Amid cybersecurity fears, tech firms are offering to help secure the U.S. elections for free or at a discount
American democracy is under attack, with foreign spies and trolls throwing wrenches into the workings of U.S. elections—be it attempts to hack candidate websites, scramble voter rolls, or spread fake news on social media platforms. While Washington bickers about whether it’s spending enough on security upgrades ($380 million has been allocated, with Democrats repeatedly asking for more), the overtaxed cities and counties that actually run the polls are scrambling to catch up.
Although Silicon Valley has come under fire for its role in recent elections around the world, enabling the social media vandalism of 2016, for instance, several tech firms are now stepping up to boost election security with free or discounted services. “We saw that tech was being used to undermine elections. And the question was, could we be a tech company that was helping to provide our services to help support those elections?” says Matthew Prince, CEO of the content-delivery network and security service Cloudflare.
In December 2017, the company began offering free enterprise-security accounts to U.S. state, county, and municipal election authorities—mainly to prevent distributed denial of service (DDoS) attacks that could knock them offline during voter registration, election-result reporting, or at other critical times. Cloudflare’s Athenian Project was first used by Alabama in its special election for the U.S. Senate last December. And in July, the company announced that about 70 government organizations, from states down to cities, have signed up for the service.
Prince acknowledges that this is just a sliver of the more than 8,000 mostly county-based, often cash-strapped government organizations that oversee parts of U.S. elections. (Even the federal government doesn’t have an exact count of how many local entities are involved.) It doesn’t look as if other companies have encouraged many takers, either, and some may not be offering quite as much as they claim.
Cloudflare’s transparency seems to be the exception, in a sector prone to vague promises and paranoia, with participating government officials loathe to say much about their security procedures.
Cloudflare’s service is an extension of the pro-bono protection it’s offered since 2014 for investigative journalists, human-rights groups, and other targets of vindictive hackers. Google’s similar, free Project Shield has also been extended to election authorities, as well as to campaigns. Sites don’t need to have any paid services from Cloudflare or Google to qualify for assistance.
The two services work in roughly the same way—sitting between websites and the open internet in order to filter out hacking attempts and absorb the overwhelming floods of data used in DDoS attacks. The companies also provide other security measures, such as blocking malicious apps from accessing key parts of networks and providing two-factor authentication that makes break-ins much harder.
Security through obscurity
How much these companies are helping is hard to determine, since most election authorities are reticent about talking. That doesn’t surprise Liz Howard, a counsel in the Democracy Program of NYU’s Brennan Center for Justice. It’s something the Department of Homeland Security itself encourages. “That often involves not disclosing what the states are doing and where they are on the cybersecurity spectrum,” she says.
Just five state agencies, one county, and one city among Cloudflare’s participants agreed to be named. While Google has extensive descriptions online of its offerings, it has declined repeated requests from Fast Company for more details, providing neither the names of participants nor even a ballpark figure of how many it has.
Meanwhile Synack, a security service founded by ex-NSA operators, is offering $500,000 worth of free penetration testing assessments for elections. Each test runs $25,000 to $35,000, says Justine Desmond, Synack’s product-marketing manager for government. The company is reaching out to secretaries of state, but counties are welcome to apply directly. “The government sales cycle is quite long.” Even a free offer can take three months to get approved, according to Desmond. Synack says that it’s working with “a number of states,” but can’t name them yet.
Even companies eager to talk are often prevented from doing so by their government partners. In May, Akamai—a major content-delivery and online-security provider—announced that it would offer its Enterprise Threat Protector to election authorities. The service blocks attempts by users to access a continually updated blacklist of malicious IP addresses. Tricking people into clicking links in bogus phishing emails was one of the main tools used to infiltrate the Clinton campaign and the DNC in 2016, according to the Mueller investigation’s indictment of 12 Russian agents.
“I’d say specifically phishing, I see that as the most valuable help,” says Ken Matta, elections-security officer for Arizona’s Department of State, noting that this is the most common route taken by hacking attacks, in general (not just for elections). Arizona is the only participant that would acknowledge taking up the new offer from Akamai, which says there are “about half-dozen other state and local election entities” taking part.
It’s more evidence that only a few governments are being helped by these offerings. In Arizona, for instance, only the secretary of state’s office is getting Akamai’s help. Matta is encouraging counties—many desperately strapped for resources—to join in this and many other offers, such as training sessions provided by his office.
Not quite free
Some of the programs advertised as “free” are actually just discounted offerings. Akamai’s May announcement states that it “is offering interested electoral bodies the ability to preemptively safeguard their infrastructure during this year’s elections at no cost to them.*” That asterisk goes to a footnote, which reads, “terms and conditions apply.”
Arizona is in fact paying for the election-protection service, though at a discounted rate of 50 cents per “seat” (i.e., per employee). “We worked with Akamai to get a really good price per seat for their services that we can extend to the counties,” says Matta, who says he think it’s a fair price to pay given the extent of the protection. Given how Akamai’s service works, it would protect entire county IT departments, not just their election operations.
Virginia found the service worth buying years ago. “We had an issue with election night reporting on election night 2014, and Akamai was the service that we got to prevent that going forward,” says Liz Howard, of the Brennan Center. She served as Virginia’s deputy commissioner of elections from 2014 to January 2018, and believes that the outage of the state’s site was likely due to a burst of traffic, not an attack. Akamai would not disclose how much the state is paying.
However, in neighboring Tennessee, election officials in Knox County believe that a site outage during a primary election in May was caused by a DDoS attack. Former wrestler Glenn Jacobs won the GOP nomination for mayor by just 17 votes. Messing with tight elections is a key tactic in undermining faith in the results.
In April, security company Centrify announced a two-thirds-off discount to election authorities for its “zero trust” service that aims to allow only authorized employees on safe connections to access applications. Election boards pay for just four months of a one-year contract. “At this time, Centrify’s offer has been accepted by a few state and county election boards in the Southeast, with several others currently considering the offer,” the company told us in an email.
The vaguest of all major tech providers is Microsoft. In April, the company announced the ambitious-sounding Defending Democracy Program. It promised to protect campaigns from hacking, defend against disinformation, and “explore technological solutions to preserve and protect electoral processes and engage with federal, state and local officials to identify and remediate cyber threats.”
The only product of that so far has been free cybersecurity-training sessions for the Democratic and Republican national committees, in June. Staffers from the committees, their vendors, and Congress took part. (Earlier this year, the company discovered a bogus “Microsoft” website set up for phishing attacks on three congressional candidates, but that wasn’t as part of Defending Democracy.)
I inquired about what else the program entailed, and after a long back and forth with the PR team, learned that they had no idea—or at least nothing that they were authorized to share. But they promised that details will be forthcoming at some point in the future.
A prominent omission on the list of companies offering help is Amazon, whose AWS is one of the world’s largest cloud-hosting providers. “It would be awesome if Amazon would step up and offer a similar sort of website or AWS . . . configuration-scanning service,” says Maurice Turner, senior technologist at the nonprofit Center for Democracy & Technology. Amazon informed Fast Company that it doesn’t have any pro-bono election services.
Better than nothing
Overall, there’s no evidence that these pro-bono services are reaching more than a small number of election authorities, but it’s better than nothing, according to Howard. “There’s a lot to be done in this space,” she says, “and it’s great that we have all these companies willing to assist officials that are often very short of resources.” Many counties have exactly zero IT staff, for instance.
But there is still some time for more authorities to get onboard both government and business assistance programs. “We’re just kind of really getting into this process,” says Ken Matta about outreach to Arizona counties. “We’re moving forward with goodwill, good political spirit, and trying to build a team.”
Pro-bono offers can only go so far to make up for what Howard sees as a huge federal-government funding shortfall. For instance, she says, there isn’t enough money to replace the direct recording electronic (i.e., no paper backup) voting machines in five states: Delaware, Georgia, Louisiana, New Jersey, and South Carolina. (Activists believe that Georgia election servers may have been hacked in 2016 and are suing the state to turn over possible evidence.) No tech firms are offering free voting machines, although they might be able to help ensure that the machines are not vulnerable to online attacks.
Ultimately, it’s up to government officials to make their move. “We want to make sure that any of the other [election authorities] know that if they want help, we’re here to help,” says Cloudflare’s Prince.
This story has been updated.
(12)