With 100 days to go before November’s presidential election, the Office of the Director of National Intelligence (ODNI) issued a warning that Russia, China, and Iran were all likely to interfere, and intelligence officials doubled down, warning that foreign hackers were already probing U.S. voting systems. While not surprising following the high-profile hack of Hillary Clinton’s emails by the Russians in 2016, it is alarming nonetheless.
In addition, the voter fraud debacle of the 2020 election still haunts the political landscape and U.S. citizens’ consciousness even today. When it comes to the principles of our country and government, integrity is so important – it’s our way of ensuring that candidates and their campaigns have the solutions they need to protect against sophisticated email attacks that can give hackers access to staff email messages and campaign strategies, or the ability to disseminate fake news.
Cybersecurity evangelists continue to sound the horn about the rate at which data breaches and email attacks plague all sectors across all countries of the world. The blunt-force impact of campaigns not hardening their cybersecurity can be severe: campaign impersonation, donation scams and fraud, and, worst of all, the possibility that it will be cybercriminals, not voters, who decide the next President of the United States. But are presidential campaign heads and security teams doing enough?
Unfortunately, as the presidential campaign season drags on, it seems little has changed since those two prior elections. After the ODNI issued its announcement in late July, Mark Montgomery, Senior Director at the Foundation for the Defense of Democracies, echoed that Russia, China, and Iran were “. . . actively working to destabilize the U.S. election process through cyber malicious activity.” He continued, “Their ultimate aim is to undermine the American public’s trust in the democratic process, and a hack like this serves exactly this purpose.”
2016 & 2020 Redux or Worse?
Political campaigns remain largely unprepared, primarily because very few candidates have dedicated staff or resources to implement the defenses this mission-critical communications channel requires. On top of that, campaigns are short-lived and span a wide attack surface: multiple volunteer centers, varying IT infrastructure that logs into centralized National Convention websites, myriad remote devices in different locations, and ad hoc ecosystems of advisors, pollsters, and analysts.
This is what makes political campaigns the perfect target for supply chain attacks and phishing ploys that leverage personalized messages socially engineered to manipulate recipients into revealing sensitive information or login credentials before thinking to confirm the email’s legitimacy.
The majority of presidential campaigns rely solely on the security controls built into their email platforms—almost exclusively Google Workspace (Gmail) and Microsoft Office 365 (Outlook). While these off-the-shelf email security packages are quick and easy to run and their inherent controls are adept at ferreting out malicious links and malware, they are still not as robust in protecting against advanced phishing attacks like Business Email Compromise (BEC), spear phishing, and more.
Politicking & Mimicking
Campaigns with domains that are unprotected by the email authentication protocol known as Domain-based Message Authentication, Reporting and Conformance (DMARC) could themselves be impersonated in phishing attacks targeting not their staff, but rather their most important outside constituents. So, what happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be ascribed to candidates?
And what to do when the negative publicity from phishing attacks leads constituents to avoid opening a campaign's legitimate email messages, including those focused on fundraising? With an average ROI of $40 for every $1 spent, email is the one digital channel no candidate can afford to see crippled.
Yet, according to legal services provider LLCBuddy, as of June 2024, 20.3% of 21,075 commercial and governmental domains had DMARC policies set up. And the legislative and judicial branches of the federal government were seriously falling behind with DMARC adoption, with just 17.3% and 13% of their domains, respectively, implementing DMARC standards to block fake or spoofed emails.
Proven Protection from Email Surreptition
Falling victim to phishing emails is an inevitability not reserved for employees and civilians alone; phishing can dupe unsuspecting high-ranking government officials too. Just this past August, former President Donald Trump’s campaign reported that some of its internal communications had been hacked by “foreign sources hostile to the United States. . .” – specifically, by a threat actor writing from an AOL email account who identified himself as “Robert”.
Following this, Trump’s campaign spokesperson, Steven Cheung, corroborated the claim by issuing this response: “These documents were obtained illegally from foreign sources hostile to the United States, intended to interfere with the 2024 election and sow chaos throughout our Democratic process.” He also cited a Microsoft report stating that an Iranian group affiliated with the Islamic Revolutionary Guard Corps, or IRGC, “sent a spear phishing email in June [2024] to a high-ranking official on a presidential campaign, which coincides with the close timing of President Trump’s selection of a vice presidential nominee.”
Examples like this – and a deluge of similar schemes received by enterprises too – underscore why augmenting your cloud email provider's built-in security controls with Fortra’s Email Security solutions, like Cloud Email Protection, is requisite. They can deliver everything organizations need to defeat and stay ahead of evolving phishing attacks, which have the ability to impede their strategy execution and subtract from their bottom line. This includes spear phishing attacks and impersonation attempts from malign actors that undermine trust in our electoral process.
The Fortra Email Security solution suite has also been proven to reduce email-based impersonation ploys from millions of attacks to near zero in a matter of weeks. It also automates incident triage and response to help organizations detect and remediate breaches in mere minutes, before sensitive information can be exfiltrated. And our long history of protecting the government includes keeping the Department of Health and Human Services, the United States Postal Service, and other federal agencies safe from advanced, email-based attacks and data breaches.
Given the threats our nation faces from spear phishing, brand impersonation, advanced email attacks and more, our goal isn't only to restore trust to inboxes; it's to help ensure trust in the 2024 election.