U.S. Election Administrators Failed to Implement Phishing Protections: Study

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals.

Phishing, a type of cyber-attack where the victim is tricked into performing an action that eventually results in malware infection, data loss, or theft of credentials or money, has reportedly been involved in over ninety percent of the data breaches worldwide.

The U.S. elections have been targeted by phishing as well, with examples including attacks against election-sensitive organizations in 2016 and 2018, and phishing attempts targeting the current 2020 election cycle.

Looking to evaluate the email protections and controls that election administrators have implemented, Area 1 Security has analyzed 10,000 state and local election administrators’ susceptibility to phishing, and it has discovered that more than half of them use rudimentary or non-standard technologies for phishing protection.

The study also discovered that roughly a third (28.14%) of election administrators have basic controls to prevent phishing and that less than one-fifth of them (18.61%) use advanced anti-phishing controls.

According to the report, 5.42% of the election administrators use personal email addresses. Others independently manage their own custom email infrastructure, some using versions of the Exim mail server that are known to have been targeted in cyber-attacks.

Area 1 Security rates the implemented anti-phishing controls as advanced (when an independent email security service is used on top of cloud email controls), basic (cloud provider’s email controls only), limited (rudimentary cyber-security controls), non-standard (own email control based on open source software), and non-standard personal (use personal email/controls for personal email).

The rating system only takes into consideration publicly observable email security controls, but not additional internal controls that improve security but do not prevent phishing, business email compromise (BEC), or credential harvesting attacks. SPF, DKIM and DMARC policies are not taken into consideration either.

“Having robust DMARC policies ensures that organizations are protecting their brand and domain for outbound emails; but is insufficient and ineffective against inbound phishing attacks. We recommend that all organizations widely adopt and enforce DMARC policies as a matter of cyber-security hygiene,” the security firm notes.

In its report, which includes security ratings for election administrators in every U.S. county, Area 1 Security recommends that election administrators cease using Exim, especially in light of recently targeted vulnerabilities, or at least ensure that it is up to date. It also recommends the use of cloud email infrastructure and refraining from using personal emails for the administration of elections.

Related: U.S. Government Warns of Continuous Election Meddling Efforts

Related: Democrats ‘Gravely Concerned’ Over Foreign Interference in US Vote

Related: Threat to US Elections Not Limited to Russia in 2020