Free Cybersecurity Services Offer a First Step to Securing US Elections

Published: 23/11/2024   Category: security




Some key security vendors - including Microsoft, Google, Cloudflare - are offering pro bono services and tools for election jurisdictions and campaigns this election season. But will it help?



It's too late to truly secure US election infrastructure for the 2018 fall midterms: that would require a massive security overhaul nationwide. But a number of election jurisdictions around the country have signed up for free website and user-account protection services being offered this election season by a handful of security companies, including big-name vendors like Google and Microsoft.
State and local election jurisdictions and campaigns traditionally are cash- and resource-strapped when it comes to technology, and especially security. So the freebie, cloud-based election security services available now from Cloudflare, Google, Microsoft, Akamai, Synack, Thycotic, and McAfee give them a shot at putting some protections around their Web-based systems.
There are over 10,000 election jurisdictions nationwide, and the ones who've opted in for these new free security services remain the minority. Cloudflare, one of the first vendors to offer free election security services with the December 2017 launch of its Athenian Project service, says some 72 election jurisdictions from 19 states have signed up for the DDoS mitigation and firewall protection service, while Akamai says 10 state and county election bodies, including the states of Arizona and Virginia, are on board for its free DNS-based Enterprise Threat Protector with Akamai Cloud Security Intelligence.
That leaves plenty of other state and local election systems theoretically at risk of attack either in the coming days before the election or on Election Day itself, unless they have other security measures in place.
While voting machines have been proven as painfully easy marks for hackers thanks to the work of researchers participating in DEF CON's Voting Village the past two years, security experts say Web-based systems are the most likely and easiest targets for attack during the elections.
States' election-reporting websites, states' voter roll websites, and candidate websites all are at risk of disruption via distributed denial-of-service (DDoS) attacks, as well as hacking and data-tampering by nation-state or other attackers. Rather than tamper with a voting machine, an attacker could remotely penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers.
While the wave of gratis security services from the security industry this election year is a welcome assist, it's just a first step in updating and tightening security of election systems. There realistically won't be any major improvements in security until at least 2020, experts say.
"You can make meaningful change in two years before the 2020 presidential election," notes Patrick Sullivan, director of security strategy at Akamai. "A lot of that is ... leveraging cloud services is easier than replacing on-site security infrastructure," he notes.
The state of Idaho runs Cloudflare's Athenian Project service for its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site, which includes voter registration. Idaho deployed the service three weeks prior to its May primaries and got an immediate wake-up call about threats to the sites: three days before the primary, it saw some 27,000 blocked domain requests by Cloudflare in one 24-hour period, according to Chad Houck, Deputy Secretary of State for Idaho.
The spike came amid a website defacement attack on Idaho's state legislative services and state judicial services websites - which don't use the Athenian Project service. One theory was the attackers may have targeted a wide swath of the state's domains in the attack.
Free security offerings for elections aren't all altruistic, of course. Some of the free offerings - Akamai's and Synack's, for example - expire after the fall elections, although jurisdictions can become paying subscribers thereafter. The security vendors get a shot at new customer prospects who've had a chance to test-drive their security services for free.
Even so, it's a start. "A rising tide raises all boats. Being able to offer campaigns and [elections] enabling cybersecurity and knowledge can only be useful in raising the bar," says Priscilla Moriuchi, director of strategic threat development at Recorded Future and former threat manager for East Asia and Pacific for the National Security Agency (NSA).
As long as it's a reputable security company that's offering the pro bono services or security education for the right reason, it can help improve security, she says. But if companies are offering it to solidify their own reputation, then it may be doing more harm than good, she says. "As long as they're making sure it's the right [security] advice and tailored for the election office," she says.
Matthew Prince, CEO of Cloudflare, sees his company's free service as a first step in locking down election infrastructure.
"In the long term, my hope is that [Project Athenian] will help make those systems that much stronger," says Matthew Prince, CEO of Cloudflare.
Who's Offering What
Here's a rundown of some of the free security services now available for US election officials and campaigns:
Microsoft last week joined a wave of security vendors offering versions of their security services for free to election jurisdictions and campaigns. Its free AccountGuard, available to federal, state, and local candidates and campaign offices as well as think tanks and political organizations that use Office 365, includes a threat and attack detection and notification service for both corporate Office 365 accounts as well as for personal accounts for Hotmail. Microsoft also is offering up best practices guidance, materials, and workshops covering threat modelling, secure coding, phishing awareness, and identity management, for example.
Tom Burt, corporate vice president of customer security & trust at Microsoft, acknowledged that the service only covers its own ecosystem of customers, and there are other vectors for attackers to hack election systems. "We know our colleagues in the industry are working diligently to take similar steps, and we’re enthusiastic about their work. As we expand Microsoft AccountGuard, we will look for opportunities to coordinate with their efforts," he wrote in a blog post.

Google's Alphabet Jigsaw group offers free cloud-based security services under its so-called Protect Your Election tools for candidates, campaigns, publishers, journalists, NGOs, and election monitoring websites. It includes Project Shield, a DDoS mitigation service, as well as account protection services like its free password manager Smart Lock, Password Alert for Chrome that flags a possible password compromise, and personalized security recommendations.
But Google's Advanced Protection Program to add extra security to a Google account isn't totally free: it requires the purchase of two physical security keys. The keys run from $20 to $50 or so apiece.
Cloudflare's Athenian Project is akin to its enterprise-class service: DDoS mitigation, firewall, site access management, and load balancing. It's also a service offered in perpetuity and not just for the election season. Project Athenian protects public-facing websites as well as internal sites. In addition to Idaho, the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C., all use it.
Akamai's free Enterprise Threat Protector with Akamai Cloud Security Intelligence service is a recursive DNS service. "The focus here is on just using DNS as a security chokepoint," Akamai's Sullivan says. It detects phishing and other malicious domains, and is available for free through Nov. 30, 2018.
Synack, co-founded by two former NSA cybersecurity experts, offers pro bono penetration testing services to US states. Synack's Secure Election Initiative service roots out vulnerabilities in voter registration databases and online voter registration websites, and provides remediation help as well. The company says it's working with a number of different states but can't provide details on them at this time.
User access management firm Thycotic last month released the Cybersecurity Election Protection Toolkit for US election candidates and their teams. The kit includes a digital edition of Cybersecurity for Dummies, an incident response template, and a poster template for campaign offices to display and educate staffers on how to protect their credentials and practice secure online behavior. There's also a tool to check password strength.
Most recently, McAfee announced it's now offering a free 12-month license of McAfee Skyhigh Security Cloud to US state election officials for securing voter data stored in cloud-based systems such as Amazon AWS and Microsoft Azure. That includes detecting misconfigured AWS S3 buckets as well as compromised user accounts.
Cylance, meanwhile, says its Cylance Smart Antivirus is now available for free to anyone, including campaigns, through November 2018.
And today, Valimail said it will offer its Enforce email anti-fraud service for free through the November elections for US campaign offices, state Boards of Elections, and voting machine and equipment vendors. It's also providing pro bono fraud protection to the Democratic National Committee and the Republican National Committee through the 2020 presidential election.