Tech mobilizes to boost election security

Tech mobilizes to boost election security
© The Hill illustration

Private companies are stepping up to offer cybersecurity programs for midterm campaigns as Congress stalls on passing election security legislation.

Microsoft is the most prominent name, unveiling a free cybersecurity program in August after the company revealed it had detected Russian hackers who appeared to target a pair of conservative think tanks.

The company is joining a broad list of firms providing free or discounted security services, such as McAfee, Cloudflare and most recently Valimail, which is offering its anti-fraud email service to campaigns.


Officials at companies said they felt obligated to step up to the plate and offer services that election officials or campaigns might otherwise not have access to — shortcomings that have been widely highlighted ahead of November’s midterm elections.

Microsoft President Brad Smith cited the importance of protecting the democratic process in a blog post announcing the companies’ free election-security programs in August.

“While cybersecurity starts with Microsoft and other companies in the tech sector, it’s ultimately a shared responsibility with customers and governments around the world,” Smith wrote.

“No individual or company can hope to meet this imperative by itself,” he continued. “We all need to do our part. We’re committed to doing our part by helping to protect candidates and campaigns in preserving their voices and votes no matter what party they support.”

The Department of Homeland Security (DHS) has offered assistance and additional election-security funding to states, but Congress’s own efforts to pass election-security legislation have largely faltered. The Secure Elections Act, a bipartisan bill in the Senate designed to strengthen campaigns against cyberattacks, was abruptly put on hold in late August over a lack of GOP support.

Senators behind the measure remain hopeful that the legislation will move forward, although its future remains unclear.

“I’m grateful to Chairman [Roy] Blunt [R-Mo.] for his leadership to markup this bill in the Senate Rules Committee, and I look forward to it being rescheduled in the days ahead,” Sen. James LankfordJames Paul LankfordThe Hill's Morning Report - Can Sanders be stopped? Senate drama surrounding Trump trial starts to fizzle The Hill's Morning Report - Trump defense rests, GOP struggles to bar witnesses MORE (R-Okla.), one of the bill’s sponsors, said in an email to The Hill.

“This is an important bill that I will not let fail. I look forward to working with Members and groups that have technical concerns with the text of the Secure Elections Act as we continue to walk through its passage.”

Those stalled efforts, though, created an opening for tech and cyber firms, which are already under the microscope after the 2016 elections and facing pressure to do more to prevent hacks and foreign influence efforts.

Tech and cyber companies this year have tried to be more transparent, detailing security issues and foreign efforts they detect and sharing more information publicly. Officials from social media platforms, including Twitter CEO Jack Dorsey, will testify before lawmakers this week.

Officials at cybersecurity firms told The Hill in interviews that they felt the need to step up and help secure election systems after the widespread media coverage of foreign interference in the 2016 presidential election.

Cloudflare was one of the first to provide complimentary services, launching its Athenian Project in 2017. It offered the company’s top-tier products to local election officials for free. The company’s products help fight distributed denial of service attacks, which direct massive amounts of internet traffic to servers to take them offline.

Alissa Starzak, head of public policy for Cloudflare, told The Hill that the company started a pilot program with Alabama for the state’s special elections last year, and it now has partnerships with 19 different jurisdictions, from entire states to smaller municipalities.

She said the company felt it was important to offer support for local governments’ election websites to help build voters’ confidence.

“The notion that a website would go down even if it’s not malicious — the concern is that if you start to sow doubts in democracy, that’s a problem,” Starzak said. “You don’t want people to think that any of your public institutions are potentially vulnerable to cyberattacks because it actually undermines faith in the underlying systems.”

McAfee also made headlines last month when the company announced it would offer election officials free access to its cloud security program for 12 months.

Ken Kartsen, vice president for public sector at McAfee, said the company will decide in a year whether it will continue to offer the product for free or take a different approach to help secure elections.

He said McAfee officials started discussing how to help with election security last year and recognized that many jurisdictions were starting to host information or sites on cloud servers, which could open them up to new cyber vulnerabilities.

Kartsen said that similar to federal officials, cyber companies sometimes struggle with figuring out how to offer security programs to state and other local election officials, because of the “independent nature of our election process.”

State officials are responsible for running their own elections, and some secretaries of state have bristled over legislation that would dictate how states must conduct certain election processes, like audits.

Still, experts and firm officials agreed that it is ultimately up to election and campaign officials to adopt best practices in cybersecurity, and that the free offerings serve as a push in the right direction.

Sean Sullivan, a security adviser for the security firm F-Secure, said private companies are essentially throwing roadblocks in front of users to force them to adopt security practices. 

Measures like two-factor authentication, for example, require users to take additional steps to access their accounts in order to block potential hacks.

“I think we’ll see private companies step up a bit, but there’s only so far they can go,” Sullivan said.

Jessica Ortega, a website security analyst at SiteLock, predicted that education will soon come to the forefront of cybersecurity efforts — and not just for election officials.

“We’re going to see a lot more of the private sector coming out in favor of cybersecurity education,” said Ortega.

She said campaigns would need to see cybersecurity as equally important as their other election efforts, “making sure that these smaller campaigns, for example, have cybersecurity built into their budget the same way they would have advertising or flyering or robocalling built into the budget.”