Experts have been warning for months that hackers could try to disrupt Tuesday’s election by penetrating local voting systems. But another target could prove easier to hack: U.S. media outlets offering election night results.
Upguard, a Mountain View, California, company that assesses how well companies are protecting themselves from hackers, has found that three major news organizations – The Associated Press, The Wall Street Journal and CBS News – tallied “pretty abysmal” scores on key criteria to thwart breaches.
All three are key sources of election night results, with the AP perhaps the largest provider of election tabulations in the country. Upguard ranked 20 media companies in its survey.
The scorecard comes amid an uptick of hacks on journalists and news organizations. Targets have included BuzzFeed, which Upguard ranked among the five most secure media companies but which still suffered a breach Oct. 5.
A week earlier, Newsweek saw its website mysteriously crash.
Hackers, both domestic and in foreign countries, namely Russia, have already changed the course of this election campaign with high-profile penetrations of computer systems and thefts of internal emails and documents.
A hack of servers storing information for the Democratic National Committee, revealed in June, led to DNC Chairwoman Debbie Wasserman Schultz stepping down in late July, hit by charges that she’d tilted the party nomination battle from Vermont Sen. Bernie Sanders toward Clinton. Another hack led her successor as interim chairwoman, Donna Brazile, to lose her gig as a Democratic pundit on CNN in mid-October, when leaked emails showed that she’d passed town hall questions to Clinton ahead of time.
Breaking into a major news outlet on Election Day and passing off misinformation could feed into “the general trend of making a mockery of democracy and the sense of unreality – that things don’t matter,” said Greg Pollock, vice president of product at Upguard.
After conducting drive-by external assessments, much as a hacker would do, Upguard gave each company a score for cyber risk preparedness. The scores were modeled on the credit ratings people get for financial health.
On a scale up to 950, Upguard gave CBS the lowest score (334), with slightly higher scores for The Wall Street Journal (376) and The Associated Press (378).
“Those are quite bad scores. Those are the kind of scores we see for companies with major security failures,” Pollock said.
CBS and The Wall Street Journal did not respond to requests for comment.
A spokeswoman for The Associated Press, a nonprofit news agency that has built a reputation as a trusted source of global and domestic news, declined to comment about its security measures.
“Given the extraordinary interest in the presidential election and thousands of other state and local contests, we would add that AP has been working diligently to ensure that vote counts will be gathered, vetted and delivered to our many customers on Nov. 8,” said Lauren Easton, a spokeswoman for the cooperative, whose members are U.S. newspapers and broadcasters.
Upguard looked at more than 20 criteria that Pollock said were commonly accepted as “best website security standards.” They include whether a firm uses basic standard encryption between its own servers and the computers of those visiting the website, and whether it hides information about its own servers from those outside its firewalls.
Asked about the AP, Pollock looked and said: “They are using a Windows server called Microsoft-IIS/7.5. As a hacker, I can go and Google vulnerabilities of IIS/7.5.
“Essentially, it just gives me a lot of information about what bugs to place if I wanted to break into the site or do a denial-of-service attack. The fact that it’s not obscured gives me an indication that they are not using good practices internally.”
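The two criteria described above, encryption toward visitors and not exposing server details such as the `Microsoft-IIS/7.5` banner, can be checked from the defender's side against a site's own responses. This is an added example, not Upguard's methodology or code from the article; the response samples are constructed and the function names are hypothetical.

```python
import re

# Response headers that commonly name the server software.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # a dotted version such as 7.5

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html
"""
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
"""

def parse_headers(raw):
    """Split a raw response head into (status_code, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    code = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def audit(raw, scheme):
    """Return findings for one response that was fetched over `scheme`."""
    code, headers = parse_headers(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses version: {value}")
    if scheme == "http":
        redirected = code.startswith("3") and headers.get("location", "").startswith("https://")
        if not redirected:
            findings.append("plain HTTP served without redirect to HTTPS")
    elif "strict-transport-security" not in headers:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    return findings
```

Removing the version from a banner only reduces what an outside scan learns; the server still needs to be patched.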
Upguard did not assess McClatchy, a company based in Sacramento, California, that owns newspapers in 29 U.S. cities.
Other cybersecurity experts said they expected imminent problems for media companies.
“I’ll be amazed and shocked if we don’t see attacks tomorrow,” said Bobby Kuzma, a system engineer at Core Security, a Roswell, Georgia, company that offers network security.
“There’s so many bits of infrastructure involved with getting news to press (or website, as it is today), that extensive vulnerabilities are likely to be the rule, rather than the exception. With decreasing budgets and revenue streams, that cybersecurity spending would take a backseat to other priorities is not shocking,” Kuzma added.
He said media companies might see distributed denial-of-service attacks, which use multiple computers to bombard a site with data, freezing it, or “subtler defacements and misinformation during the election.”
In cybersecurity, many companies fail to take sufficient steps until faced with a crisis, Pollock noted: “In the absence of actually getting breached, companies just default to ignoring these problems.”
Upguard rankings and scores
The Washington Post (731)
Fox News (574)
Huffington Post (511)
The New York Times (480)
USA Today (470)
The Associated Press (378)
Wall Street Journal (376)
CBS News (334)