, using a variety of tools including surveys and other forms of data collection.

Campaign teams are mainly volunteer armies. They’re spread across the country, often modifying party policy on the use of electronic devices and cloud services. This is like a chartered bank also using a few inexpensive storage lockers here and there. Bank robbers case the joint from across the street — watching activities and behaviours, carefully recording what people do. Casing the joint is even easier when it comes to cybercrime. Stealing data from campaign teams, including political candidates, might be as easy as borrowing a smartphone where lots of data is stored. It might involve borrowing a computer in the campaign office after volunteering to write a speech.

So, the threat can come from the outside, including accessing data from a parked car outside the campaign office — perhaps through a campaign’s compromised Wi-Fi network. Or the threat can be an inside job by what looks like another volunteer using the office washroom after putting up a few signs.

So what’s the solution? Make political parties practise what they preach. We have privacy laws. It’s a Criminal Code violation to sequester someone’s private information using a computer. In some jurisdictions, it’s a crime to move private information across a jurisdictional boundary — and that may be exactly what a party is doing by using the cloud. Yet the members of that party are campaigning on upholding privacy and other laws. They’re campaigning on keeping us safe from ordinary criminals, terrorists and bad actors in foreign countries.

Let’s have those political parties start with their own policies on storing our data. Each time a call is made or a door is knocked on, the electorate’s response is recorded. This data is stored on electronic devices we have very little knowledge of, including what the data is, where it’s housed, who has access to it and so on. Parties should publish their cybersecurity policies and subject themselves to audits that they publish.

Together, voters, political parties, charities and other non-partisan groups might be able to thwart cybercriminals and bad actors.
