Opinion

In the Liberal leadership race, the cybersecurity risks are massive

In the Liberal leadership race, the cybersecurity risks are massive

The following first appeared in the Globe and Mail on January 28, 2025. 

If you set out to intentionally design a perfect target for a cyberattack, you couldn’t do much better than the Liberal Party of Canada’s leadership contest now underway.

Foreign adversaries like Russia and China are well incentivized to try: The political impact of a well-organized ransomware attack against the party or one of the candidates (to take just one example of the kind of attack that could be launched) could be enormous – not necessarily in tilting the scales toward one candidate or another, but in delegitimizing the winner. A prime minister with a credibility problem helps Canada’s adversaries.

This leadership contest is particularly vulnerable to cyber attack because it is being set up and run on such a short timeline and because of the kinds of organizations involved.

Organizations are cybersecure when cyber-aware employees operate in accordance with regularly-practised processes, supported by cybersecurity staff using thoughtfully integrated technologies.

Even if we assume that the Liberal Party of Canada is vigilant about cybersecurity, the individual campaigns of the leadership candidates almost certainly are not.

It’s not candidates’ fault, necessarily: These campaigns are building up frantically, working against unprecedented deadlines. They have had no time for the repeated cybersecurity awareness training that is most effective, let alone the implementation of strong processes.

There has been no time for fundraising, so the campaigns are not well-resourced, and are unlikely to spend money on cybersecurity technologies. We can bet that the campaigns are focusing on cobbling together the $350,000 entrance fee, not buying endpoint-protection software.

And then there’s the question of the staff operating these campaigns. Many of them are volunteers, working remotely, within ad hoc management structures. Many likely use their own devices, and cloud-based commercially available (if not free) e-mail, word processing, spreadsheet and productivity software.

All of this creates vulnerabilities.

The danger of a spear-phishing attack – where a sophisticated adversary sends a highly convincing socially engineered e-mail claiming to be from a manager or senior executive, requiring the disclosure of specific information or the downloading of malware – is very high.

This is what Russian hackers launched against Hillary Clinton’s campaign in 2016, and it seriously damaged her effort. And Ms. Clinton’s campaign was well-organized, had been under way for years, and had immense financial resources.

We should be particularly concerned about the lists of Liberal Party of Canada supporters who are entitled to vote for the leadership candidates. These lists will be generated by the Liberal Party and distributed to the campaigns, so that the campaigns can communicate with voters.

These lists are valuable – to the campaigns, but also to cyberattackers. They would provide ample information for further phishing attacks and disinformation campaigns. They must be kept secure.

So what do we do?

First, Liberal Party of Canada leaders and individual campaign managers must raise the cybersecurity alarm with their campaign workers. There’s no time for training or process implementation, so there should be strict rules: Every e-mail and text should be considered potentially fraudulent. E-mailed or texted requests for sensitive information should be confirmed with the sender by phone or in person. In addition, two-factor authentication should be adopted for all campaign workers.

Second, all Liberal Party of Canada supporters who have registered with the party – and whose names will be on the voter list – should be wary of e-mails, text messages and phone calls claiming to relate to the leadership race. Voters should never send money to a campaign without verifying information with the campaign directly. Information received online about the race should be verified by legitimate media sources or the campaigns’ websites.

Finally, the federal government and the private sector should offer help. The federal government’s Security and Intelligence Threats to Elections (SITE) Task Force will monitor the race, which is important. But actual in-the-field resources are needed, too. Private-sector firms with the necessary technical chops (like Microsoft, for example, which has significant expertise in securing elections) should offer free support; the leadership campaigns have few funds and no time to spare.

The stakes are high and the clock is ticking.

Charles Finlay is the Founding Executive Director of Rogers Cybersecure Catalyst, Toronto Metropolitan University’s national centre for training, innovation and collaboration in cybersecurity.

More from the Catalyst