By Peter Goldstein, CTO and co-founder, Valimail
- Email security will prove to be the weakest link in election security. Email is implicated in more than 90 percent of all cybersecurity attacks, and election infrastructure is just as exposed to email-based attacks as any other organization. This means email security must be a priority for thwarting interference with the 2020 presidential election. But research shows the majority of U.S. states are overlooking this vulnerability: only 5% of email domains associated with local election officials across the U.S. have published a DMARC record with an enforcement policy (p=quarantine or p=reject).
DMARC is a widely adopted open standard that lets a domain owner tell receiving mail systems to quarantine or reject messages that use the domain but fail SPF or DKIM authentication, so that only authorized senders can deliver mail that appears to come from that domain. It is one of the most basic and most effective means of stopping phishing attacks that impersonate a domain, which is why the Department of Homeland Security mandated its use for federal agencies in 2017 (Binding Operational Directive 18-01). Yet below the federal level, governments remain vulnerable. In May 2019 we learned that Russian hackers had breached two county election systems in Florida via a spear-phishing campaign, and in November 2019 we learned of a phishing-based ransomware attack on Louisiana state systems during an election cycle.
Because only a tiny percentage of counties and states have DMARC configured at enforcement, spoofed email remains an easy way in for malicious actors looking to disrupt our elections.
- Identity validation will be a major challenge across the entire security sector. Most companies think about cybersecurity in terms of encryption, sandboxing, network segmentation and so on, and overlook the core role of identity. In 2019 we saw enterprises and security vendors increasingly wake up to the importance of identity and access management (IAM) as an integral component of enterprise security, and for good reason. But granting access is just one slice of the cybersecurity "identity crisis." Every person, phone, computer and IoT device has an identity that must be authenticated in order to establish trusted communication, and validating identity is no easy task. Over Labor Day weekend we saw Twitter CEO Jack Dorsey's Twitter account get hijacked via SIM swapping, an attack that most likely began with someone impersonating Dorsey himself to his mobile carrier. That incident, along with business email compromise (BEC) attacks and bot-driven social media disinformation campaigns, is an example of the havoc wreaked when identity is not authenticated.
- Deepfake technology will be leveraged in more cyber attacks. In 2020, we'll see deepfake technologies migrate from proof of concept and occasional attack tool to a more common tactic. Deepfake audio and video can make cyberattacks against individuals and organizations far more sophisticated and convincing, and therefore more effective. In 2019, a fraudster used AI voice technology to impersonate the CEO of a German company, convincing an employee to transfer more than $200,000 to the bank account of a Hungarian supplier, from which the money was immediately moved to another account in Mexico. It would be foolish to think cybercriminals all over the world didn't take notice of this incident and start exploring how they too could leverage this type of technology to reap similar payouts (for example by delivering synthesized voice messages through services such as Google Voice). Scammers will add deepfakes to their toolkits, combining them with already proven techniques such as phone number spoofing and email impersonation, to advance phishing and BEC techniques and propel increasingly targeted attacks. We predict losses from impersonation-based attacks could be in the billions of dollars in 2020, spurred by an increase in the use of deepfake technology.
- DMARC adoption will grow across industries. We'll see a continued increase in Domain-based Message Authentication, Reporting, and Conformance (DMARC) adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using it has grown 5x in the last 3 years. We'll see increased growth across several verticals in 2020, especially health care and government. Following the lead of the federal government's civilian agencies, the Department of Defense will soon require all of its domains to enforce DMARC, increasing the number of military domains that are protected. H-ISAC, a global nonprofit organization serving the health care sector, has urged health care companies to adopt DMARC as part of best practices for securing email, and we've already seen a rise in adoption rates in this vertical as a result. This growth will continue throughout 2020.
- Major brands will lead the way with BIMI. Brand Indicators for Message Identification (BIMI) is an email standard that will change the way people interact with their favorite brands via email. BIMI provides a framework through which an organization publishes an authorized logo for display in recipients' inboxes alongside authenticated email from that organization; the logo location is published in DNS on the sending domain, and mailbox providers show it only for mail that passes DMARC on a domain with an enforcement policy. We predict BIMI will grow in popularity, especially among large enterprises and prominent brands that rely heavily on the trust and engagement of their customers. In fact, Google will be launching a BIMI pilot in 2020, which will help spur adoption. Research by Verizon Media has shown that BIMI can increase open rates and boost customer engagement, giving marketers a big incentive to support the DMARC enforcement that is a prerequisite for BIMI.
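As an added example (not code from the original article or from Valimail), the following Python checks the two things the DMARC and BIMI passages above turn on: whether a domain's DMARC record is actually at enforcement, as opposed to monitoring only, and whether it meets the DMARC prerequisite for BIMI. The domain names and DNS records are constructed samples. The enforcement definition used here (p=quarantine or p=reject applied to 100% of failing mail) and the BIMI rule (quarantine or reject with pct=100, and sp not set to none) are this example's reading of the published requirements, so confirm them against your mailbox provider's current guidance. In production the record text would come from a DNS TXT lookup of _dmarc.<domain> and default._bimi.<domain>.

```python
"""Classify DMARC records by enforcement level and check the DMARC
prerequisite for BIMI. Added example; not Valimail code.

All records below are constructed samples, not real DNS data.
"""
import re

POLICIES = ("none", "quarantine", "reject")


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (RFC 7489 syntax) into a dict.

    Tag names are lower-cased; malformed pairs are skipped, not fatal.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: str) -> dict:
    """Return validity, effective policies, pct and an 'enforced' verdict.

    'enforced' is True only when p=quarantine or p=reject applies to 100%
    of failing mail (this example's strict definition).
    """
    tags = parse_tags(record)
    result = {"valid": False, "policy": None, "subdomain": None,
              "pct": None, "enforced": False, "reasons": []}
    if tags.get("v", "").upper() != "DMARC1":
        result["reasons"].append("missing or wrong v= tag")
        return result
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        result["reasons"].append("missing or unrecognised p= tag")
        return result
    sub = tags.get("sp", policy).lower()
    if sub not in POLICIES:
        sub = policy  # an unrecognised sp= falls back to p= (RFC 7489)
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # RFC 7489 default when pct= is absent or unparseable
    result.update(valid=True, policy=policy, subdomain=sub, pct=pct)

    if policy == "none":
        result["reasons"].append("p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        result["reasons"].append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        result["enforced"] = True
        result["reasons"].append(f"p={policy} applied to 100% of failing mail")
    if sub == "none" and policy != "none":
        result["reasons"].append("sp=none: subdomains remain spoofable")
    return result


def bimi_ready(dmarc_record: str, bimi_record: str) -> dict:
    """Check the DMARC prerequisite for BIMI plus basic BIMI record syntax.

    Assumption (confirm with your provider): BIMI needs p=quarantine or
    p=reject with pct=100, sp must not be none, and l= must point at an
    https-hosted SVG logo.
    """
    d = dmarc_status(dmarc_record)
    problems = []
    if not d["valid"]:
        problems.append("DMARC record invalid: " + "; ".join(d["reasons"]))
    else:
        if d["policy"] == "none" or d["pct"] < 100:
            problems.append("DMARC must be quarantine or reject with pct=100")
        if d["subdomain"] == "none":
            problems.append("sp=none is not allowed for BIMI")
    b = parse_tags(bimi_record)
    if b.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    if not re.match(r"^https://\S+\.svg$", b.get("l", ""), re.IGNORECASE):
        problems.append("l= must be an https URL to an SVG logo")
    return {"ready": not problems, "problems": problems}


def enforcement_summary(records: dict) -> tuple:
    """Count how many of the given domains are at enforcement: (enforced, total)."""
    enforced = sum(1 for r in records.values() if dmarc_status(r)["enforced"])
    return enforced, len(records)


# Constructed sample records for hypothetical election-office domains.
SAMPLE_RECORDS = {
    "county-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@county-a.example",
    "county-b.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@county-b.example",
    "county-c.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@county-c.example",
    "county-d.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@county-d.example",
}
SAMPLE_BIMI = "v=BIMI1; l=https://county-d.example/logo.svg"

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        s = dmarc_status(rec)
        print(f"{domain}: enforced={s['enforced']} ({'; '.join(s['reasons'])})")
    print("at enforcement: %d of %d" % enforcement_summary(SAMPLE_RECORDS))
    print("county-d BIMI:", bimi_ready(SAMPLE_RECORDS["county-d.example"], SAMPLE_BIMI))
```

Of the four constructed domains only county-c and county-d count as enforced, and only county-d is BIMI-ready, because county-c's sp=none leaves its subdomains spoofable. A record that merely exists (county-a, p=none) produces reports but blocks nothing, which is the distinction behind the 5% figure above.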
- AMP for email is lifting off in 2020. AMP, a Google-backed technology originally created to accelerate web page load times, will take off in email in 2020. With AMP for Email, users will have expanded interactive capabilities within email messages, such as scheduling appointments, taking surveys and completing purchases, all without needing to open a browser. Because this puts dynamic, interactive content inside messages, mailbox providers gate it behind sender authentication: Gmail, for example, renders AMP email only from registered senders whose messages pass SPF, DKIM and DMARC. Retailers will likely be early adopters of this technology, and we can expect to see personalized emails that leverage previous purchases and items left in shopping carts to accelerate purchases and increase customer engagement. Customer satisfaction surveys will also likely be an early use case: consumers will receive a short survey after visiting their favorite coffee shop and be able to complete and submit it without leaving their email.
- IoT/smart city security will continue to grow as a target for attackers. Securing cities must begin with preventing phishers from gaining access to the computers from which commands can be pushed out to IoT devices remotely. There are many challenges with IoT security, not the least of which is authenticating device-to-server communication. Additionally, default passwords and outdated encryption make these systems easy to hack. In 2019 we read about some annoying and spooky incidents based on IoT hacking, but heading into the new year what we really need to be concerned about is hackers targeting energy grids and other major infrastructure to cause serious economic and social disruption.
- The use of AI will become more specialized. 2019 saw a lot of enterprises experimenting with artificial intelligence. Many of these experiments led to the realization that it takes a lot of time and expertise to implement AI successfully. In 2020, we will see some of those experiments start to pay off, as enterprises refocus their AI efforts on areas where it saves time and money, such as examining X-rays, automating customer service with chatbots, and simplifying driving via semi-autonomous vehicles. But other AI projects will be abandoned as it becomes clear that AI is not the most effective approach. Email security is one such area, where AI-powered security systems often miss phishing attacks and BEC scams; identifying fake news is another, where AI-powered tools have also missed the mark thus far.
About the Author
Peter is an MIT- and Stanford-trained technologist who has worked in a variety of software verticals including security, enterprise, email, and video. He has built products and teams at a number of large technology companies such as RSA Security and Perot Systems, as well as at small startups like Tout, Securant, and Swapt.