Three years ago, Russian operatives spear phished the email account of Hillary Clinton's campaign chairman during the 2016 US presidential election. Even though that memory looms over candidates and the country, Agari analysis finds that 83 percent of the top candidates still have vulnerable email accounts—and even fewer have implemented the authentication necessary to prevent email impersonation. The blunt-force impact of campaigns not hardening their cybersecurity is severe: campaign impersonation, donor fraud, and worst of all, the possibility that it will be cybercriminals who decide the next President of the United States—not voters.
The weaponization of the email communication channel is one of the primary reasons I founded Agari, where our mission is to protect digital communications so that humanity prevails over evil. Nowhere is that mission needed more than in this upcoming presidential election.
To do our part to protect the integrity of the US presidential elections, Agari announced today we are making our next-generation Secure Email Cloud available to all presidential campaigns, regardless of party affiliation.
It's our way of ensuring candidates and their campaigns have the solutions they need to protect against sophisticated email attacks that can give hackers access to staff email messages and campaign strategies, or the ability to disseminate fake news. As it stands now the 83 percent of top candidates and their campaigns that remain unprotected can use our help.
2016 Redux—or Worse?
Little has changed since 2016. Russia’s intelligence services continue to target US government think tanks and NGOs in national security, defense, and foreign policy.
Meanwhile, campaigns continue to struggle with email security, primarily because very few candidates have dedicated staff or resources to implement the defenses this mission-critical communications channel requires. Today, over 90 percent of all presidential contenders rely on the security controls built into their email platforms—almost exclusively Gmail and Microsoft Office 365.
These controls are adept at ferreting out malicious links and malware, but they're powerless on their own against advanced phishing attacks that leverage personalized messages that are socially-engineered to manipulate recipients into revealing sensitive information or login credentials before thinking to confirm the email’s legitimacy.
A typical attack might involve an “urgent request” from a trusted advisor, supplier, or a senior campaign official asking the recipient to pay a vendor or forward confidential polling data or other sensitive information. The typical results can prove ruinous—derailing momentum and turning public opinion against the candidate. Fast-moving campaigns and their ad hoc ecosystems of advisors, pollsters, and policy analysts may prove easy targets for such attacks. And unfortunately, there's another email threat that could pose a far more grievous threat.
Presidential Imposters
Campaigns with domains that are unprotected by the email authentication protocol known as Domain-based Message Authentication, Reporting and Conformance (DMARC) could themselves be impersonated in phishing attacks targeting not their staff, but rather their most important outside constituents.
What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be ascribed to candidates?
And what happens when the negative publicity from phishing attacks leads constituents to avoid opening a campaign's legitimate email messages, including those focused on fundraising? With an average ROI of $38 for every $1 spent, email is the one digital channel no candidate can afford to see crippled. Yet only 11 of 12 Democratic and Republican candidates who top current polls have fully implemented DMARC at a reject policy to stop email-based impersonation attacks targeting their constituents.
While five candidates polling over 1% have implemented DMARC authentication at some level, four remain at a monitor-only policy—where email can still hit voter inboxes. Only one candidate, Massachusetts Senator Elizabeth Warren, has taken steps to ensure that fraudulent emails are rejected, meaning voters and potential donors should be wary of emails purporting to come from any other campaign.
Proven Protection from Email Attacks
When looking back at how Clinton campaign chair John Podesta fell victim to phishing emails that led to subsequent the release of sensitive information on WikiLeaks, it's hard for any American to feel anything but outrage.
Which is exactly why it's an honor to offer Agari’s next-generation Secure Email Cloud to any campaign that wants it. And should last week's news about FEC concerns that complementary cybersecurity services may violate campaign finance laws, we're happy to work with Congress, the FEC, or any governing authority to provide blanket protection against advanced email threats across the entire presidential field.
That's because Agari’s next-generation Secure Email Cloud can make the difference in thwarting spear phishing- and email-based identity deception attacks from malign actors out to undermine trust in our electoral process. In fact, two-thirds of the organizations that deploy Agari find that our solution combined with their cloud email provider's built-in security controls deliver everything they need to defeat and stay ahead of evolving phishing attacks that can impact their ability to execute on strategy.
The Agari solution suite has also been proven to reduce email-based impersonation scams from millions of attacks to near zero in a matter of weeks. It also automates incident response to help organizations detect and remediate breaches in mere minutes, before sensitive information can be exfiltrated. And our long history of protecting the Federal government includes keeping the Department of Treasury, the Department of Health and Human Services, the United States Postal Service, the US Senate, and other organizations safe from advanced, email-based attacks.
Given the threats our nation faces from spear phishing, brand impersonation, and other advanced email attacks, our goal isn't only to restore trust to inboxes. It's to help ensure trust in the 2020 elections.