The ugly news about Russian interference in the U.S. presidential election forced the issue of cybersecurity into the political spotlight in 2016. Since this catalytic event, political leaders have grappled with cybersecurity awareness on a global stage — and not all have done so gracefully.

Bad actors, whether politically motivated or not, grow increasingly sophisticated as our world becomes more rooted in technology. However, it appears lawmakers aren’t prepared for this reality. One example: too many are in the dark about website encryption — 61% of world politicians’ websites aren’t HTTPS-secured.

With the 2020 presidential election approaching, cybersecurity deserves to be a core issue for candidates. But actions speak louder than words, especially in politics.

So, ahead of the October Democratic debate, we set out to assess the top 12 presidential candidates, including the incumbent, President Donald Trump, based on their cybersecurity awareness. Here’s how we did it.

Methodology

To investigate candidates’ cybersecurity awareness, we looked at both their words (the policies they’ve supported and any public stance they’ve taken) and their actions. To assess the latter, we audited a range of factors and graded their website security efforts against criteria similar to PCI security standards.

All information used in the audit is available publicly through resources such as Google, campaign websites, DNS lookup, news articles and websites that allow internet users to check if their personal data has been compromised by data breaches.

We also externally scanned each candidate’s website with our SiteLock Risk Assessment tool to collect more information regarding their cyber risk. No intrusive or disruptive technologies were used to ascertain their status on the various criteria.

Each factor we investigated falls into one of four buckets: the candidate’s cybersecurity platform, their cybersecurity actions, their privacy and data practices, and email security factors.

Cybersecurity platform:

  • Does the candidate have a proactive cybersecurity stance in their 2020 platform?
  • Does the candidate publicly support any cybersecurity bills/committees?
  • Has the candidate been involved in a past cybersecurity breach?
  • Has any email from the candidate’s campaign/domain been found on the dark web?

Cybersecurity actions:

  • Are all of the campaign’s web properties (main site, store site, email form) secured with a verified SSL certificate?
  • Do all campaign web properties use a cloud-based web application firewall (WAF) and a content delivery network (CDN)?
  • Is the campaign website built on a CMS such as WordPress or Drupal?
  • Is the candidate’s CMS/software up to date (main site, store site, and email form)?
  • Does the candidate use third-party software for their online store?
  • Is the default admin login URL accessible on their site?

Privacy and data:

  • Does the candidate have a published privacy policy on their website?
  • Does the candidate have a cookie disclosure on their website?
  • Does the candidate disclose data sharing in the privacy policy?

Email factors:

  • Is there a CAPTCHA included in all email forms on their website?
  • Is there a CAPTCHA included on the logins for the online store?
  • Is the candidate using a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy?
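
A passive check for the DMARC factor listed above, as an added example that is not SiteLock's audit code: it classifies the TXT records published at `_dmarc.<domain>` following RFC 7489. The function names, the result labels and the sample records are assumptions made for this illustration.

```python
# Added example: classify the DMARC policy published for a domain (RFC 7489).
# Input is the list of TXT strings found at _dmarc.<domain>; no network access.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    # Audit view: a record without a valid p= tag is reported as a defect.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def assess_dmarc(txt_records):
    """Labels (chosen for this example): missing, invalid, monitor-only, partial, enforcing."""
    records = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # several DMARC records: receivers apply none of them
    tags = parse_dmarc(records[0])
    if tags is None:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor-only"  # reports only, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # malformed pct falls back to default
    return "enforcing" if pct >= 100 else "partial"


if __name__ == "__main__":
    samples = {  # constructed records for illustration
        "no-record.example": ["v=spf1 -all"],
        "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
        "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
        "strict.example": ["v=DMARC1; p=reject; sp=reject"],
    }
    for domain, txt in samples.items():
        print(f"{domain:20} {assess_dmarc(txt)}")
```

A record that exists but says `p=none` only requests reports, so an audit that asks merely whether a DMARC record is present will overstate a domain's protection against spoofed mail.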

The answers to these questions determined a point value for each factor, ultimately leading to a total score on a scale of 100 for each candidate, which was then translated to a letter grade. To earn an A, the candidate needed an exceptional score across all factors. In general, they’d have to be vocal about their plans to enact cybersecurity legislation and meet cybersecurity standards in a near-perfect fashion.

We disclosed the results to each candidate’s campaign team before publishing to provide a chance for them to respond to and act on the grade.

The results

[Image: Cybersecurity Report Card, available for download]

None of the candidates we audited have mastered a fully secure online presence alongside a strong cybersecurity platform as a candidate, though a few came close.

Elizabeth Warren (A-), Cory Booker (A-) and Bernie Sanders (B+) led the pack. Meanwhile, Amy Klobuchar (C), Joe Biden (C-) and Andrew Yang (D+) brought up the rear.

Warren rose to the top of our cybersecurity awareness ranking because of her advocacy for stronger cybersecurity practices. Kamala Harris has also been vocal on cybersecurity legislation, and her support of cybersecurity proposals in Congress and as California Attorney General boosted her final grade.

Although President Trump appeared in the top five candidates, his lack of a cybersecurity awareness platform for his 2020 candidacy and his involvement in a past public breach kept him from rising to the top. Trump International Hotels experienced three breaches between August 2016 and March 2017, during which Trump led the business.

When it comes to actual cybersecurity practices, candidates struggle most with email subscription form practices. Only one of the 12 candidates, Kamala Harris, included a CAPTCHA on the email form — a simple tactic that can prevent bots from bombarding the site owner with requests, driven by a malicious intent to steal email addresses. The average website encounters 62 attacks each day, according to SiteLock’s 2019 Website Security Report, making a CAPTCHA a vital defense. 

Additionally, 58% of the candidates’ websites use out-of-date software or CMS, putting the majority of them at risk of getting hacked. For example, an outdated site built on WordPress, the most popular CMS, is 10 times more likely to be hacked than an up-to-date WordPress site, according to our data.

Technically, anything short of perfect cybersecurity awareness practices should be viewed as a security flaw because it only takes a single vulnerability to fall victim to a bad actor. The fact that not one candidate can be credited with a perfect score proves that cybersecurity awareness is an overlooked issue.

Candidate Observations

As previously mentioned, we disclosed the results to each individual candidate’s campaign team before publishing to provide a chance for them to respond to and act on the grade. Although reaction was minimal, we did receive general feedback on the following:

  • Default admin login being publicly accessible – Some candidates were able to provide evidence of alternative methods in place to help circumvent potential risk. In this case, we gave additional credits to those candidates and adjusted their scores accordingly.
  • Use of CAPTCHA on sign-up form – Some candidates felt this particular grading criterion did not present a significant security risk, and those who were using WAFs felt that they had enough protection in place. Although we agreed that CAPTCHA is not tied to any specific security risk, we do feel it’s part of good web hygiene, so it remained part of the criteria with a lower weight assigned.
  • Campaign emails found on the dark web – Some candidates felt this was out of their control, and did not provide a specific attack vector as all email addresses have the potential to be enumerated. Although we agree this criterion is impossible to control, the amount of contact information available on any website provides a larger surface area for potential risk, such as a phishing attack. It remained a part of our criteria.

The impact of voter cybersecurity concerns

Nearly half of Americans (49%) don’t trust the federal government to protect their data, according to Pew Research Center. But citizens should be able to trust those in power to protect them against all security threats, whether physical or digital.

From Capital One to the City of Atlanta, cyberattacks are on the rise in both the private and public sectors. Educating voters on cybersecurity concerns will impact the way they vet the candidates, so candidates need to be educated and informed about the latest cyber trends to serve their constituents and represent their best interests.

But if a candidate’s cybersecurity awareness is currently lacking, it doesn’t mean they’re doomed. Technologies and training to support a comprehensive cybersecurity strategy are accessible to politicians, organizations or businesses of any size. 

On the road to November 2020, voters should continue to press candidates on the issue of cybersecurity. As our world becomes more connected, the need for a leader who will champion the issue only becomes more urgent. Keep a close eye on your 2020 candidates to see how they rise to the challenge.