MPs who are leaving the protection of parliament for the campaign trail will render the election significantly more vulnerable to hacking, leading security researchers have warned.
According to Dr Udo Helmbrecht, executive director of the European Union’s Agency for Network and Information Security (ENISA), hackers have their best opportunity to intervene in democracies in the weeks running up to the election because parliament’s information security services are no longer overseeing their accounts. If hackers want to disrupt a democracy, elections are the time to do it, he said.
As MPs head out on the campaign trail after Wednesday’s dissolution of parliament, they are no longer granted the special status of MPs and hence lose the protection of Westminster’s IT security infrastructure. This gives attackers increased opportunities to obtain data and gain access to sensitive networks.
Dick O’Brien, a threat researcher at security firm Symantec, said: “The nature of elections means that politicians are ripe for attack. Governments are well secured, political parties not so much. And then a campaign expands from a core party into a much more ad hoc organisations.”
With thousands of parliamentary candidates nationwide, any one can be a weak spot that allows organised attackers a bulkhead from which to penetrate party machinery.
“If you look from a politician’s perspective or from a party’s perspective, you have different areas of concern,” said Helmbrecht. “In Germany, the Bundestag was hacked. This was not a weakness in the classic infrastructure – it was naive treatment by parliamentarians.”
One legislator who has been independently hacked can infect an entire network if they aren’t careful. “If you plug insecure devices into a parliamentarian infrastructure, it gets infected,” Helmbrecht said.
“You have three areas: one is parliamentarian, where you have professional IT skills.” Against the national security apparatus protecting state IT networks, hacking attacks tend to require extraordinary means to pull off.
“Then you have party’s infrastructure themselves,” Helmbrecht said. Political parties, unlike parliaments and governments, tend to lack the resources for a full IT department, instead relying on commodity cloud services such as Google Apps. It was this reliance on general hardware that rendered the Democratic National Committee susceptible to “phishing” in the runup to the US election: because the Clinton campaign communicated using Gmail, the hackers (known as Cozy Bear and Fancy Bear, and strongly suspected to be Russian state actors) were able to craft convincing login screens, eventually tricking Clinton aide John Podesta into handing over his password.
Helmbrecht’s third area is at the level of individual parliamentary candidates. While candidates have links to the head offices of their parties, many of them operate their own IT on a largely self-administered level, hence the plethora of different website templates, email address styles and so on that an election throws up. “That’s where you see people using resources, cloud services, and email, that they really wouldn’t use in a more permanent organisation,” said O’Brien. “That really opens up the surface for an attack.”
The researchers were speaking against the background of a report from Symantec showing that nation state-level attacks have shifted from economic espionage to more overt political sabotage. O’Brien said: “I think the decline in economic espionage is motivated by the agreement between the US and China, and that seems to be holding.