Application Security

8/28/2018
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free Cybersecurity Services Offer a First Step to Securing US Elections

Some key security vendors - including Microsoft, Google, Cloudflare - are offering pro bono services and tools for election jurisdictions and campaigns this election season. But will it help?

It's too late to truly secure US election infrastructure for the 2018 fall midterms: that would require a massive security overhaul nationwide. But a number of election jurisdictions around the country have signed up for free website and user-account protection services being offered this election season by a handful of security companies, including big-name vendors like Google and Microsoft.

State and local election jurisdictions and campaigns traditionally are cash- and resource-strapped when it comes to technology, and especially security. So the freebie, cloud-based election security services available now from Cloudflare, Google, Microsoft, Akamai, Synack, Thycotic, and McAfee, give them a shot at putting some protections around their Web-based systems.

There are over 10,000 election jurisdictions nationwide, and the ones who've opted in for these new free security services remain the minority. Cloudflare, one of the first vendors to offer free election security services with the December 2017 launch of its Athenian Project service, says some 72 election jurisdictions from 19 states have signed up for the DDoS mitigation and firewall protection service, while Akamai says 10 state and county election bodies including the states of Arizona and Virginia are on board for its free DNS-based Enterprise Threat Protector with Akamai Cloud Security Intelligence.

That leaves plenty of other state and local election systems theoretically at risk of attack either in the coming days before the election or on Election Day itself, unless they have other security measures in place.

While voting machines have been proven as painfully easy marks for hackers thanks to the work of researchers participating in DEF CON's Voting Village the past two years, security experts say Web-based systems are the most likely and easiest targets for attack during the elections.

States' election-reporting websites, states' voter roll websites, and candidate websites all are at risk of disruption via distributed denial-of-service (DDoS) attacks, as well as hacking and data-tampering by nation-state or other attackers. Rather than tamper with a voting machine, an attacker could remotely penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers.

While the wave of gratis security services from the security industry this election year are a welcome assist, it's just a first step in updating and tightening security of election systems. There realistically won't be any major improvements in security until at least 2020, experts say.

"You can make meaningful change in two years" before the 2020 presidential election, notes Patrick Sullivan, director of security strategy at Akamai. "A lot of that is ... leveraging cloud services is easier than" replacing on-site security infrastructure, he notes.

The state of Idaho runs Cloudflare's Athenian Project service for its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site, which includes voter registration. Idaho deployed the service three weeks prior to its May primaries and got an immediate wakeup call about threats to the sites: three days before the primary, it saw some 27,000 blocked domain requests by Cloudflare in one 24-hour period, according to Chad Houck, Deputy Secretary of State for Idaho.

The spike came amid a website defacement attack on Idaho's state legislative services and state judicial services websites - which don't use the Athenian Project service. One theory was the attackers may have targeted a wide swath of the state's domains in the attack.

Free security offerings for elections aren't all altruistic, of course. Some of the free offerings - Akamai's and Synack's, for example - expire after the fall elections, although jurisdictions can become paying subscribers thereafter. The security vendors get a shot at new customer prospects who've had a chance to test-drive their security services for free.

Even so, it's a start. "A rising tide raises all boats. Being able to offer campaigns and [elections] enabling cybersecurity and knowledge can only be useful in raising" the bar, says Priscilla Moriuchi, director of strategic threat development at Recorded Future and former threat manager for East Asia and Pacific for the National Security Agency (NSA).

As long as it's a reputable security company that's offering the pro bono services or security education for the right reason, it can help improve security, she says. "But if companies are offering it to solidify their own reputation, then it may be doing more harm than good," she says. "As long as they're making sure it's the right [security] advice and tailored for" the election office, she says.

Matthew Prince, CEO of Cloudflare, sees his company's free service as a first step in locking down election infrastructure.

"In the long term, my hope is that [Project Athenian] will help make those systems that much stronger," says Matthew Prince, CEO of Cloudflare.

Who's Offering What

Here's a rundown of some of the free security services now available for US election officials and campaigns:

Microsoft last week joined a wave of security vendors offering versions of their security services for free to election jurisdictions and campaigns. Its free AccountGuard, available to federal, state, and local candidates and campaign offices as well as think tanks and political organizations that use Office 365, includes a threat and attack detection and notification service for both corporate Office 365 accounts as well as for personal accounts for Hotmail. Microsoft also is offering up best practices guidance, materials, and workshops covering threat modelling, secure coding, phishing awareness, and identity management, for example.

Tom Burt, corporate vice president of customer security & trust at Microsoft, acknowledged that the service only covers its own ecosystem of customers, and there are other vectors for attackers to hack election systems. "We know our colleagues in the industry are working diligently to take similar steps, and we’re enthusiastic about their work. As we expand Microsoft AccountGuard, we will look for opportunities to coordinate with their efforts," he wrote in a blog post

Google's Alphabet Jigsaw group offers free cloud-based security services under its so-called Protect Your Election tools for candidates, campaigns, publishers, journalists, NGOs, and election monitoring websites. It includes Project Shield, a DDoS mitigation service, as well as account protection services like its free password manager Smart Lock, Password Alert for Chrome that flags a possible password compromise, and personalized security recommendations.

But Google's Advanced Protection Program to add extra security to a Google account isn't totally free: it requires the purchase of two physical security keys. The keys run from $20 to $50 or so apiece.

Cloudflare's Athenian Project is akin to its enterprise-class service: DDoS mitigation, firewall, site access management, and load balancing. It's also a service offered in perpetuity and not just for the election season. Project Athenian protects public-facing websites as well as internal sites. In addition to Idaho, the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C., all use it.

Akamai's free Enterprise Threat Protector with Akamai Cloud Security Intelligence service is a recursive DNS service. "The focus here is on just using DNS as a security chokepoint," Akamai's Sullivan says. It detects phishing and other malicious domains, and is available for free through Nov. 30, 2018. 

Synack, co-founded by two former NSA cybersecurity experts, offers pro bono penetration testing services to US states. Synack's Secure Election Initiative service roots out vulnerabilities in voter registration databases and online voter registration websites, and provides remediation help as well. The company says it's working with "a number of different states" but can't provide details on them at this time.

User access management firm Thycotic last month released the Cybersecurity Election Protection Toolkit for US election candidates and their teams. The kit includes a digital edition of Cybersecurity for Dummies, an incident response template, and a poster template for campaign offices to display and educate staffers on how to protect their credentials and practice secure online behavior. There's also a tool to check password strength.

Most recently, McAfee announced it's now offering a free 12-month license of McAfee Skyhigh Security Cloud to US state election officials for securing voter data stored in cloud-based systems such as Amazon AWS and Microsoft Azure. That includes detecting misconfigured AWS 3 buckets as well as compromised user accounts. 

Cylance, meanwhile, says its Cylance Smart Antivirus is now available for free to anyone, including campaigns, through November 2018.

And today, Valimail said it will offer its Enforce email anti-fraud service for free through the November elections for US campaign offices, state Boards of Elections, and voting machine and equipment vendors. It's also providing pro bono fraud protection to the Democratic National Committee and the Republican National Committee through the 2020 presidential election.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/30/2018 | 9:46:41 AM
All good
It's also providing pro bono fraud protection to the Democratic National Committee and the Republican National Committee through the 2020 presidential election. These are all good but are they going to do it accord the country? A few states would not be enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/30/2018 | 9:45:01 AM
Re: Security fundamentals
Disruption of the election process, reporting, and tampering with voter rolls is more of a concern. That is true, this will have more impact in the results than anything else.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/30/2018 | 9:44:10 AM
2020
You can make meaningful change in two years" before the 2020 presidential election I would agree with this. As long as all the states agree technology can secure it quite well.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/30/2018 | 9:42:22 AM
Re: Security fundamentals
legacy voting" isn't even secure! I would agree wit this. There are frauds beyond technology obviously, whether it impacts result of the election or not I am not sure.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/30/2018 | 9:40:41 AM
US election Security
It is really hard to believe that we are still discussing security of election, with the technology on hand this should have been resolved years earlier.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/30/2018 | 9:39:24 AM
Re: Security fundamentals
Not sure what you mean by "legacy voting." Voter fraud is rare overall. Disruption of the election process, reporting, and tampering with voter rolls is more of a concern.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2018 | 11:07:03 PM
Security fundamentals
Alas, even aside from all of electronic voting's unique technological flaws, the big picture that many miss in this conversation is that "legacy voting" isn't even secure! You don't need to be a hacker to commit voting fraud in this country. Often, you only need enough nerve.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.