Canadian Election Cybersecurity

15 minute read | Last updated 12-Feb-2019 |  Security

Watch the episode on YouTube

Join the discussion on LinkedIn

Share on Twitter

Bad Robot Transcript

Hey everybody. How you doing today on this episode of the show. We’re going to talk about elections and cybersecurity. Now, it looks like we’re going to have a federal election here in Canada in the fall of 2019. Canadian elections are a little bit different in that they only last 30 days.

Now, we have had a few go into the 40s, but not much further than that. And that was even a special circumstance. So we’re talking about actual electoral on campaigning but we aren’t too far out is to talk about the process itself in the challenges around it and sort of that eventual ramp up in one of the biggest topics is your is cyber security now, I wanted to clarify a few things in this video because we are seeing a little bit of the muddying of the water’s not normal political muckraking and muddying but just didn’t understand what exactly sort of the categories of of challenges are around elections and cybersecurity now the communication security establishment or the CSE Federal In season they’re tasked with cybersecurity and signals intelligence.

I am but they are our federal government cyber-security area of expertise and they published a research report last year that detailed the threats to Canada’s Democratic process Now is really well-written paper well-researched and the good news here is that the actual mechanics of the electoral process are rather secure we’ve got on the way we do votes the way their votes are tallied the way that they’re automatically audited a certain percentage that’s a really strong system and it’s unlikely that anything is going to put that address.

So that is great news. You can cast your ballot be assured that it is going to count for the person you intended awesome. The second aspect of cybersecurity is that of the campaigns and the people working on those campaigns including the candidates in all their volunteers to dive into that.

I’m in the third one is the one that we discussed most often in which is great because the information at Now from a pure cybersecurity challenge, the second area is far more interesting enough the security of the candidates themselves and of the people working on behalf of their campaigns.

Now, this is where it really becomes a challenge because these are by definition for temporary organizations. There’s a huge amount of volunteer sort of Grassroots efforts and they all need to be able to leverage technology in order to be efficient and to accomplish their stated goals. We know over the last decade but technology plays an absolutely massive roll with in electoral campaigns in any democracy.

So the challenge here is that they’re all so high-profile targets. We saw it in the 2016 election result in the EU elections in 2016 and 2017 where they are at Target for cybercriminals to reach the organization in order to steal information to be there leaking out for political motives or extortion or any number of Nefarious and games.

So the idea here is to help campaigns understand the cyber security challenges in a lot of people go out. We’ll go with standard cyber security awareness. Champions will teach them this. Nothing but those are highly in effective. There’s two major things that I think campaigns need to focus on to increase or cybersecurity and it doesn’t matter which area of the spectrum you are.

This is completely politically agnostic the idea here is to set it up so that nobody is the results have to deal with the results of a hack during the campaign or leading up to the campaign. So first thing you need to do is be aware that you are a prime target for fishing by the very nature of political campaigns are relatively transparent, you know who you’re working for, you know, the key members in the campaign.

So it is not unlikely. It is not unheard of for a people’s motion tend to be able to gather the information. They need to really targeted email in a phishing attack. Now the challenge is a lot of people go while you know, what you should click on links that are emailed to you.

The only purpose of Link has has to be clicked on. So I think it’s far more effective to teach political candidates in their campaign in anybody who’s impacted by fishing to Winnie if you click on a link so for sure give it that first look and if it looks suspicious don’t click on it, but most the time you’re not going to be able to tell if you click on a link and then it prompts you to take an action like download a file or enter your credentials now you need to stop and think so if you click on a link from an email and asked you to answer your credentials never do it manually go to the site that you know, you’re supposed to be referencing so somebody shares a document from Dropbox or Google Docs or something with you.

Don’t click on any click on the link and it comes through and it says hey give me your Google credentials don’t In a new browser tab type in your Google address go there and log in that way. You should see a request in your notifications that you’ve been granted access to that file.

Go that route. The better way saying the Dropbox they was pretty much everything if you click on a link in and ask you that your credentials do not that’s going to protect you from a huge amount of stuff similar. Like if you cook on Lincoln and ask you to download a file or to run a program or something.

Question, is this actually from a legitimate source. Is this the intended outcome it again, there’s normally ways you can do that opening up a new browser tab searching for the thing that you’re looking for going through an authorized vehicle on the flip side. If you’re a part of a campaign or work of the campaign don’t email himself to ask them for their credentials really aware of that because this isn’t operational security challenges going to protect your data.

Now the second aspect of cybersecurity for campaigns is much much trickier and that is stop sharing all the information with everybody. You need to compartmentalize because right now, The inside or the outside. If you’re on the inside you get access to everything which means every single person. If one of those people gets breached if they get fish successfully that means your entire campaign your entire operation is at risk, there’s nothing wrong with compartmentalizing information in order to reduce the potential blast radius of any sort of issue.

So if you have volunteers out there signing up people to support your campaign, they don’t need to be able to look up everybody they can just simply enter new information and if they enter new information and it’s already they’re sort that out in the back and don’t give your volunteers on the street the ability to look at the entire mailing list of the entire set of supporters information because they don’t need that.

They just need to be able to enter information. That’s a small example but things like that are going to be throughout your campaign and you’ll be able to successfully reduced and compartmentalize a reduced that blast radius and compartmentalize the information without impacting our operations. That’s a really Keys you need to compartmentalize without impacting operations because I understand the goal here is on a very very tight timeline to get you.

Candidate or your view point across so it’s really really difficult but reducing that blast radius by compartmentalizing is absolutely critical for free to help your campaign before now course, you want to have a good email security system that’s going to be a looking at them all those links and scanning them for malware scanning them for known bad sites things like that, but from an operational from an educational perspective, that’s what you want to start with.

There’s a lot more to come on this but I think I just want to get that out there. So the people start thinking about it and I’m and then the biggest issue is all misinformation around social media around fake news and we’ll tackle that in a future video. But right now I wanted to identify those three major areas of cybersecurity around an election.

You got the election itself. We know in Canada that is in good hands. We just need to continue to invest in the agencies that protect our elections and keep them well funded in while staff at the second is around the campaigns and themselves in the political parties in the volunteers.

That’s a lot of Security with David about a bit in this video and the third is around misinformation will cover that in an upcoming show. What do you think? Let me know hit me up online at Market in the comments down below and as always by email me at Mark and nausea is a lot to talk about here.

And I think we absolutely need to talk about it because elections no matter which side you are on or who you support. They impact us all and they need to be fair and free. Hey everybody. How you doing today on this episode of the show. We’re going to talk about elections and cybersecurity.

Now, it looks like we’re going to have a federal election here in Canada in the fall of 2019. Canadian elections are a little bit different in that they only last 30 days. Now, we have had a few go into the 40s, but not much further than that. And that was even a special circumstance.

So we’re talking about actual electoral on campaigning but we aren’t too far out is to talk about the process itself in the challenges around it and sort of that eventual ramp up in one of the biggest topics is your is cyber security now, I wanted to clarify a few things in this video because we are seeing a little bit of the muddying of the water’s not normal political muckraking and muddying but just didn’t understand what exactly sort of the categories of of challenges are around elections and cybersecurity now the communication security establishment or the CSE Federal In season they’re tasked with cybersecurity and signals intelligence.

I am but they are our federal government cyber-security area of expertise and they published a research report last year that detailed the threats to Canada’s Democratic process Now is really well-written paper well-researched and the good news here is that the actual mechanics of the electoral process are rather secure we’ve got on the way we do votes the way their votes are tallied the way that they’re automatically audited a certain percentage that’s a really strong system and it’s unlikely that anything is going to put that address.

So that is great news. You can cast your ballot be assured that it is going to count for the person you intended awesome. The second aspect of cybersecurity is that of the campaigns and the people working on those campaigns including the candidates in all their volunteers to dive into that.

I’m in the third one is the one that we discussed most often in which is great because the information at Now from a pure cybersecurity challenge, the second area is far more interesting enough the security of the candidates themselves and of the people working on behalf of their campaigns.

Now, this is where it really becomes a challenge because these are by definition for temporary organizations. There’s a huge amount of volunteer sort of Grassroots efforts and they all need to be able to leverage technology in order to be efficient and to accomplish their stated goals. We know over the last decade but technology plays an absolutely massive roll with in electoral campaigns in any democracy.

So the challenge here is that they’re all so high-profile targets. We saw it in the 2016 election result in the EU elections in 2016 and 2017 where they are at Target for cybercriminals to reach the organization in order to steal information to be there leaking out for political motives or extortion or any number of Nefarious and games.

So the idea here is to help campaigns understand the cyber security challenges in a lot of people go out. We’ll go with standard cyber security awareness. Champions will teach them this. Nothing but those are highly in effective. There’s two major things that I think campaigns need to focus on to increase or cybersecurity and it doesn’t matter which area of the spectrum you are.

This is completely politically agnostic the idea here is to set it up so that nobody is the results have to deal with the results of a hack during the campaign or leading up to the campaign. So first thing you need to do is be aware that you are a prime target for fishing by the very nature of political campaigns are relatively transparent, you know who you’re working for, you know, the key members in the campaign.

So it is not unlikely. It is not unheard of for a people’s motion tend to be able to gather the information. They need to really targeted email in a phishing attack. Now the challenge is a lot of people go while you know, what you should click on links that are emailed to you.

The only purpose of Link has has to be clicked on. So I think it’s far more effective to teach political candidates in their campaign in anybody who’s impacted by fishing to Winnie if you click on a link so for sure give it that first look and if it looks suspicious don’t click on it, but most the time you’re not going to be able to tell if you click on a link and then it prompts you to take an action like download a file or enter your credentials now you need to stop and think so if you click on a link from an email and asked you to answer your credentials never do it manually go to the site that you know, you’re supposed to be referencing so somebody shares a document from Dropbox or Google Docs or something with you.

Don’t click on any click on the link and it comes through and it says hey give me your Google credentials don’t In a new browser tab type in your Google address go there and log in that way. You should see a request in your notifications that you’ve been granted access to that file.

Go that route. The better way saying the Dropbox they was pretty much everything if you click on a link in and ask you that your credentials do not that’s going to protect you from a huge amount of stuff similar. Like if you cook on Lincoln and ask you to download a file or to run a program or something.

Question, is this actually from a legitimate source. Is this the intended outcome it again, there’s normally ways you can do that opening up a new browser tab searching for the thing that you’re looking for going through an authorized vehicle on the flip side. If you’re a part of a campaign or work of the campaign don’t email himself to ask them for their credentials really aware of that because this isn’t operational security challenges going to protect your data.

Now the second aspect of cybersecurity for campaigns is much much trickier and that is stop sharing all the information with everybody. You need to compartmentalize because right now, The inside or the outside. If you’re on the inside you get access to everything which means every single person. If one of those people gets breached if they get fish successfully that means your entire campaign your entire operation is at risk, there’s nothing wrong with compartmentalizing information in order to reduce the potential blast radius of any sort of issue.

So if you have volunteers out there signing up people to support your campaign, they don’t need to be able to look up everybody they can just simply enter new information and if they enter new information and it’s already they’re sort that out in the back and don’t give your volunteers on the street the ability to look at the entire mailing list of the entire set of supporters information because they don’t need that.

They just need to be able to enter information. That’s a small example but things like that are going to be throughout your campaign and you’ll be able to successfully reduced and compartmentalize a reduced that blast radius and compartmentalize the information without impacting our operations. That’s a really Keys you need to compartmentalize without impacting operations because I understand the goal here is on a very very tight timeline to get you.

Candidate or your view point across so it’s really really difficult but reducing that blast radius by compartmentalizing is absolutely critical for free to help your campaign before now course, you want to have a good email security system that’s going to be a looking at them all those links and scanning them for malware scanning them for known bad sites things like that, but from an operational from an educational perspective, that’s what you want to start with.

There’s a lot more to come on this but I think I just want to get that out there. So the people start thinking about it and I’m and then the biggest issue is all misinformation around social media around fake news and we’ll tackle that in a future video. But right now I wanted to identify those three major areas of cybersecurity around an election.

You got the election itself. We know in Canada that is in good hands. We just need to continue to invest in the agencies that protect our elections and keep them well funded in while staff at the second is around the campaigns and themselves in the political parties in the volunteers.

That’s a lot of Security with David about a bit in this video and the third is around misinformation will cover that in an upcoming show. What do you think? Let me know hit me up online at Market in the comments down below and as always by email me at Mark and nausea is a lot to talk about here.

And I think we absolutely need to talk about it because elections no matter which side you are on or who you support. They impact us all and they need to be fair and free.