Email is being “significantly overlooked” as threat vector in securing election infrastructure, a recent report said.
While voting officials such as county auditors, clerks, or boards of elections regularly communicate with the public via email and real-time election results are sent to the media by email, in many states and counties in the U.S. it is highly vulnerable to cyber attacks, according to a study by the San Franciso-based Valimail. The software company makes an automated cybersecurity solution that blocks phishing emails and protects against business email compromise.
Valimail's research linchpins on DMARC technology (Domain-based Message Authentication, Reporting & Conformance) status for each of 187 domains used by election officials in the three largest counties or parishes for all 50 states. A correctly configured DMARC record with a policy of enforcement determines the authenticity of an email, wrote Seth Blank, Valimail’s industry initiatives director, in a blog post. Hackers are less likely to go after a brand with a DMARC record, he said.
“A DMARC enforcement policy prevents unauthorized senders from using the domain in the “From” field of their messages, cutting off one of the most devious impersonation vectors used by attackers,” Blank wrote.
Here’s what Valimail found:
- 124 of the 187 domains (66%) have no DMARC records.
- Of the 63 domains with DMARC, 11 are incorrectly configured, 42 domains (23%) are correctly configured but not at enforcement, and just 10 domains (5%) are correctly configured and at enforcement.
- By comparison, nearly 80% of the federal government’s domains are protected from impersonation, according to Valimail’s latest quarterly research.
The 10 domains protected from exact-domain impersonation attacks:
- St. Louis County County, Missouri
- Jefferson County, Colorado
- Clackamas County, Oregon
- Hartford County, Connecticut
- Lyon County, Nevada
- Kanawha County, West Virginia
- Mecklenburg County, North Carolina
- Clackamas County, Oregon
- Hamilton County, Ohio
- Washington County, Rhode Island
The data showed that six so-called swing states have a complete lack of protection among their three largest counties:
- Arizona
- Florida
- North Carolina
- Pennsylvania
- Michigan
- Wisconsin
While the absence of DMARC enforcement at the state and local levels is but one vulnerability in U.S. election infrastructure, it’s still a significant opening for hackers, Blank said. A spoofed email impersonating an election official could spread voter disinformation, misdirect voters, suppress the vote or infect government networks with malware, according to Blank. “While there are other types of impersonation, exact-domain impersonation (putting the exact domain of a spoofed organization into the “From” field of a phishing email) is particularly difficult for email recipients to detect and often go uncaught even by many email security solutions,” he wrote.
Valimail is urging all state and local election officials to configure their domains with DMARC at enforcement, Blank said, calling the move “both feasible and effective.” A notable barrier is a lack of government funding to underwrite improving email security. For example, while the federal government under the Help America Vote Act (HAVA) disbursed nearly $400 million in 2018, none of it has been used to improve email security. According to Valimail, the email domains evaluated in the four states receiving the largest grants under HAVA -- California, Texas, Florida, and New York, each of which has received more than $20 million -- are not protected.
“The low rates of state and local deployment of this open standard is a clear warning sign that best practices to protect democracy are missing in many key places,” Blank wrote. “It is time to direct funding toward implementing such best practices, with DMARC at the top of the list, across state and local infrastructure,” he said.
