It's too late to truly secure US election infrastructure for the 2018 fall midterms: that would require a massive security overhaul nationwide. But a number of election jurisdictions around the country have signed up for free website and user-account protection services being offered this election season by a handful of security companies, including big-name vendors like Google and Microsoft.
State and local election jurisdictions and campaigns traditionally are cash- and resource-strapped when it comes to technology, and especially security. So the freebie, cloud-based election security services available now from Cloudflare, Google, Microsoft, Akamai, Synack, Thycotic, and McAfee, give them a shot at putting some protections around their Web-based systems.
There are over 10,000 election jurisdictions nationwide, and the ones who've opted in for these new free security services remain the minority. Cloudflare, one of the first vendors to offer free election security services with the December 2017 launch of its Athenian Project service, says some 72 election jurisdictions from 19 states have signed up for the DDoS mitigation and firewall protection service, while Akamai says 10 state and county election bodies including the states of Arizona and Virginia are on board for its free DNS-based Enterprise Threat Protector with Akamai Cloud Security Intelligence.
That leaves plenty of other state and local election systems theoretically at risk of attack either in the coming days before the election or on Election Day itself, unless they have other security measures in place.
While voting machines have been proven as painfully easy marks for hackers thanks to the work of researchers participating in DEF CON's Voting Village the past two years, security experts say Web-based systems are the most likely and easiest targets for attack during the elections.
States' election-reporting websites, states' voter roll websites, and candidate websites all are at risk of disruption via distributed denial-of-service (DDoS) attacks, as well as hacking and data-tampering by nation-state or other attackers. Rather than tamper with a voting machine, an attacker could remotely penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers.
While the wave of gratis security services from the security industry this election year are a welcome assist, it's just a first step in updating and tightening security of election systems. There realistically won't be any major improvements in security until at least 2020, experts say.
"You can make meaningful change in two years" before the 2020 presidential election, notes Patrick Sullivan, director of security strategy at Akamai. "A lot of that is ... leveraging cloud services is easier than" replacing on-site security infrastructure, he notes.
The state of Idaho runs Cloudflare's Athenian Project service for its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site, which includes voter registration. Idaho deployed the service three weeks prior to its May primaries and got an immediate wakeup call about threats to the sites: three days before the primary, it saw some 27,000 blocked domain requests by Cloudflare in one 24-hour period, according to Chad Houck, Deputy Secretary of State for Idaho.
The spike came amid a website defacement attack on Idaho's state legislative services and state judicial services websites - which don't use the Athenian Project service. One theory was the attackers may have targeted a wide swath of the state's domains in the attack.
Free security offerings for elections aren't all altruistic, of course. Some of the free offerings - Akamai's and Synack's, for example - expire after the fall elections, although jurisdictions can become paying subscribers thereafter. The security vendors get a shot at new customer prospects who've had a chance to test-drive their security services for free.
Even so, it's a start. "A rising tide raises all boats. Being able to offer campaigns and [elections] enabling cybersecurity and knowledge can only be useful in raising" the bar, says Priscilla Moriuchi, director of strategic threat development at Recorded Future and former threat manager for East Asia and Pacific for the National Security Agency (NSA).
As long as it's a reputable security company that's offering the pro bono services or security education for the right reason, it can help improve security, she says. "But if companies are offering it to solidify their own reputation, then it may be doing more harm than good," she says. "As long as they're making sure it's the right [security] advice and tailored for" the election office, she says.
Matthew Prince, CEO of Cloudflare, sees his company's free service as a first step in locking down election infrastructure.
"In the long term, my hope is that [Project Athenian] will help make those systems that much stronger," says Matthew Prince, CEO of Cloudflare.
Who's Offering What
Here's a rundown of some of the free security services now available for US election officials and campaigns:
Microsoft last week joined a wave of security vendors offering versions of their security services for free to election jurisdictions and campaigns. Its free AccountGuard, available to federal, state, and local candidates and campaign offices as well as think tanks and political organizations that use Office 365, includes a threat and attack detection and notification service for both corporate Office 365 accounts as well as for personal accounts for Hotmail. Microsoft also is offering up best practices guidance, materials, and workshops covering threat modelling, secure coding, phishing awareness, and identity management, for example.
Tom Burt, corporate vice president of customer security & trust at Microsoft, acknowledged that the service only covers its own ecosystem of customers, and there are other vectors for attackers to hack election systems. "We know our colleagues in the industry are working diligently to take similar steps, and we’re enthusiastic about their work. As we expand Microsoft AccountGuard, we will look for opportunities to coordinate with their efforts," he wrote in a blog post.
Google's Alphabet Jigsaw group offers free cloud-based security services under its so-called Protect Your Election tools for candidates, campaigns, publishers, journalists, NGOs, and election monitoring websites. It includes Project Shield, a DDoS mitigation service, as well as account protection services like its free password manager Smart Lock, Password Alert for Chrome that flags a possible password compromise, and personalized security recommendations.
But Google's Advanced Protection Program to add extra security to a Google account isn't totally free: it requires the purchase of two physical security keys. The keys run from $20 to $50 or so apiece.
Cloudflare's Athenian Project is akin to its enterprise-class service: DDoS mitigation, firewall, site access management, and load balancing. It's also a service offered in perpetuity and not just for the election season. Project Athenian protects public-facing websites as well as internal sites. In addition to Idaho, the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C., all use it.
Akamai's free Enterprise Threat Protector with Akamai Cloud Security Intelligence service is a recursive DNS service. "The focus here is on just using DNS as a security chokepoint," Akamai's Sullivan says. It detects phishing and other malicious domains, and is available for free through Nov. 30, 2018.
Synack, co-founded by two former NSA cybersecurity experts, offers pro bono penetration testing services to US states. Synack's Secure Election Initiative service roots out vulnerabilities in voter registration databases and online voter registration websites, and provides remediation help as well. The company says it's working with "a number of different states" but can't provide details on them at this time.
User access management firm Thycotic last month released the Cybersecurity Election Protection Toolkit for US election candidates and their teams. The kit includes a digital edition of Cybersecurity for Dummies, an incident response template, and a poster template for campaign offices to display and educate staffers on how to protect their credentials and practice secure online behavior. There's also a tool to check password strength.
Most recently, McAfee announced it's now offering a free 12-month license of McAfee Skyhigh Security Cloud to US state election officials for securing voter data stored in cloud-based systems such as Amazon AWS and Microsoft Azure. That includes detecting misconfigured AWS 3 buckets as well as compromised user accounts.
Cylance, meanwhile, says its Cylance Smart Antivirus is now available for free to anyone, including campaigns, through November 2018.
And today, Valimail said it will offer its Enforce email anti-fraud service for free through the November elections for US campaign offices, state Boards of Elections, and voting machine and equipment vendors. It's also providing pro bono fraud protection to the Democratic National Committee and the Republican National Committee through the 2020 presidential election.
- Microsoft Sinkholes 6 Fancy Bear/APT28 Internet Domains
- The ABCs of Hacking a Voting Machine
- White House Cybersecurity Strategy at a Crossroads
- 8 Steps Toward Safer Elections
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.