Cybersecurity risks increase during elections
On cybercrime, political parties must practise what they preach
It’s almost federal election time. That means many Canadian voters will be trying to guess if political parties will do what they say they will if elected. That’s a difficult guess. But what about judging a political party’s credibility on a policy issue by seeing if it practises what it preaches?
Here’s an easy example. Cybersecurity is in the news. It’s in the budget, too. A while ago, the federal government devoted hundreds of millions of dollars to the threat. And every day there’s news from the U.S. about past and present meddling in the political process. There are also serious worries about future elections and even the need for paper ballots to ensure that the meddling isn’t in cyberspace or a cloud somewhere.
Fans of detective novels and movies enjoy the denouement at the end when the culprit is exposed. Unfortunately, any unmasking in the event of meddling with Canada’s Oct. 21 election will likely reveal a culprit made up of ones and zeros — computer language.
Media coverage of elections often features stories about the ones and zeros in the party’s bank accounts. Donations must be recorded to the penny, and legislation defines exactly who and how much they can donate. All donations must be publicly reported.
This isn’t the case, however, for the public disclosure of cybersecurity audits of political parties. We have yet to see any commitment by any party that it will file the results of an audit performed by a reputable third party specializing in cyber-risk.
Political parties should use audits and other techniques to reduce cyber-risk because they have possession of your valuables as much as your bank does. You just don’t know it.
Bank robberies are relatively rare. Banks invest heavily in physical safeguards and security. They have processes in place to minimize the risk of theft. They also have insurance, mandated by the federal government in the highly unlikely case of a bank going bankrupt. Your money’s pretty safe.
But your information is not safe when a political party gets it. And you can be sure they have your name, address, voting preference, whether you took a sign last election or gave money, and information about your income, education and much more.
“So what?” you might say. You’re proud of the party you support and don’t mind everyone knowing. You’re also proud of what you earn and don’t mind people knowing that — very much. But knowing your street name, original name and married name, the names of your schools and more just might reveal many security question answers you’ve used at your bank. Many institutions ask the name of our pet, first school, mother’s last (maiden or married) name and so on.
Political parties are very likely storing this and other information about you, using a variety of tools including surveys and other forms of data collection.
Campaign teams are mainly volunteer armies. They’re spread across the country, often modifying party policy on the use of electronic devices and cloud services. This is like a chartered bank also using a few inexpensive storage lockers here and there. Bank robbers case the joint from across the street — watching activities and behaviours, carefully recording what people do. Casing the joint is even easier when it comes to cybercrime. Stealing data from campaign teams, including political candidates, might be as easy as borrowing a smartphone where lots of data is stored. It might involve borrowing a computer in the campaign office after volunteering to write a speech.
So, the threat can come from the outside, including accessing data from a parked car outside the campaign office — perhaps through a campaign’s compromised Wi-Fi network. Or the threat can be an inside job by what looks like another volunteer using the office washroom after putting up a few signs.
So what’s the solution? Make political parties practise what they preach. We have privacy laws. It’s a Criminal Code violation to sequester someone’s private information using a computer. In some jurisdictions, it’s a crime to move private information across a jurisdictional boundary — and that may be exactly what a party is doing by using the cloud. Yet the members of that party are campaigning on upholding privacy and other laws. They’re campaigning on keeping us safe from ordinary criminals, terrorists and bad actors in foreign countries.
Let’s have those political parties start with their own policies on storing our data. Each time a call is made or a door is knocked on, the electorate’s response is recorded. This data is stored on electronic devices we have very little knowledge of, including what the data is, where it’s housed, who has access to it and so on. Parties should publish their cybersecurity policies and subject themselves to audits that they publish.
Together, voters, political parties, charities and other non-partisan groups might be able to thwart cybercriminals and bad actors.