


Contributing Writer

Presidential campaigns taking email security more seriously–not so much at the local level

Feb 10, 2020 | 5 mins
Communications Security, Critical Infrastructure, Security

DMARC now protects the email domains for most U.S. presidential candidates, according to a new report, but local election bodies lag behind and are vulnerable to spoofing.


The 2020 election season got off to what could be a record-setting rocky start with delays in the reporting of the Iowa caucus results due to a poorly developed app. The failure of the mobile IowaReporterApp developed for the Democratic party by a company called Shadow, Inc., followed by revelations that the app was riddled with security errors, fueled further the flames of anxiety about the security of 2020 voting and election systems. (To be clear, the IowaReporterApp was not a mobile voting app but merely a means of collecting and reporting the results of the individual caucuses.)

Against the spectacular failure of the Iowa caucus and as the Democrats head into tomorrow’s New Hampshire primary having ditched the Shadow app, there are some signs that election-related security is otherwise headed in the right direction. For the first time, the 2020 U.S. presidential election hit a milestone because more than half of the candidates for president have domains that are protected from spoofing, according to a just-released study by identity-based anti-phishing company Valimail.

Of the 14 candidates currently in the race (including Donald Trump but excluding Joe Walsh, who dropped out last week), eight are protected by Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies set to enforcement. DMARC is an email authentication, policy and reporting protocol that builds on two other widely deployed email security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), that give domain owners control over who can send as them.

This milestone is notable because, just last May, Valimail found that of the then-23 presidential candidates, only three were fully using DMARC, a finding consistent with the research of other organizations including the non-partisan Online Trust Alliance. “The major presidential campaigns are taking email security more seriously than they were a few months ago,” Seth Blank, vice president of standards and new technologies at Valimail, tells CSO. “DMARC and authentication are critical. It is the only way to guarantee that only your campaign can send an email to you.”

The following candidates’ email domains are protected by DMARC:

  • Joe Biden (D)
  • Mike Bloomberg (D)
  • Pete Buttigieg (D)
  • Tulsi Gabbard (D)
  • Amy Klobuchar (D)
  • Tom Steyer (D)
  • Elizabeth Warren (D)
  • Andrew Yang (D)

These candidates’ email domains are not protected by DMARC:

  • Michael Bennet (D)
  • Bill Weld (R)

Of the seven unprotected domains, four, including Democratic frontrunner Bernie Sanders, have configured DMARC into what is called monitor-only mode, which doesn’t enforce the DMARC specification and still allows messages to be delivered that appear to come from that campaign’s domain but which are not authorized by the campaign. The other two campaigns have no DMARC at all, leaving them utterly vulnerable to spoofing.

These campaigns use DMARC in monitor-only mode:

  • Donald Trump (R)
  • Bernie Sanders (D)
  • John Delaney (D)
  • Deval Patrick (D)

The campaigns that are using monitor-only mode or not using DMARC at all are at significant risk. “Every year, email is the number one vector for cyberattacks,” Blank says. “The most potent strategy is protecting your email via DMARC.”

Election email security lacking at local level

While the picture for email security at the presidential campaign level appears to be improving, at the local level, email security seems to be overlooked: 142 of 187 domains used by election officials in the three largest counties (or parishes) in every state don’t use DMARC at all. Of the remaining jurisdictions, 42 use monitor-only mode, and 11 use invalid DMARC, leaving only 5.3% of those local domains protected by DMARC, Valimail’s research shows.
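The four states the report distinguishes (no DMARC, monitor-only, invalid, enforcement) can be read off the TXT records published at `_dmarc.<domain>`. The following is an added example, not code from the article or from Valimail: the category names, the sample domains and records are constructed, and "enforcement" is assumed to mean `p=quarantine` or `p=reject` with any valid `pct` value.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; return None on a malformed tag."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            return None
        tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records found at _dmarc.<domain>."""
    # Only records that start with the version tag count as DMARC records.
    dmarc = [r.strip() for r in txt_records
             if r.strip().replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return "no-dmarc"
    if len(dmarc) > 1:
        return "invalid"        # receivers stop processing on multiple records
    tags = parse_tags(dmarc[0])
    if tags is None or tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"   # reports are sent, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    if policy in ENFORCING and pct.isdigit() and int(pct) <= 100:
        return "enforcement"
    return "invalid"            # missing/unknown p= value or malformed pct

# Constructed sample: domain -> TXT records at _dmarc.<domain> (not real data).
SAMPLE = {
    "campaign-a.example": ["v=DMARC1; p=reject; rua=mailto:d@campaign-a.example"],
    "campaign-b.example": ["v=DMARC1; p=none; rua=mailto:d@campaign-b.example"],
    "county-c.example":   [],
    "county-d.example":   ["v=DMARC1; p=rejct"],
    "county-e.example":   ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "county-f.example":   ["v=DMARC1; p=quarantine; pct=100;"],
}

def survey(domains):
    """Return per-category counts and the percentage of domains at enforcement."""
    counts = Counter(classify(r) for r in domains.values())
    return counts, round(100.0 * counts["enforcement"] / len(domains), 1)
```

In practice the record list for each domain would come from a DNS TXT lookup of `_dmarc.<domain>`; here it is passed in as strings so the classification can be checked offline.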

At the local level, the obstacle to adopting DMARC and other secure email technologies “appears to be awareness more than anything else,” Blank says. “There is an enormous amount of technology that exists [but local officials] don’t even know where to start and that there are tools that can help.”

Organizations such as the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) stand ready to help campaign officials learn what the best technologies are and how to deploy them. Last week the group issued summary guidance for what it calls “essential cybersecurity” for election officials. The three key technologies the M3AAWG advises campaigns to use are multi-factor authentication (MFA), email authentication and encryption.

The other key step election officials can take to protect themselves is to adopt the Department of Homeland Security’s (DHS’s) Binding Operational Directive 18-01, which directs federal agencies to take specific steps to improve their email and web security by implementing DMARC, the STARTTLS command and HTTPS encryption. “After DHS put that out, the government went from incredibly poor adoption to incredibly good adoption” of email security practices, Blank says.

DHS has become a leader in helping federal organizations adopt better security practices and, since 2017, has also supported state and local officials in their efforts to secure online assets. Last week, the General Accountability Office (GAO) released a report criticizing the DHS’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency (CISA), for not yet completing its strategic and operations plans to help state and local officials safeguard the 2020 elections.

CISA has funded the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), which, according to the GAO report, has helped ten states and five local election jurisdictions assess their susceptibility to malicious emails. Blank thinks that DHS should push state and local officials to comply with DHS 18-01.

In response to the GAO report, a DHS spokesperson tells CSO that “for three years, we’ve been building partnerships, providing support and services including penetration testing, phishing assessments and preparedness exercises to state and local officials charged with securing our election infrastructure. As primary season begins and the 2020 election season gets underway, we are prepared and ready to support our partners across the election community.”

In the meantime, email is one of the weakest links in election and campaign security, Blank says. “There are known things to protect your security, and everyone must be doing them,” he says.