Every campaign plan for this cycle has changed dramatically because of COVID. In-person activities are curtailed for the foreseeable future. In their place, candidates and groups are moving to virtual town halls and virtual rallies, and relying more on texting, paid media and email.
While it’s exciting to see this pace of change unfold in real time, we know the internet isn’t a bucolic scene from a Norman Rockwell painting. The campaigns will need to double their efforts to secure their communication apparatuses against nation-state actors, cybercriminals, and anyone else who might be tempted to meddle in our elections.
It should come as no surprise that while email is one of the most cost-effective tools for reaching the widest audience, it’s also rife with abuse.
To secure the 2020 election, campaigns need to adopt email authentication standards to keep criminals and nation states from spoofing their sending domains and delivering misinformation that imitates a legitimate campaign, and to prevent phishing attacks against voters.
During the summer of 2019, it was found that nearly half the then-candidates hadn’t set up, or had set up incorrectly, the email authentication on their sending domains.
A motivated bad actor could cast doubt and aspersions on a campaign, and undermine it, through targeted phishing attacks posing as that campaign, because the domains from which it sent its email were not properly protected.
The thing about elections is that you don’t have to hijack voting machines or break into ballot boxes to cause a major disruption. You merely have to suggest there might be impropriety to throw the whole thing into turmoil.
But beyond the security aspects of email, campaigns should pause and consider how they plan on turning up the volume on their socially distant campaigns while still following established best practices and not burning out recipients. How much is too much? The answer to that lies in testing and measuring, but also in obtaining clear, concise opt-in before sending a voter a text or an email.
For instance, organizations such as mine have created guidelines that address how political messaging should be sent via text (SMS). In short, it all starts with clear, concise opt-in. This happens to be good and reliable guidance for email as well, and it is also in line with the Cellular Telecommunications Industry Association (CTIA) guidance for one-to-many communications.
The process should look something like this:
- Campaigns should obtain permission from recipients before they send them any kind of message across any platform or device.
- Campaigns should have clear, easy opt-out instructions and provide confirmation.
- Campaigns need to make sure the platforms they are using, and specifically the domains and email addresses they are using to deliver communications, are secured by leveraging email authentication standards like DMARC, DKIM, and SPF.
- IT professionals in those campaigns need to deploy multi-factor authentication (MFA) across mission-critical systems, and any service or account used as part of campaign coordination (personal ones also) to deter bad actors bent on brute forcing their way in and taking control of their systems and accounts. (This same guidance is also what we recommend to follow as they prepare for November.)
The stakes are high and the tools at the disposal of today’s campaigns are potent. Ironically, the methods and technology to secure campaigns and their messaging aren’t new. In many cases, they’ve been around for some years.
The foreign interference in our 2016 election should’ve been a wake-up call, especially given the prominent role played by email phishing. Unfortunately, we haven’t seen industry-standard approaches to messaging security become widely adopted in response to the 2016 election.
Campaigns function on a compressed timeline. Unfortunately, the rest of the world’s expectations, at this moment, are not aligned: nothing is fast, nothing arrives on time, but that’s OK.
There are new priorities and among them should be security in all of its forms. From food, to shelter, to the way our democratic process unfolds, we need improved security to make sure that our elections aren’t undermined in the virtualized rush to the finish line.
Len Shneyder is co-chair of the Election Security Special Interest Group at the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), an internet industry trade group working to combat botnets, malware, spam, viruses, DoS attacks and other online exploitation. He’s also VP of industry relations at Twilio.