Election security’s weakest link: Email
As the country dives into the 2020 election season, it’s worth taking a look at how things are progressing. The Senate Intelligence Committee recently released a detailed report on the state of election security in the 2016 U.S. presidential election, and Valimail’s data on both state and local governments and 2020 presidential candidates reveals much about the critical area of email security and the role of phishing attacks in this area.
While voting machines can’t be targeted by spear phishing attacks, election officials can be. And by compromising officials’ accounts or computers, attackers might be able to tamper with the machines that manage voter rolls (the lists of who is allowed to vote).
It is well-known now that Russian state actors sent spear phishing emails to election officials in Florida with this exact purpose in mind. In fact, these attacks put the Russians in a position to change voter rolls in 2016.
Spoofing sender identity
Those emails, like more than 80% of all spear phishing attacks, were brand impersonations — in the Russian case, impersonations of a trusted vendor of electronic election systems. In other cases, spear phishers may impersonate a bank, a contractor, a political campaign, or even a government agency.
Spear phishers use impersonation because it’s so easy and so effective: Usually, there is no restriction on what they can put in the “From” field of the messages they send.
Authenticating email with a technology known as DMARC lets domain owners lock down use of their domains and cut off one very significant type of impersonation: when attackers put the exact domain they are impersonating in the “From” field.
With a DMARC record published for the domain and its policy set to enforcement, inboxes that perform DMARC checks — which is almost all of them worldwide — will reject or quarantine (move to a spam folder) any such message from a sender the domain owner has not authorized. That eliminates the most convincing, and hardest to detect, form of email sender impersonation.
Government and campaign vulnerabilities
Unfortunately, both elections and presidential campaigns remain vulnerable to such attacks.
Data from Valimail’s most recent research report on state and local government shows that only 1.3% of state and local domains (and only three of the U.S. states’ primary .gov and .us domains) are protected against impersonation, leaving the majority of America’s municipalities vulnerable to being spoofed.
Not that it’s all doom and gloom. Our analysis of state and local government domains shows that there’s been a significant uptick in the use of DMARC in the past year: 76% more domains have a DMARC record of any kind, and 171% more have DMARC at enforcement.
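To make the distinction between “a DMARC record of any kind” and “DMARC at enforcement” concrete, here is an added example (not Valimail’s code or tooling) that parses a _dmarc TXT record and classifies it. It goes slightly beyond the text by flagging two ways a quarantine/reject policy can still leave gaps, a pct value below 100 and an sp=none subdomain policy; the sample records are constructed.

```python
# Tag names and defaults follow RFC 7489 (DMARC), section 6.3.
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}

def parse_dmarc(record):
    """Split a _dmarc TXT record into a tag -> value dict; None if it is
    not a DMARC record (e.g. an SPF record mistakenly published at _dmarc)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None  # p is mandatory; anything else is not a usable policy
    return tags

def classify_dmarc(record):
    """Bucket a record the way the report's two counts do:
    "none"        - no valid DMARC record
    "monitoring"  - record exists but p=none, so nothing is blocked
    "partial"     - quarantine/reject only for a pct sample or not for subdomains
    "enforcement" - quarantine/reject for all mail, subdomains included"""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0  # malformed pct: treat as not enforced
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100 or sub_policy not in ENFORCING:
        return "partial"
    return "enforcement"

# Constructed sample records, not taken from any real domain.
SAMPLE = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov",
    "v=DMARC1; p=quarantine; pct=20",
    "v=DMARC1; p=reject; sp=none",
    "v=spf1 include:_spf.example.com -all",
]
```

Only the last two buckets block anything; a p=none record counts as “a DMARC record of any kind” but offers no protection against exact-domain spoofing.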
Progress on the campaign side has been even more striking, as the majority of the 23 major candidates’ domains have implemented DMARC. But that is just a start, since only three of these domains are actually protected: those of the Elizabeth Warren, Joe Biden, and Tulsi Gabbard campaigns. The majority of the campaigns can still be impersonated.
While the numbers have increased since our initial reports on the state/local situation and the presidential campaigns, there is still an enormous opportunity for these entities to protect themselves against identity-based email attacks by using DMARC.
Additionally, with the rise of identity-based email attacks driving ransomware in the public sector, DMARC protection can drive down the risks and associated taxpayer costs spent on ransomware and other losses.
While state and local governments face additional challenges due to the high number of subdomains that many of them use, the benefits will continue to outweigh the required effort. And for presidential campaigns, it could spell the difference between trust and failure.
For more details, download our latest report on the state of state and local email.