Escalated concerns over the security of the 2018 midterm election in the wake of revelations of Russian cyberattacks on US election systems and vulnerabilities in voting machines have pressured many state, local, and municipal election agencies into doubling down on securing their websites.
Some 70 different election agencies across 19 states so far have signed up for a new, free Web security service called the Athenian Project, from Cloudflare with an assist from the Center for Democracy & Technology, which is helping with outreach to state boards of elections and municipalities. Cloudflare first announced the project in December.
Among the latest organizations to add the free security service are the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C. In all, 10 state government websites have adopted it.
Matthew Prince, CEO of Cloudflare, which secured the websites of Donald Trump's and Bernie Sanders' campaigns during the 2016 presidential election, says the Athenian Project is a "full enterprise-class service" with all the features Cloudflare sells to big organizations, which pay millions of dollars a year for its service. That includes DDoS mitigation, firewall, site access management, and load balancing, and it's a service offered in perpetuity – not just for the election season.
"There's a full firewall service that sits in front of the apps and prevents SQL injection, credential-stuffing, cross-site request forgery, and dictionary attacks against login access," Prince explains. "The service can also take legacy applications and apply MFA [multifactor authentication] even if the underlying [app] doesn't support [that]," he says.
Project Athenian is a website security service only: It doesn't secure electronic voting machines, for example. "It's for services on the Net," such as public-facing voter registration websites and election information sites, as well as internal sites.
The goal of the free service is to help shore up security in local election systems. "Local election officials are way undersourced and don't have much budget, but they are responsible for really providing the infrastructure of US democracy," Prince says.
The state of Idaho is one of the most recent adopters of the free service. Its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site – which includes voter registration – both use the Cloudflare service.
Chad Houck, Deputy Secretary of State for Idaho, says the state's main security concerns for the sites are distributed denial-of-service (DDoS) attacks, which could hamper site availability, and website defacements. The state got the service online three weeks prior to its May primary elections and immediately started tracking attack attempts on the sites. "We were seeing a baseline of 250 blocked domains a day," he says.
Then just three days prior to primary election day, Idaho's state legislative services and state judicial services websites – which don't use the Project Athenian service – were hit with major website defacements. "A bad actor had written a 'manifesto' in Italian" on the home pages, Houck says. "We immediately went and dove into our systems to see if anything had been compromised, and the first thing we looked at was the dashboard from Cloudflare: In a 24-hour period, it had blocked 27,000 domain requests."
The high-profile primary in Idaho was likely a foreshadowing of what the state will face in the general election: Houck says he's definitely expecting an increase in attack attempts this fall.
Tip of the Iceberg
So far, the US hasn't had the intensity or volume of cyberattacks on its election systems that other nations have suffered, Prince says. "We help protect candidates and elections in many parts of the world, and 2016 was relatively modest" in the US, he says.
But Prince expects an uptick in attacks and threats to US election systems – not just Russian hackers, but other hackers around the world as well as from within the US. His team spotted attackers during the special election in Alabama earlier this year – where the Athenian Project service was in use – attempting to knock offline some election websites.
The main threats to US election systems, experts say, are disabling or sabotaging voter registration systems. Prince says the most likely goal of attacks will be to disrupt or undermine the process. "We've seen attacks on voter registration systems or spam to grab information to undermine voter rolls," he says.
Information on polling-place locations is a target as well, he notes, as well as servers from counties that collect votes and send them to the official secretary of state office. "It's more about undermining the space in the democratic process itself," Prince says. "You don't have to change the results to undermine the US political process: Just make people doubt the process has integrity."
Cloudflare's free service can only protect sites from incoming attacks: If a server already is compromised with malware, for instance, that's another issue. "If there's command-and-control traffic going through those systems, [however], we can often see that," Prince says.
He says he hopes other security companies will also offer free security tools and services to election agencies – malware scanning and risk assessment would be helpful, for instance. "It would be terrific if a coalition of technology and security vendors would offer their time and services and expertise to ensure that these systems are protected," Prince says.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.