Security Gaps Persist, Report Warns, After U.S. Blames Iran In Election Scheme
Updated at 1:01 p.m. ET
Government agencies and political actors across the country remain vulnerable to a spoof email scam like the one blamed on Iran by the U.S. spy boss, cyber-analysts said.
Most state and political website domains don't use a security protocol that limits an attacker's ability to send emails that pretend to have originated from their organization, according to a report Thursday by a San Francisco tech firm, Valimail, which analyzed a group of prospective targets.
One way attackers compromise their targets is by making them believe a message is coming from an organization or a person they know, even though an email actually is originating elsewhere — as was the case with the Iran intimidation emails.
"We take a lot on faith when we open and click on emails sent by political campaigns and PACs," wrote Valimail's Dylan Tweney. "That's because, for the most part, the domains used by these organizations are not protected from spoofing through the industry-standard authentication technologies."
One domain not protected by the protocols described in the report is www.donaldjtrump.com, President Trump's campaign site, the report says.
Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray warned on Wednesday night that more emails like those they've attributed to Iranian influence-mongers could appear in Americans' inboxes following the acquisition of voter data by the Iranian and Russian governments.
The leaders asked Americans who may receive such a message not to take it seriously and not to share it — an implicit acknowledgment that there may not be anything the U.S. intelligence community can do now to stop the intimidation scams short of exposing them.
The leaders vowed that the intelligence community would remain on guard for this and other interference in the election — and Americans should be confident their votes would count.
"Early, unverified claims to the contrary should be viewed with a healthy dose of skepticism," Wray said. "We encourage everyone to seek election and voting information from reliable sources—namely, your state election officials. And to be thoughtful, careful, and discerning consumers of information online."
Commentators noted how swiftly the United States was prepared to go from detecting the intimidation emails, which targeted voters in Alaska and Florida, to attributing the scheme to Iranian influence specialists and then announcing it publicly.
"This Proud Boys spoofed email campaign in Florida that the US Government has just publicly attributed to Iran is probably the fastest ever public disclosure of attribution intelligence ever made by the US. It took literally hours for press conference vs months/years in the past.." — Dmitri Alperovitch (@DAlperovitch) October 22, 2020
The FBI and other agencies today have the benefit of years of preparation to defend the 2020 election based on the bitter lessons of the 2016 race, in which Russia launched a wave of "active measures" aimed at helping elect Trump.
The FBI and the Cybersecurity and Infrastructure Security Agency have been posting regular bulletins about their intelligence on election security and CISA has launched a dedicated website: Rumor Control.
Iran, for its part, rejected the American accusation that it has been interfering in the 2020 race to cause mischief, but there didn't appear to be much doubt in officialdom or cyber-world about U.S. officials' technical ability to attribute the scheme.
Careful reaction in Washington
Members of Congress united behind the need for Americans to be confident in the election and some of them offered cautious praise for the comparatively quick work of the intelligence community, which in 2016 had infamously struggled to apprehend what was happening and respond accordingly.
That year, following months of full-blown cyber-hellraising, the intelligence community ultimately identified Russia as the culprit in a then little-seen written statement.
Critics of the 2016 case also blamed Senate Majority Leader Mitch McConnell, R-Ky., because they said he did not go along with a bipartisan statement by congressional leaders announcing the Russian interference and declaiming it. McConnell and his office have rejected any blame for what many other critics, and some insiders, called bungling by President Obama's administration.
By contrast Ratcliffe and Wray appeared on their own on Wednesday in a short-notice press conference and Ratcliffe said Trump had instructed him to keep Americans informed.
If the muscle movements of government have speeded up since then, however, the announcement on Wednesday still was not free of politics. Critics rejected Ratcliffe's characterization of the Iranian scheme as one aimed at hurting Trump.
The emails received by Alaska and Florida Democrats purported to come from the white supremacist Proud Boys — whose email domain, per the Valimail report, was not secured in a way to forestall that — and threatened voters registered as Democrats by claiming the senders knew they hadn't voted for Trump.
Ratcliffe's implication was that the Iranian scheme sought to damage Trump by tying him with white supremacy and voter intimidation. Skeptics didn't see any such intention and detected an attempt by Ratcliffe to try to allow Trump to play the victim.
"From the briefing, I had the strong impression it was much rather to undermine confidence in elections and not aimed at any particular figure," said Senate Minority Leader Chuck Schumer, D-N.Y., on MSNBC on Wednesday night.
Ariane Tabatabai, the Middle East fellow at the Alliance for Securing Democracy, said she thinks this sort of campaign was focused more on stoking polarization and creating chaos, rather than furthering one candidate over another.
"There's this assumption that Iran is really trying to push one candidate and that is Vice President Biden," Tabatabai said. "But the ultimate objective is actually to undermine faith in democratic institutions and our elections."
Tabatabai also noted how hard it is for national security officials to put the cat back in the bag when it comes to disinformation campaigns; it's much easier to spread bad information than to correct it in the public record, and it's much easier to stoke polarization than to quell it. It's unclear whether federal or local government officials will even reach every single person who received an intimidating email, for instance.
"Even if you tuned into the news conference and you took in all the information that was given to you, you may not necessarily connect the dots," she said. "You may have even forgotten the content of the email. But the perception that it left — the sort of bitter taste that it left in your mouth — would still be there."
Next steps unclear
Still uncertain is what, if any, action the United States might take against Iran in retaliation for the interference.
Nathaniel Herz of NPR member station Alaska Public Media reported that Sen. Dan Sullivan, a Republican running for reelection, called for some kind of action against Tehran.
"I think looking at ways to retaliate in a time and place of our choosing would be very appropriate, and certainly what I'll be pressing for," Sullivan told Alaska Public Media.
In a prepared statement, Al Gross, Sullivan's Democratic-endorsed independent opponent in the November election, accused Sullivan of "hiding in the corner while Iran and Russia have made it clear they intend to meddle in our election."
In emails and social media posts Tuesday, more than a dozen Alaskans reported that messages were sent to people in Anchorage, Eagle River, Soldotna, Kenai, Homer, Haines, Juneau, Sitka, Petersburg, Ketchikan, Bristol Bay, Denali Park, Palmer and the Fairbanks area, Herz reported.
Google said on Thursday that automated filters stopped about 90% of approximately 25,000 emails sent to Gmail users as part of the Iranian scheme. Plus there was a small amount of activity, the company said.
"Additionally, this morning we removed one video file on Drive and one video on YouTube with fewer than 30 views, and terminated the associated Google accounts," the company said. Google said it was in contact with the FBI and planned to continue helping with information and election security.
The precise total number of American recipients isn't clear, but Ratcliffe and Wray suggested that Americans should be prepared for more.
The leaders of the Senate Intelligence Committee, Marco Rubio, R-Fla., and Mark Warner, D-Va., urged all Americans to remain on their guard.
"To the American people and the media, we reiterate the need to be skeptical of sensationalist, last-minute claims about election infrastructure," the senators said in a joint statement. "State, local, and federal officials, and partners in social media and tech, should be proud of joint efforts to shut down Iranian and Russian efforts."
NPR's Miles Parks contributed to this report.