In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign chairman John Podesta’s email account, email security has become a critical issue as the 2020 election cycle revs up.
It was only three years ago that Podesta was fooled by what appeared to be an “account alert” from his email provider, Google. The malicious link, and the resulting leak of damaging campaign emails on WikiLeaks, helped derail Clinton’s bid for the presidency.
Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security, primarily because very few candidates have dedicated staff or resources to implement critical email security defenses. The Department of Homeland Security offers training, but it tends to be designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that are just starting to rev up for the primaries.
In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders rely on the easily-bypassed security controls that are built into their email platforms—almost exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection, they are not enough to stop the advanced email attacks that are likely to target prominent candidates in the run-up to the election. Perhaps even more troubling, only one presidential candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email purporting to come from the campaign or the candidate themselves out of voter inboxes.
This information was collected on April 29, 2019. For an up-to-date status on top candidates, see agari.com/election2020.
To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials. But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a vendor or forward confidential polling data or campaign information. Fortunately, much of this can be stopped by advanced email security controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.
Despite the ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only 3% of the current crop of US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.
A vast majority of candidates are relying on the basic controls built into their cloud-based email platform. All this means is that these candidates are open to attack in the form of phishing and account takeovers—threats that could derail an entire campaign, smear a presidential candidate, and turn the wave of support against a leading presidential contender.
Of the candidates polling over 1%, according to data from Real Clear Politics, the situation is not much better. Only two candidates—Massachusetts Senator Elizabeth Warren and former Massachusetts Governor Bill Weld—have put an advanced security solution in place to protect their staff from the email threats that could cause major headaches should they be successful.
Even with heavy investments in security and employee phishing training, 96% of corporate data breaches begin with an email, and more than 4,000 records are stolen every single minute. With these numbers, imagine what these criminals could do to a presidential bid.
The rapidly-evolving nature of campaign operations and their ad hoc ecosystem of advisors, pollsters, policy analysts, and other members of a candidate’s braintrust make them easy targets for world-class hackers—both foreign and domestic. As the race heats up and the press focuses more on our top contenders, so will nation-state actors who want to target the 2020 election and the United States democracy.
And unfortunately, these are not the only types of email threats that candidates should fear.
In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies, government officials, citizens, media outlets, foreign allies, and more.
To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and presidential election campaigns.
Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so critical to campaign success.
What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and emailed to rival campaigns, the media, and key voters—including independents in battleground states?
And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s legitimate email messages, including those focused on fundraising? Because email marketing has an average ROI of $38 for every $1 spent, impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.
When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose as trusted brands or individuals—including political candidates and their campaigns.
In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% has DMARC records established for its domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and 92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.
Out of all candidates with polling averages above 1%, only five have DMARC records assigned to their domain. These include:
But only Warren has a p=reject policy to stop unauthenticated emails from being delivered. Because a DMARC record does not prevent illegitimate mail from entering the inbox until the policy is set to p=reject, every other major candidate is still vulnerable to email-based impersonation—including current President Trump.
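The difference between publishing a DMARC record and enforcing one can be checked mechanically. The following is an added example, not Agari's tooling or code from the original article: it parses DMARC TXT records and reports which domains fall short of the p=reject bar described above. The domains and records are constructed, and the `pct` check goes beyond the article (under RFC 7489, a `pct` below 100 applies the policy to only a share of failing mail).

```python
# Added example; the domains and TXT records below are constructed.
# In DNS, each record would be the TXT value published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "candidate-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@candidate-a.example;",
    "candidate-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@candidate-b.example",
    "candidate-c.example": "v=DMARC1; p=quarantine; pct=50",
    "candidate-d.example": "v=DMARC1; p=reject; pct=25",
    "candidate-e.example": "v=spf1 include:_spf.example ~all",  # SPF, not DMARC
    "candidate-f.example": None,                                # nothing published
}

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    # The version tag must come first and must be exactly v=DMARC1.
    if not pairs or pairs[0][0].strip().lower() != "v" or pairs[0][1].strip() != "DMARC1":
        return None
    tags = {}
    for key, value in pairs:
        tags.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    return tags

def enforcement(txt):
    """Classify a record: no-record, invalid, monitor-only, quarantine,
    partial-reject (p=reject with pct below 100) or reject."""
    if txt is None:
        return "no-record"
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower() if tags else ""
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"
    if policy == "quarantine":
        return "quarantine"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # a malformed pct falls back to the default of 100
    return "reject" if pct >= 100 else "partial-reject"

def unprotected(records):
    """Domains whose published policy is anything short of full p=reject."""
    return [d for d, txt in records.items() if enforcement(txt) != "reject"]

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:22} {enforcement(txt)}")
```
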
As such, voters should be wary of any email purporting to come from a candidate other than Elizabeth Warren. No other candidates have implemented the protocols necessary to keep fake email out of voter inboxes—a fact that should be remediated sooner rather than later to ensure voter trust throughout the election process.