• by Ray Schultz , Columnist, December 5, 2019

The U.S. could be careening toward a 2020 election disaster.

Only 5% of the nation’s largest counties now protect election officials from email impersonation, according to a new Valimail study.

The remaining counties are “vulnerable to impersonation, meaning their domains could become the unwitting vectors for cyberattacks and misinformation campaigns,” writes Seth Blank, director of industry initiatives for Valimail.

Blank notes that spear phishing played a role in the 2016 election as the vector by which the Democratic National Committee’s email system was compromised.

Moreover, spear-phishing attacks targeted election officials in Florida during the 2018 election season. However, there is no proof that this affected the election results.

 “In the corporate world, these cyberattacks result in the loss of funds or proprietary data,” Blank writes. “But when it comes to elections, the bedrock of democracy -- free and fair elections -- is at stake.” 

Valimail analyzed the 187 domains used by election officials in the three largest counties (or parishes) for every state in the U.S.

It determined that 124 of these domains--66%--have no DMARC (Domain-based Message Authentication, Reporting, and Conformance) records.

The remaining 63 domains do have DMARC. But 11 of those domains are incorrectly configured, and 42, while correctly configured, are not at the enforcement level.

In the end, only 10 domains are protected from impersonation. They are:

• St. Louis County County, Missouri  
• Jefferson County, Colorado
• Clackamas County, Oregon
• Hartford County, Connecticut 
• Lyon County, Nevada
• Kanawha County, West Virginia
• Mecklenburg County, North Carolina
• Clackamas County, Oregon
• Hamilton County, Ohio
• Washington County, Rhode Island

Good for them, but it’s a sad commentary on our election preparedness that only 10 counties are fully protected.  

Worse, six swing states have “a complete lack of protection” among their three largest counties, Blank says: Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin.

What’s the possible harm? For one thing, “an attacker might send an email to an election official that spoofed the identity of a voting machine vendor and posing as an “urgent software update” that they needed to install,” Blank continues.

For another, “malware could be delivered via spear-phishing emails that, if clicked on, would shut down the county’s network and disrupt the smooth functioning of an election,” he adds.

Blank notes that the Louisiana state government’s computers were taken offline during a recent election week by a ransomware attack. This probably originated with a spear-phishing email message

Help is available — through funding provided through the Help America Vote Act (HAVA).

But Blank argues that “while HAVA disbursed nearly $400 million in 2018, it has not been used to improve email security.”

He explains that the email domains evaluated in the four states receiving the largest HAVA grants, more than $20 million apiece — California, Texas, Florida, and New York, which each received more than $20M — are not protected.