Archive 7 min read

Canadian Election Cybersecurity

Cybersecurity is a major topic when it comes to modern elections. With Canada probably going to the polls in the fall, discussion is heating up about the potential impact of cybersecurity this election cycle. The good news? Canada's election infrastructure is well protected. The challenge wil

Canadian Election Cybersecurity

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Hey, everybody. How are you doing today on this episode of the show? We're gonna talk about elections and cybersecurity. Now, it looks like we're gonna have a federal election here in Canada in the fall of 2019. Now, Canadian elections are a little bit different in that.

They only last 30 days. Now, we have had a few go into the forties, but not much further than that. And that was even a special circumstance. So we're quite a ways out to start talking about actual electoral um campaigning. But what we aren't too far out is to talk about the process itself and the challenges around it and sort of that eventual ramp up.

And one of the biggest topics this year is cyber security. Now, I wanted to clarify a few things in this video because we are seeing a little bit of the muddying of the waters now, not normal political muckraking and muddying, but just in understanding what exactly sort of the categories of, of challenges are around elections and cybersecurity.

Now, the communications security establishment or the CS E um which is uh one of Canada's um federal agencies and they're tasked with um, cybersecurity and signals intelligence. Um, but they are uh our federal government, um, cybersecurity area of expertise and they published a research report last year that detailed the threats to Canada's democratic process.

Now, it was a really well written paper, well researched. Um, and the good news here is that the actual mechanics of the electoral process are rather secure. We've got, um, the way we do votes, the way that votes are tallied, the way that they're automatically audited at a certain percentage, that's a really strong system and it's unlikely that anything is going to put that at risk.

So that is great news. As a Canadian, you can cast your ballot and be assured that it is going to count for the person you intended. Awesome. The second aspect of cybersecurity is that of the campaigns and the people working on those campaigns, including the candidates and all their volunteers.

Now, that's a significant challenge. We're going to dive into that in a second. And then the third one is the one that we discuss most often, which is great because discussion is the only way to tackle it. And that's a misinformation at scale. Now, from a pure cybersecurity challenge, the second area is far more interesting and that's the security of the candidates themselves and of the people on behalf of their campaigns.

Now, this is where it really becomes a challenge is because these are by definition sort of temporary organizations. There's a huge amount of volunteer sort of grassroots efforts. And they all need to be able to leverage technology in order to be efficient and to accomplish their stated goals.

We know over the last decade that technology plays an absolutely massive role within uh electoral campaigns in any democracy. So the challenge here is that there are also high profile targets. We saw it in the 20 16 election, we saw it in the eu elections in 2016 and 2017 where they are a target for cyber criminals to breach the organization in order to steal information to either leak it out for political motives or um extortion or any number of nefarious um end games.

So the idea here is to help campaigns understand the cybersecurity challenges and a lot of people go, oh, we'll go with standard cybersecurity awareness campaigns. We'll teach them this, that and the other thing, but those are highly ineffective. There's two major things that I think campaigns need to focus on to increase their cybersecurity.

And this doesn't matter which uh area of the spectrum you are. This is completely politically agnostic. The idea here is to set it up so that nobody is the result um has to deal with the results of a hack during the campaign or leading up to the campaign.

So first thing you need to do is be aware that you are a prime target for 50 by the very nature of political campaigns are relatively transparent, you know, who you're working for, you know, the key members in the campaign. So it is not unlikely it is not, um, unheard of for uh, people with militias intent to be able to gather the information.

They need to really target an email um, in a phishing attack. Now, the challenge is a lot of people go, oh, you know, you shouldn't click on links that are emailed to you. The only purpose a link has is to be clicked on. So I think it's far more effective to teach um political candidates and their campaign and anybody who's impacted by fishing to when you if you click on a link.

So for sure, give it that first look and if it looks suspicious, don't click on it. But most of the time you're not gonna be able to tell if you click on a link and then it prompts you to take an action, like download a file or enter your credentials.

Now you need to stop and think. So if you click on a link from an email and it asks you to enter your credentials, never do it manually. Go to the site that you know, you're supposed to be um referencing. So if somebody shares a document from Dropbox or Google Docs or something with, you don't click on and you click on the link and it comes through and it says, hey, give me your Google credentials.

Don't in a new browser tab type in your Google address, go there and log in that way you should see a request in your notifications that you've been granted access to that file, go that route. That's a better way. Same with Dropbox, same with pretty much everything.

If you click on a link and it asks you to enter your credentials. Do not. That's going to protect you from a huge amount of stuff. Similarly, if you click on a link and it asks you to download a file or to run a program or something on those lines, stop question.

Is this actually from a legitimate source? Is this the intended outcome? And again, there's normally ways you can do that opening up a new browser tab searching for the thing that you're looking for going through an authorized vehicle. Now, on the flip side, if you're a part of a campaign or working with the campaign, don't email them stuff to ask them for their credentials, be really aware of that because this is an operational security challenge that's going to protect your data.

Now, the second aspect of cybersecurity for campaigns is much, much trickier and that is stop sharing all the information with everybody you need to compartmentalize because right now the way it basically works is you're either on the inside or you're on the outside.

If you're on the inside, you've got access to everything, which means every single person. If one of those people gets breached if they get fished successfully, that means your entire campaign, your entire operation is at risk. There's nothing wrong with compartmentalizing information in order to reduce the potential blast radius of any sort of issue.

So if you have volunteers out there signing up um people to support your campaign, they don't need to be able to look up everybody. They can just simply enter new information. And if they enter new information and it's already there, sort that out in the back end, don't give your uh volunteers on the street the ability to look at the entire uh mailing list or the entire set of supporters information because they don't need that.

They just need to be able to enter information. That's a small example. But things like that are gonna be um throughout your campaign and you'll be able to, to successfully reduce and compartmentalize uh reduce that blast radius and compartmentalize the information without impacting your operations.

That's the really keys you need to compartmentalize without impacting operations because I understand the goal here is on a very, very tight timeline to get your candidate or your viewpoint across. Um So it's really, really difficult but reducing that blast radius by compartmentalizing is absolutely critical that plus that education around fishing is going to be the biggest +12 punch you can do for free to help your campaign move forward.

Now, of course, you want to have um a good email, um security system that's gonna be looking at um all those links and scanning them for malware, scanning them for um known bad sites, things like that. But from an operational, from an educational perspective, that's what you want to start with.

Um there's a lot more to come on this, but I think I just want to get that out there. Um So that people start thinking about it. Um And then the biggest issue is obviously missing around social media, around fake news and we'll tackle that in a future video.

But right now, I wanted to identify those three major areas of cybersecurity around an election. You've got the election itself. We know in Canada that is in good hands, we just need to continue to invest in the agencies that protect our elections and keep them well funded and well staffed.

The second is around the campaigns and themselves and the political parties and the volunteers that's a lot of operational security. We dove into that a bit in this video and the third is around misinformation and we'll cover that in an upcoming show. What do you think?

Let me know, hit me up online at Mark NC A uh in the comments down below. And as always by email me at Mark N dot C A, there's a lot to talk about here. Um And I think we absolutely need to talk about it because elections no matter which side you are on or who you support, they impact us all and they need to be fair and free.

Read next