The unprecedented foreign hacking and misinformation campaigns that were reported around the 2016 U.S. election cast a cloak of doubt over the integrity of the country’s democratic process. The threat sent government officials on the federal, state and local level scrambling to ensure that the country’s voting machines, voter registration systems, pollbooks, results-reporting websites and other election technology is ready for the midterm elections.
Over the past few months, about a dozen technology companies have announced programs offering state and local election offices or political organizations free services to help them fend off looming threats, including email protection, extra security for cloud applications, basic antivirus coverage, multi-factor authentication tools and several other types of products. As elections in the U.S. are run by the states, securing a federal election requires a massive coordinated effort. The federal government has been playing a greater role to this end since 2016, but can only do so much without overstepping its bounds. In this gap, some companies saw a role they could play, and some of them decided to step in for free.
But those steps seem to be very disjointed. There is no coordination to make sure officials and campaign members understand their options. There is no overarching plan describing the private sector’s role. One official called the phenomenon a “free-for-all” that has “inundated” the government officials across the country who are responsible for running elections.
The companies, keen to highlight the show of patriotism and their desire to protect democracy, say the products are helping, though. And outside observers also express optimism about the cybersecurity industry’s interest in providing a public service.
“There is an obvious motivation from a business perspective because there will be so much money being spent on cybersecurity in the future. But I think by coming out early and coming out strong those companies are showing that they can be a helpful partner when it comes to securing our elections,” said Maurice Turner, senior technologist at the Center for Democracy & Technology.
Motivated to fill in the gaps
Executives interviewed by CyberScoop generally said after seeing constant reports of potential interference by malicious actors, they wanted to pitch in.
“When we see adversaries coming in and exploiting our systems and causing confusion and really making things more difficult for the state to offer elections that are trusted, we really just wanted to get involved and give back,” said Mark Kuhr, CTO and co-founder of Synack, a bug bounty company.
Synack is offering states free vulnerability assessments and red team engagements via a crowdsourced set of independent security researchers who are focusing on finding flaws in voter registration systems. Kuhr noted that he and CEO Jay Kaplan used to work at the National Security Agency and that the company generally has a “very patriotic group of folks.”
While offering election-related help is a new phenomenon for some companies, for others it’s an extension of previously existing programs intended to serve the public interest.
Cloudflare’s “Athenian Project” offers free protection against distributed denial-of-service (DDoS) attacks aimed at state and local government websites that deal with elections. Jigsaw, a subsidiary of Alphabet, is offering the same type of protection to political campaigns and organizations through “Project Shield.” Both of these programs were previously available to media, human rights and other special interest organizations, safeguarding them from attempts to immobilize websites with fake traffic.
“The key from our offering, this set of services, was those types of websites shouldn’t get pulled offline and that there should be a prevention of cyberattack on those types of websites,” said Alissa Starzak, Cloudflare’s head of public policy. “It shouldn’t be a question of whether you can pay for services.”
Dan Keyserling, head of communications at Jigsaw, echoed that sentiment, saying that the point of Project Shield is to ensure public access to information in the face of malicious interference.
“We have observed DDoS attacks in growing in frequency and intensity especially in the context of elections,” Keyserling said. “It’s important that we provide defenses against some of the most common forms of cyberattack. And we’ve observed DDoS attacks being used essentially as a form of censorship.”
DDoS attacks have already appeared this election season. An apparent attack disrupted election-night reporting of a mayoral primary in Knox County, Tennessee, in May. And a number of DDoS attempts have been reported targeting congressional campaigns. Given the high visibility, experts say it’s a no-brainer to accept free DDoS protection.
“I think it’s important low-hanging fruit,” said Turner of CDT, which put out an election field guide on DDoS mitigation. “DDoS protection offers protection against what could potentially be a very embarrassing or damaging event. A highly visible DDoS attack is something that most regular voters would be able to see.”
Given the diverse patchwork of state and local election jurisdictions that make up the country’s overall election infrastructure, though, not everyone has accounted for the low-hanging fruit, Turner explained.
“A lot of this is going to be sort of basic cybersecurity, but I believe that we’re at a point now when it comes to cybersecurity and the election space that a lot of these basics haven’t really been covered yet,” Turner said. “Any of these services can provide value to a jurisdiction that doesn’t have any of these kinds of protections.”
But even observers who praise this overall trend raise questions about the sustainability of doing it for free. Matthew Rhoades, managing director of cybersecurity and technology program at the Aspen Institute, said that while the offerings are good step now, it’s likely not the end game.
“I think in the wake of 2016 and the understanding of our continuing vulnerabilities in this area that each of these companies felt a moral imperative to step in,” Rhoades said. “What I’m heartened by is that they all plan to continue at least for the next few years. I think 20 years from now there might be a question as to whether they’ll still do this for free.”
We’re helping, really
While all the companies contend that they are filling real gaps, they offer few details about states’ engagement with their products.
Jigsaw’s Keyserling said Project Shield has had “interest from across the U.S., from up and down the political spectrum.” Starzak said that Cloudflare has had engagements in 19 different states, ranging from the local to statewide level. Synack’s Kaplan said 10 states have engaged in its program.
“We see ourselves as a gap-filler and really helping them go after areas of high risk with independent researchers that want to contribute and make the problems go away,” Kuhr, the Synack CTO, said. “These [state and local] security teams are tremendously overworked.”
Chris Bray, a senior vice president at cybersecurity company Cylance, said he saw a need for basic protection after he was called in to do a security assessment for a local campaign. The company announced in August that its commercial anti-virus program would be available for free through Election Day — that’s for everyone, not just campaigns or election offices. The rationale is that not everyone involved in an election officially works for an election-related organization.
“So many of them are powered by volunteers who are regular citizens and they don’t have an official affiliation with the campaign,” Bray said. “It’s like, ‘If you’re a volunteer, you’re not good enough and we only give it to people who are bonafide campaign workers on the payroll.’ We didn’t want to do that.”
While any U.S. resident could have gotten Cylance’s software for free, Bray said the company has seen registrations from “quite a few emails” with domains related to elections or campaigns. “The downloads have exceeded our expectations and it’s been rewarding for us and for me personally,” he said.
Of about a dozen states CyberScoop contacted to ask about their use of these offerings, only two responded. The Wisconsin Election Commission is using Cloudflare “for some website caching,” a spokesperson said. A spokesperson from Colorado declined to name which services the state is using, but said that the companies’ offerings “absolutely provide value.”
The oncoming ‘free-for-all’
It’s unclear if anyone in the industry itself has attempted to coordinate the rush of free offerings. None of the companies interviewed by CyberScoop indicated that they’ve huddled with any of their peers to make sure they’re each adding value to election security.
The federal government has been observing this trend, but hasn’t publicly gotten involved to help coordinate. A top cybersecurity official at the Department of Homeland Security said the industry’s surge of action may have overwhelmed election officials as much as it has helped them, but the future could bring more harmonization.
“Any time there’s an opportunity, space or a gap, nature abhors a vacuum, so everyone kind of flows into it one after the other, or, as I would call it right now, in a ‘free-for-all’ fashion,” Chris Krebs, undersecretary of DHS’s National Protection and Programs Directorate, told CyberScoop. “What I think we’ll see, and it takes some time, is probably a more coordinated approach to this service package offering. Not all the companies working together, but you’ll see a bunch of them probably partnering together.”
One of the challenges is that many election offices might lack the technical literacy to understand the offers being made to them. Coordinating to make sure jurisdictions understand their options could be key, as Krebs elaborated on Lawfare’s Cyberlaw podcast.
“One thing that I’m seeing … is that the election officials downrange are being inundated and they can’t really contextualize this service or that service,” Krebs said on the podcast. “So we need a more coordinated, almost holistic approach.”
Krebs hinted on the podcast at the possibility of DHS using its private-sector coordinating mechanisms — now primarily used for actual election technology vendors — to better coordinate the practice of offering free services.
Rhoades, of the Aspen Institute, similarly said that the offices and campaigns on the receiving end would benefit from some coordination on the companies’ part.
“I think the overall system will be better off if someone is looking holistically at this and trying to figure out which gaps each company can’t fill individually and how to shore those up,” he said.
It’s not like state and local election offices were previously helpless without these free tools. DHS has been leading the federal government’s efforts to coordinate with the nation’s more than 8,000 election jurisdictions on cybersecurity issues, ever since it declared election systems as critical infrastructure in early 2017. DHS’s assistance includes cyber-hygiene scans, phishing campaigns, penetration testing and distribution of network sensors, among other things. Separately, Congress appropriated $380 million in election-related grants earlier this year that states have largely said they will use for security improvements.
But the department says it takes no issue if the jurisdictions don’t take up its own assistance, as long as they’re doing something.
“It’s important to highlight that there are multiple different ways to get at this problem, whether you take a DHS service, or whether you have your own in-house capability, or whether you’re working with a cybersecurity vendor. Just working with DHS, for instance, is not dispositive of good security,” Krebs told CyberScoop.
Companies didn’t offer many specifics when asked about the prospect of working together. Kaplan, of Synack, similarly posed the idea of having the government step in to be a facilitator.
“I think there’s definitely more to come, and it would be great to see the government taking a more proactive approach of pulling these companies together and creating more of a public-private partnership,” he said.
The closest mention of coordination came from Jigsaw’s Project Shield. Keyserling said that while there’s no “formal partnership,” Jigsaw shares threat information that it gleans from the organizations it protects “with our friends at other tech companies all the time.”
The companies largely expressed enthusiasm about continuing their offerings for future elections, but said it’s too early to say what the efforts might look like, say, for 2020. They are still learning how to identify elections offices’ and campaigns’ needs, which vary greatly.
“We have some states that are incredibly capable on the tech side. … And then we have smaller municipalities that have barely thought about it at all and they sort of recognize it’s a big issue out there,” said Starzak, of Cloudflare. “I think we have to come up with a more robust scheme to address the challenges for all of those players, from the very sophisticated to the not-so-sophisticated and give them an easy playbook.”
Observers like Rhoades say the hope is that companies are paying close attention to how the free offerings are used.
“In the wake of this upcoming election there will be both some lessons learned and hopefully, if everyone is going to continue doing this, it would be great to find a way for a coordinating mechanism among them as well,” Rhoades said. “I think each company will still do what they do well, and that’s what they should do.”