Not If...When: Data (In)Security Will Impact The 2012 Presidential Election Race
It’s election time, and with the Republican field narrowed down to Mitt Romney as the likely nominee, we have ourselves a Presidential race to watch.
When it comes to politics I’m probably at my most cynical, so it’s not what candidates are saying about the issues that catches my attention.
It’s the side shows – that’s where all the fun stuff happens – the negative ads, the personal scandals, the fears of voting failures and miscounts, the “facts” invented at debates and called out by fact checkers, and the outright lies. It’s all part of the program.
And we can’t forget the hacking. That part of today’s election process is one I’m always interested in. Last time around we saw Sarah Palin’s personal email exposed. We saw Obama’s campaign website traffic redirected to Hillary Clinton’s site.
We heard from the FBI that both Obama’s and McCain’s computers had been hacked by the Chinese, who stole “serious amounts of files”. Secretary of State Condoleezza Rice was forced to publicly apologize after State Department employees obtained unauthorized access to Obama, Clinton, and McCain’s passport information.
We also saw a rash of research on vulnerabilities in electronic voting machines, where for a while it felt like everyone was jumping in with another approach to hack the vote.
So here we stand, unsure of what’s ahead, but with good reason to expect someone to try their hand at hacking some part of this election. And there are just so many options to choose from. Email scams are popular and oh-so-easy to execute these days. Dummy websites and the slightly more sophisticated website hijacking are other interesting options that could quickly turn a candidate’s public position on the issues right on its head.
Then there is social media – stolen Facebook and Twitter accounts sure could be used to say some embarrassing stuff. These are all lightweight hacks, but ones that could impact public opinion. There is also the potential for more substantial hacking activity.
Breaking into poorly protected government systems and revealing personal or financial information, stealing and posting lists of campaign donations, or disrupting or corrupting electronic voting systems – these tactics are available to those with expertise, funding, or both.
And our data and systems are no more secure than they were in 2008. It’s not that information security products haven’t improved over the past four years; they certainly have. But at the same time, attacker technology has improved as well, and if you factor in cost and adoption rates, attacker technology has evolved much faster.
Many tools of the trade for attackers are free and easy to get your hands on. There is no budgeting or procurement process, no certification or vetting for production worthiness. Attackers get the new tools as soon as they hit the virtual shelves, while security teams often have to wait years to update each different product in their security portfolio – and rarely then can they afford to buy best-of-breed.
If you’re just a bystander out there, enjoy the show. Hopefully this time around it’s uneventful, but let’s not act surprised when info on the candidates starts hitting the streets.
If, on the other hand, you’re one of the folks whose systems contain information about the candidates or about the election, take a moment to think about the bad guys. If they decided to target you, what would they want to take? How would they get to it? And how would you know what’s happening and prevent damage from being done?
If your systems are today’s hot targets, bring security right to those systems first. It may take some effort to work out everyone’s performance or reliability concerns with your new security initiative, but don’t let that get you down. The data is too important and the risks too great to fall into old (bad) habits.
Speaking of old bad habits, does ‘protect the network to protect the data’ ring a bell to anyone? BTW – that approach doesn’t work!