Like most Americans, we’ve been dismayed by the recent attacks on our country’s election infrastructure.
Since 2016, hackers have targeted Democratic and Republican candidates alike, as well as think tanks and large-scale organizations such as the Democratic National Committee. They've tried to hack election systems in various states. Such attacks have intensified in 2018, as we approach the midterm elections. And it is likely that there are significant attacks that have gone unreported in the press.
Fortunately, it appears that none of the attacks have succeeded in disrupting an election or destroying public confidence in the integrity of the elections. But that is a risk we cannot continue to take.
What many of these attacks have in common is email — specifically, fake email. Attackers send spear phishing messages to individual targets, and in almost every case, the attackers make those messages appear as if they come from a trusted sender, such as a coworker, an executive, or a partner organization.
In one case, which came to light last year, we learned that hackers from Russia targeted election officials by posing as an election systems vendor.
Valimail has the ability to stop the most pernicious and hardest-to-detect form of fake email attack: exact-domain impersonation. So we decided this week that we could no longer stand idly by. We are offering our Valimail Enforce service, for free, to any major-party midterm election campaign, state Board of Elections, or election systems vendor.
With Valimail’s ability to deploy DMARC and get it to a policy of enforcement quickly — often as fast as a week or two — we are confident we can quickly prevent hackers and fraudsters from impersonating any election organization’s domain. We can also ensure that trusted third-party senders — and only those trusted and designated by the election organization — will be able to send on an organization’s behalf, improving deliverability and stopping fakes. We are also FedRAMP Authorized, meaning we meet the stringent criteria required by the U.S. federal government for cloud services. And we are SOC 2 Type 2 certified and Privacy Shield certified, so campaigns and election officials can be confident that our system is secure and safe from disruption.
The Valimail Enforce service will remain free of charge for these critical election organizations through the 2018 elections, and through the 2020 Presidential elections for the DNC and RNC.
Stopping fake email is not the only thing that needs to be done in order to protect the integrity of the U.S. election system. But it’s a critical step, and we are pleased to help U.S. election organizations take care of it.
Our official press release follows.
Valimail Declares War on Fake Emails in U.S. Politics
FedRAMP-Authorized Valimail Platform Now Available Pro-Bono to Critical Midterm Elections Infrastructure, Political Parties, and Campaigns
SAN FRANCISCO, August 29, 2018 — Valimail, the world's only provider of fully automated email authentication, announced today that it will provide its email anti-fraud service free of charge to any major-party U.S. election campaign, State Board of Elections, or voting system vendor.
“Bad actors are trying to disrupt our elections and sow chaos in our democracy. They are targeting email because it is one of the weakest points in digital communications,” said Alexander García-Tobar, the CEO and co-founder of Valimail. “The upshot is that the public can’t trust whether an email comes from a legitimate campaign or some Russian hacker. Worse, these fake emails are a major tool for hackers to compromise campaigns’ digital networks, voter databases, and even election commissions around the country.”
Spear phishing emails have been a major vector of election interference from the 2016 presidential election through the current midterm election cycle, with recent attacks directed at Republican and Democratic candidates alike.
As with corporate cyber-attacks, most attackers targeting election officials or campaigns begin their attacks with fake emails. Such messages, which appear to come from a trusted coworker or organization, are the easiest and most effective way to execute a social engineering campaign that subsequently leads to account compromise, malware installation, or fraudulent bank transfers. Over 90 percent of cyber-attacks begin with spear phishing, and two-thirds of spear phish use fake “From:” addresses. At least 6.4 billion fake email messages like these are sent every day, Valimail research shows.
The Valimail Enforce service will be free through the November 2018 midterm elections for any U.S. campaign for congressional, Senate, gubernatorial, or statewide office, provided that the candidate is the designated Republican or Democratic nominee.
The service will also be available for free through 2018 for any state Board of Elections and for any vendor of election systems (such as voting machines, electronic pollbooks, and vote tabulators).
Valimail is also offering fraud protection through Valimail Enforce to the Democratic National Committee and Republican National Committee, free of charge through the November 2020 Presidential election.
Valimail Enforce, the only FedRAMP-Authorized email anti-impersonation service, prevents this type of impersonation by ensuring that only authorized senders can use a campaign’s domain name in their email messages. With Valimail Enforce in place and configured to an enforcement policy, fraudsters trying to trick people won’t be able to impersonate campaigns.
“These rampant fake email attacks are a threat to the democracy we live in and love,” said García-Tobar. “They are also preventable. It’s time to put a stop to these offensive attempts to derail American democracy.”
In addition to FedRAMP Authorization, Valimail Enforce is also SOC 2 Type 2 compliant and Privacy Shield certified, giving customers and campaigns assurance that the service is hardened against attack and built for stability, security, and reliability. The Valimail service provides 5 nines of availability. In addition, Valimail is the only email anti-impersonation solution that does not utilize any personally identifiable information (PII), such as the contents of email messages.
To enroll in Valimail’s free domain protection service, campaigns should contact firstname.lastname@example.org.