Valimail, an enterprise email security firm, announced that it will offer its email protections for free to relevant government workers and campaigns through the 2018 midterms. That offer covers state election boards, voting system vendors and major party U.S. election campaigns, including congressional, statewide and gubernatorial candidates. The company will also offer the same email fraud prevention service, known as Valimail Enforce, to the Democratic National Committee and Republican National Committee at no cost through the 2020 U.S. presidential election.
“Bad actors are trying to disrupt our elections and sow chaos in our democracy,” Valimail CEO and co-founder Alexander García-Tobar said in a statement. “They are targeting email because it is one of the weakest points in digital communications.”
As Valimail observes, spear phishing attempts in which an attacker tricks their target into opening a malicious email are a particular problem. In a spear phishing attack, a hacker can compromise a target’s login credentials by getting them to click on a fraudulent link or just by pretending to be someone they aren’t and obtaining usernames, passwords and other sensitive information. (The suspected Russian government-affiliated attackers who compromised a Gmail account belonging to Hillary Clinton’s 2016 campaign chair John Podesta used spear phishing to achieve their goals.)
Spear phishing attacks often employ email spoofing, a strategy in which the attacker disguises their true identity and makes an email look like it’s coming from a trusted domain. Citing its own research, Valimail notes that 90 percent of cyberattacks originate in spear phishing and two-thirds of those employ a fake “from” address to target potential victims.
Valimail Enforce prevents this kind of attack with an email authentication system that only allows authorized senders to use a domain name. The company’s email authentication service employs standards like SPF, DKIM and DMARC and is Federal Risk and Authorization Management Program (FedRAMP) authorized, making it easier for government entities to adopt its security tools.
Though no states and campaigns have signed on to the new offering yet, Valimail has been talking with the National Association of State Election Directors and the Department of Homeland Security, the federal agency tasked with coordinating security for election systems — now designated as critical infrastructure — among the states. Valimail follows companies like Cloudflare and Synack in offering its services at no cost to help secure election systems.
Due to the state and local-led nature of U.S. elections, it’s very difficult to ensure that security measures can be uniformly implemented and enforced across the board. It’s too late for the patchwork of post-2016 election security efforts to provide any kind of comprehensive assurance for the 2018 midterms, but private tech companies are stepping in to fill some of the gaps. At the very least, getting some security relationships in place and educating state and local officials on potential precautions should be a useful stepping stone to more secure elections by 2020.