As Election Day looms, federal officials, private companies, and information security experts are urging voters to be on guard for misleading information, especially from sites like Facebook, YouTube, and Twitter, where viral information can whipsaw across the country in the blink of an eye.
But one disinformation vector may be hiding in plain sight: email.
A report released late last month by Valimail, an email security vendor, warns that the vast majority of political action committees, states, counties, and election systems vendors have failed to implement a basic email security protocol known as DMARC, or Domain-based Message Authentication, Reporting and Conformance. DMARC is deployed at just 7% of the largest counties’ domains, 3.3% of states’ domains, 12% of those of election systems vendors and 15% of those of campaigns and political action committees, according to the report.
The findings suggest it would be easy for malicious actors to send emails that employ direct-domain spoofing, a technique where hackers modify an email header so that it appears to come from a known domain—and in this case, one with identifiable links to the election. That could make it easier for them to launch phishing attacks and mass mailing disinformation campaigns.
While DMARC is recognized as an industry standard, it requires technical savvy to implement and it can mistakenly block legitimate email, which makes many IT administrators skittish about deploying it, said Dylan Tweney, author of the Valimail report.
“Campaigns and state and local government have a lot of IT and security priorities. Often, implementing email authentication isn’t one of them,” said Tweney. “It doesn’t tend to achieve a greater risk recognition until it causes problems for them. And even if they have implemented it, it can prove challenging for IT.”
The entities singled out in the Valimail report also face a basic problem of misaligned incentives. The benefits of DMARC largely accrue to third parties, not the domain that expends resources to implement it.
That is why it is important for governments or third parties to ensure that these entities implement public-interest security measures, said Megan Stifel, Executive Director, Americas, at the Global Cyber Alliance, a non-profit that offers free DMARC training to governments, non-profits, journalists, and law enforcement. (Disclosure: The author assists GCA part-time on research projects).
“DMARC implementation takes time and competence,” said Stifel, who cited resource constraints as another big obstacle for local entities supporting elections. “With something known to be as effective as DMARC, it would make sense for Congress to give money and constrain its use to only DMARC implementation.”
Stifel suggested that vendors that help organizations implement DMARC should in turn offer free or discounted services to public-interest organizations.
Government policy has proven effective when it comes to DMARC deployment. In 2017, the Department of Homeland Security mandated that federal agencies adopt DMARC. The order rapidly expanded DMARC usage across federal email domains, which had previously been low.
The order did not extend beyond the federal government. Nonetheless, DHS’s Cybersecurity and Infrastructure Security Agency regularly encourages state and local election officials to employ DMARC. For the 2020 election, it also maintains a “Rumor Control” page that explicitly warns of the risk of email-based disinformation. CISA, which is tasked in part with securing elections and was formed after the 2016 election, did not respond to a request for comment.
Email-based disinformation threats have received more attention since the U.S. government outed an Iranian-backed email campaign that impersonated The Proud Boys. Shortly thereafter, The Wall Street Journal found that local election officials had been targeted by an opaque email-based disinformation campaign.
Yet, the Valimail report underscores a distinct threat, even if the overall pattern of email abuse is well-known. One scenario involves the use of email-based disinformation to target voters as the clock winds down on Election Day.
When combined with other databases, bad actors could use spoofed email to spread confusion in swing districts with last-minute information about polling sites, voting hours, or the candidates.
Direct-domain spoofs could prove especially disorienting because most anti-disinformation guidance urges voters to trust known sources. If timed properly, it would be difficult for election officials to reassure voters before the polls close.
In the longer term, that type of campaign could also play up the perception that the election had been compromised, even if it had little material effect.
Existing email filters could block some of the emails, said Tweney, but a large percentage would get through because email security filters are trained to identify suspicious links or attachments.
A purely text-based email campaign, by contrast, would have an easier time slipping by.
Tweney told The Record that it was unrealistic for the entities surveyed by Valimail to update their email security before Election Day, but he stressed it was important to shed light on this issue for future elections. In the interim, Americans will have to be on guard for misleading information in their inboxes, he said.
According to Rita Reynolds, the Chief Technology Officer for the National Association of Counties (NACo), U.S. counties are better prepared to deal with Election Day disinformation threats than four years ago. In addition to other cyber-security best practices, they regularly exchange information through NACo’s Tech Xchange. Most counties have also taken advantage of the support offered by the Multi-State and Elections Information and Analysis Center.
“While no county can ever say they are 100% cyber proof, counties are definitely in a better place security-wise than they were four years ago,” said Reynolds.