Labor Day is unofficially known as the start of election season in the United States. While, of course, the cycle has seemed to be in full swing for over a year, now is the time when elections have moved to the central spotlight and all-consuming in the news cycle.

One important and top-of-mind matter is election security, from hacking to mail-in ballots to disinformation and voting machine integrity. Yet, it’s clear that our election system’s security posture is not where it should be.

This election season is expected to be as ugly, if not uglier, than 2016 and one loaded with controversy. In an era where opinions are formed in the digital space, bad actors are ready to use social media, fraudulent emails, and creative strategies to incite chaos or sway political opinions.

Presidential candidates, campaigns, voting officials, secretaries of state, donors and the general voting public must all be on guard as election day approaches.

Election Meddling Expected in 2020

The last presidential election was a wakeup call to the realities of how at risk our elections infrastructure is to cyberattack.

In 2016, the Democratic National Committee email leaks started in March 2016 when John Podesta, former White House Chief of Staff and Chair of Hillary Clinton’s presidential campaign, had his personal Gmail account compromised in a spear-phishing attack. A fraudulent email that appeared as a Google security alert contained a misleading link and directed Podesta to a fake login page to enter his Gmail credentials. From there, hackers were able to open the doors to nearly 20,000 pages of emails that were later secured and released by WikiLeaks, which many political observers believe had an impact on the Presidential results.

Attacks like this now happen every day in business, which we seemingly chalk up to another day, another spoofing or BEC attack. Increasingly, this cynicism is entering into our democracy, as far too many threat actors - both foreign and domestic - think it is either appropriate or advantageous to use digital trickery to influence an election. Morals, ethics, values and laws, be damned.
However, what’s most different now than four years ago is the mainstream awareness that elections are vulnerable to cyberattacks. But while the elevated awareness is helpful at reducing some risk, the absence of a well-funded national strategy composed of both human and advanced technical controls means that the U.S. response has not met the magnitude of the threat. As evidence, a recent survey by ProPublica published just before the 2018 midterm election found a third of counties overseeing toss-up congressional elections have email systems that could be vulnerable to hacking.

Email Remains a Prime Vulnerability

Email remains the primary vector for 90% of all cyberattacks and the main risk heading into the election season. And while most political campaigns are more aware of the risks represented by email borne attacks, they still lack the proper email security protocols to defend against today’s most common email threats. In fact, local, state and federal campaigns, secretaries of state offices and the ordinary voter continue to be susceptible to the same type of social engineering message that victimized Hillary Clinton campaign chairman John Podesta back in 2016. The only difference is that such messages have become even more difficult to identify and can easily defeat common email security controls.

Socially engineered spear phishing attacks remain the most effective way to breach an inbox. These emails are customized and targeted to specific individuals with the intent of inducing them to disclose their account credentials or click on a malicious link, and they often look so authentic that even trained security personnel cannot identify them. To make matters worse, it takes only one compromised administrator account to open an entire voter registration system to attack.

Remarkably in 2020, the vast majority of campaigns and government agencies involved in elections have chosen to put their email security in the hands of either secure email gateways, the DMARC authentication protocol and greater phishing awareness training, or a combination thereof. This strategy is akin to fighting a five-alarm fire with just one fire truck. While it can handle some of the flames, the fire will keep burning until greater reinforcements are brought in.

Defending Email in the 2020 Election

The reality is that today’s email phishing threats are extremely sophisticated - many of which are purposefully built without payloads (attachments, URLs, etc.) so to defeat all of the most common technical controls and the human eye. Further, all of the technical controls are focused primarily on sender identification or the “who” is sending the email. While this is important, spoofing the “who” to make it appear legitimate is easier than ever.

Thus, much like businesses, the election ecosystem requires advanced email security measures that seek to uncover the intent and content of messages as much as the sender. To do so requires email security with a mix of AI, computer vision and natural language processing to help discover and analyze both visual and contextual anomalies, such as altered logos and calls-to-action, that could easily prompt deception.

It’s important to know that adopting such technology doesn’t have to be a daunting and expensive task for campaigns and government agencies. In fact, such email security is often available at similar price points to legacy tools -- we simply need to make it more well known that such options exist, can be easily implemented and won’t require massive security teams to implement.

In 2020, relying on DMARC or Office 365 ATP or a session or two of phishing awareness training isn’t enough to significantly reduce risk. Far too many bad actors want to see chaos and disruption tear this country apart. Stronger email security can prevent this from happening, and it’s not too late to begin bolstering your mailbox protections today.

In addition, coming together and sharing intelligence, such as attacks or threats, with each other – even between rivals – campaigns will be better positioned to prevent another embarrassing and distracting breach. If we can’t learn from the powerful examples set in the 2016 presidential elections and learn how to address the threats, there’s a good chance we’ll repeat them again in 2020.

Now more than ever, the entire election ecosystem must come together to preserve our democracy. And it all begins by preventing deceptive email attacks.

To learn more about how IRONSCALES self-learning email security platform provides mailbox-level BEC protection & anomaly detection, visit IRONSCALES BEC Protection.

Eyal Benishti
Post by Eyal Benishti
September 9, 2020