Election security is too important to ignore
Valimail has been publishing factual research on the state of the email ecosystem for three years now. Our reports are based on our deep, daily analysis of tens of millions of DNS records — in other words, it’s public data; we’re just bringing aspects of it to light.
Criminals scan public DNS records for vulnerabilities in exactly the same way we do, yet some organizations may feel that our research makes a vulnerability more visible. We’re sensitive to these concerns, and that’s why we don’t name specific organizations or domains in our reports. Instead, we focus on broad industry trends and, whenever possible, reach out privately to affected organizations before the research is released.
For years, many have debated whether it is better to stay silent or be open about security flaws. Which provides better security in the longer term? Our belief, in keeping with the consensus of most other cybersecurity professionals, is that it’s better to be open. In short, if security gaps remain a secret known only to criminals, that benefits only the criminals. As a society, we are better off when vulnerabilities are known and publicly disclosed, so we can take effective action.
When it comes to election security, we believe that the stakes are simply too high and urgent not to share this information. There were well-documented attempts to interfere in the fundamental mechanisms of the 2016 and 2018 elections in the U.S., and the most significant hacks (and attempts) were based on flawed email security. Sometimes, it’s important to be very clear about the stakes — and the solutions. That’s why we recently published our report, “Email remains a weak link in U.S. election infrastructure.”
In addition to publishing research, we’ve been working closely with government at the federal and state levels. We’ve helped several federal agencies and state governments to improve their email security postures, starting with automated management of their DMARC, SPF, and DKIM records, enabling some of them to reach DMARC enforcement in record time. We have also worked with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Center for Internet Security to make knowledge about DMARC and how to implement it effectively more widely available. For instance, we offered a webinar on email security best practices to MS-ISAC members, and we contributed an article to CIS Quarterly’s September 2019 issue on how state governments can protect themselves against phishing.
Valimail is also committed to elevating the security of the email ecosystem as a whole, which is why we’ve devoted substantial time and resources to industry groups like M3AAWG (where we are on the board of directors and hold multiple chairmanships) and to supporting standards development, such as BIMI (we’re chair of the working group developing this standard), ARC (a standard we co-authored and championed), and DMARC 2.0 (we hold the position of secretary for the DMARC working group in the IETF).
Partially in response to these known vulnerabilities, DMARC enforcement was mandated by the Department of Homeland Security, through BOD 18-01, which proved massively effective in improving the federal government’s immunity to being spoofed. Federal domains went from less than 20% protected by DMARC to more than 80% protected by DMARC at enforcement in a little more than a year. This is far above average for most industries seeking to implement DMARC at enforcement. The government’s speed at implementing DMARC with enforcement is a testament to how quickly it can be accomplished when organizations are motivated, focused, and have the appropriate resources.
Political campaigns, after being nearly universally unprotected in 2018, have also made considerable progress: 14 out of the 18 current major-party candidates for President have DMARC records, and 5 have DMARC at enforcement.
State and local governments have not been so quick to move, however. This is due to a combination of factors, including lack of funding, lack of awareness, and the fact that these governments’ IT departments have a long list of priorities to tackle, of which email security is only one.
This problem is fixable. Pretending it doesn’t exist won’t make it go away. In fact, the Cybersecurity and Infrastructure Security Agency (CISA), a newly created organization within DHS, has issued guidelines on DMARC’s relevance to cybersecurity for state and local governments that state clearly the importance of DMARC enforcement.
We believe in this mission so much that we are offering our services at zero cost to qualifying boards of elections and national political campaigns. We can help state and local governments establish and manage their SPF, DKIM, and DMARC records with minimal management overhead, and we have the industry’s best track record at getting customers to DMARC enforcement.
If you are in (or work with) an election commission, board of elections, registrar of voters, or similar organization in state or local government, please get in touch and find out how we can help protect you from email spoofing that could lead to election compromise. Valimail is here to help.