Email Voted a Weak Link for Election Security, with DMARC Lagging


Most counties are not protected from impersonation-based spearphishing attacks.

As the 2020 Presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. In a recent analysis, researchers found that email remains a potential weak link, with most counties failing to implement DMARC protections.

DMARC (which stands for Domain-based Message Authentication, Reporting and Conformance) is an industry standard that flags messages where the “from” field in an email header has been tampered with. It ensures emails are authenticated before they reach users’ mailboxes and confirms that they have been sent from legitimate sources. If configured correctly, potential phishing emails can be stopped at the gateway, or redirected to the junk folder.

DMARC policies are designed to be incremental, from a simple reporting-only system to a strict policy where messages failing authentication are rejected without being delivered or seen by the intended recipient.

According to Valimail, only 5 percent of the country’s largest counties are using DMARC correctly. The firm analyzed the 187 domains used by election officials in the three largest counties (or parishes) for every state in the U.S., to determine whether each domain is protected from impersonation attacks by a correctly configured DMARC record with a policy of enforcement (p=quarantine or p=reject).

A full 124 of these domains (66 percent) have no DMARC records, while 34 percent (63 domains) do have DMARC. Of those with DMARC, 11 domains (6 percent of the overall total) are incorrectly configured, 42 domains (23 percent) are correctly configured but not at enforcement, and just 10 domains (5 percent) are correctly configured and at enforcement. That leaves only 10 that are protected from exact-domain impersonation attacks.
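The four buckets in that breakdown can be reproduced from the TXT records published at `_dmarc.<domain>`. The following Python sketch is an added example, not Valimail's methodology or code; the sample records and `.example` domains are constructed. It assumes that "incorrectly configured" means a malformed version tag, a missing or invalid `p=` value, or more than one DMARC record at the name.

```python
import re

# The version tag must come first and is case-sensitive (RFC 7489).
VERSION_RE = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")
POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}  # the article's "policy of enforcement"

def parse_tags(record):
    """Split 'name=value; name=value' into a dict; None if a tag is malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """txt_records: TXT strings found at _dmarc.<domain> (empty list if none)."""
    # Anything that looks like an attempt at a DMARC record counts as one.
    attempts = [t for t in txt_records
                if re.sub(r"\s+", "", t).lower().startswith("v=dmarc")]
    if not attempts:
        return "no_record"
    # Receivers ignore the policy when several DMARC records are published.
    if len(attempts) > 1 or not VERSION_RE.match(attempts[0]):
        return "misconfigured"
    policy = (parse_tags(attempts[0]) or {}).get("p", "").lower()
    if policy not in POLICIES:
        return "misconfigured"  # assumption: missing or invalid p= is an error
    return "enforced" if policy in ENFORCING else "not_enforced"

SAMPLES = {  # constructed records for placeholder domains
    "county-a.example": [],
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-b.example"],
    "county-c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@county-c.example"],
    "county-d.example": ["v=DMARC1; p=quarantine"],
    "county-e.example": ["v=DMARC1; p=rejected"],                    # invalid policy
    "county-f.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicate records
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
```

Only the `enforced` bucket corresponds to the 10 domains the analysis counts as protected from exact-domain impersonation; a `p=none` record reports on failures but does not stop delivery.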

“This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails,” said Seth Blank, director of industry initiatives at Valimail, in a posting this week. “In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy — free and fair elections — is at stake.”

The concerns are not just theoretical: spearphishing, for instance, was the vector by which the Democratic National Committee’s email system was compromised in 2016. And the Louisiana state government’s computers were taken offline recently by a ransomware attack that most likely originated with a spearphishing email message.

The ripple effects of these attacks can be significant. Blank noted that while most voting machines are air-gapped for security, the electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the internet.

“An attacker might send an email to an election official that spoofed the identity of a voting machine vendor and posing as an ‘urgent software update’ that they needed to install,” Blank explained. “[Also], it does not require a stretch to imagine attackers impersonating election officials via spoofed domains in order to spread disinformation, conduct voter misdirection or vote-suppression campaigns, or even to inject malware into government networks.”

Disturbingly, six swing states (Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin) have a complete lack of protection among their three largest counties, Valimail found.

Blank noted that states can direct funding toward implementing DMARC across state and local infrastructure. That’s thanks to the Help America Vote Act (HAVA), which disbursed nearly $400 million in federal funding for election security last year.

“The lack of DMARC enforcement at the state and local levels is of course not the only vulnerability in U.S. election infrastructure,” he noted. “However, it is a very serious one.”
