European political parties left open to email-based cyber attacks
None of the political parties in the UK, Germany and Norway, all of whom have upcoming elections, have email authentication or protection against spear phishing in place, according to new research.
The study by secure email company Agari shows that while eight percent have published an email authentication policy, they've left the door wide open by setting their policy to 'none', which will not stop malicious emails from reaching intended victims.
This lack of security is leaving voters, supporters and the parties themselves wide open to targeted email attacks using identity deception and social engineering methods. As demonstrated in the past year with the attacks on the En Marche! party in the French Presidential elections and on the Democratic National Committee (DNC) during the US presidential elections, an email attack that results in leaks of sensitive data can hamper a free and fair election and may, ultimately, impact the results.
To cut the risk, Agari recommends that parties should implement email authentication with a 'reject' policy using the open standard DMARC. This prevents impostors from using the domains of the political parties to deceive internal campaign staff, volunteers and the public. The combination of these two security defenses would have prevented both the US DNC compromise and the French En Marche! attack.
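The difference between a published policy and an enforced one is visible in the DNS record itself. As an added example (not part of the original article or Agari's tooling), this Python sketch classifies the TXT records found at `_dmarc.<domain>`; the domains and records are constructed samples.

```python
# Added example: classify DMARC TXT records by the protection they actually give.
# Tag syntax follows RFC 7489; SAMPLES holds constructed records, not study data.

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a tag list such as "v=DMARC1; p=none; ..." into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Classify the TXT records returned for _dmarc.<domain>."""
    # Only records whose first tag is exactly v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return "missing"        # no policy published at all
    if len(dmarc) > 1:
        return "invalid"        # receivers apply no DMARC when several records exist
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "invalid"        # no usable p tag, so nothing is enforced
    try:
        pct = int(tags.get("pct", "100"))   # share of failing mail the policy covers
    except ValueError:
        pct = 100               # a malformed pct is ignored and the default applies
    if policy == "none":
        return "monitor-only"   # reports only; spoofed mail is still delivered
    if policy == "reject" and pct == 100:
        return "reject"
    return "partial"            # quarantine, or reject applied to a sample of mail

SAMPLES = {  # constructed records for hypothetical domains
    "party-a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@party-a.example"],
    "party-b.example": ["v=spf1 -all"],
    "party-c.example": ["v=DMARC1; p=reject; pct=25"],
    "party-d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@party-d.example"],
}

def audit(samples):
    return {domain: classify(records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLES).items():
        print(f"{domain:20} {verdict}")
```

Only the "reject" verdict corresponds to the configuration the article recommends; "monitor-only" is the 'none' setting described above.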
"This is a disaster waiting to happen," says Dr Markus Jakobsson, chief scientist at Agari. "It appears that in spite of the now infamous email attacks that have blighted two elections in recent months, political parties are still showing no signs of even acknowledging that they need email protection. DMARC allows organisations to make it impossible to spoof their email domains. In the absence of a DMARC policy and protection against identity deception, anybody can write an email that appears to come from an unprotected organisation and have it delivered to the unwitting victim-to-be."
Agari is responding to the findings by offering free DMARC attack protection for all parties in the upcoming UK, German and Norwegian elections using its Email Trust Platform. You can find out more on the company's blog.