Free Tools Boost 2020 Election Security, but Not Enough

More companies than ever are offering low-cost security services for election bureaus and campaigns. It’s still not clear how much they’ll actually help.
woman voting at polling booth
Photograph: Drew Angerer/Getty Images

Officials around the United States have spent the past three years scrambling to harden election and voting infrastructure against the disinformation campaigns, phishing attacks, and system probing that plagued 2016. With exactly one year to go until the 2020 presidential election, local and state boards of election have made significant progress on improving digital defenses. But researchers and election integrity advocates continue to sound the alarm that some of the most important changes—like replacing insecure voting machines and hiring necessary personnel—can't happen without more funding from Congress. And the scores of free cybersecurity offerings that have cropped up from tech companies to fill the void ultimately can't substitute for those resource-intensive projects.

Free and low-cost election cybersecurity tools are gaining visibility, though, as a way for small or underfunded election groups to make some meaningful improvements. They are particularly suited in some ways to aid campaigns, which are lightweight, temporary organizations by nature. But in addition to their limitations for dealing with deeper problems, it's unclear how widely these low-cost tools are adopted, perhaps in part because it's difficult to determine which offerings are safe and effective.

"I’ve heard election officials, in particular, say that they are bombarded with offers from private vendors to help with cybersecurity and often feel like they have no basis for determining who to trust," says Lawrence Norden, deputy director of the Brennan Center's Democracy Program at New York University School of Law.

Private vendors aren't the only option for election officials and candidates. Since 2016, the Department of Homeland Security, the US Election Assistance Commission, federal law enforcement, and other agencies have all been working to increase communication about election security threats and expand the defense programs and tools they offer. Nonprofit and academic organizations have also been working on campaign security and election integrity resources.

And there are a number of free services from well-known vendors, which can still be valuable. Some initiatives debuted ahead of the midterm elections to protect state and local government websites and services like online databases. One of the more popular company offerings is the Athenian Project from the internet infrastructure company Cloudflare. It debuted in late 2017 and stems from a similar suite of free protections, known as Project Galileo, that Cloudflare offers to human rights groups, activists, journalists, and artistic organizations. Today the Athenian Project is used by more than 110 jurisdictions in 25 states, including Alabama, Hawaii, North Carolina, and Rhode Island.

"A lot of what happens in the election space is about voter confidence, so the concern is that you don’t want to have your website defaced or improperly accessed, because even if there’s no change in vote count, it still undermines voter confidence," says Alissa Starzak, Cloudflare's head of policy. "And we’re seeing instances where we’ve prevented those types of things. That doesn’t mean there aren’t still gaps and there aren’t still challenges in the space, but I think that we are seeing progress."

Jigsaw, a division of Google's parent company Alphabet, runs a comparable initiative called Project Shield. Project Shield began taking on election-related clients in May 2018, focusing on campaigns in the US and Europe. Jigsaw CEO Jared Cohen emphasizes the organization's dedication to election defense through Project Shield and Google's Protect Your Election initiative, which also aims to combat disinformation. Jigsaw wouldn't say how many campaigns have taken advantage of its services or provide any specific statistics on its use in the political sphere, though.

Another tech giant, Microsoft, offers a number of election-related cybersecurity protections through a service known as AccountGuard. Launched in August 2018, it provides monitoring and intrusion protection for Microsoft accounts in Office 365, Outlook.com, Hotmail, and other platforms. Microsoft says that AccountGuard currently has about 60,000 enrolled accounts across political campaigns, parties, and democracy-focused NGOs in more than two dozen countries. And the service has generated more than 800 notifications to AccountGuard users of attacks against political campaigns, parties, and pro-democracy groups since last year.

Microsoft did not specify how much of that adoption is in the US, though. Publicly available internet infrastructure records known as Mail Exchange records indicate that the only two presidential campaigns that used Microsoft-provided email services in September were those of President Donald Trump and Mark Sanford.

Still, Microsoft has done a slew of important election threat research and can gather activity signals worldwide through the massive footprint of Windows. At the beginning of October, for example, the company warned that Iranian hackers had been targeting a presidential campaign, current and former US government officials, journalists, and Iranians living outside Iran with phishing attacks. Microsoft would not name the campaign, but it is widely reported to have been that of President Trump.

In addition to low-cost offerings from recognizable tech giants, security firms of various size and prominence have also announced election-related protections. Companies of all sizes seem to be constantly entering the increasingly crowded space.

Facebook, for example, just launched a special account-protection mechanism for candidates, elected officials, and their staff at the end of October. With a year to go before the 2020 election, there's still time for candidates to activate this and other services. But it's of course too soon to say how many actually will.

When it comes to defending campaigns specifically, low-cost offerings have also taken time to proliferate because of campaign finance restrictions on accepting gifts and free services. Area 1, a phishing defense firm, initially faced pushback from the Federal Election Commission earlier this year when it tried to offer discounted protections to campaigns. Eventually, though, the company demonstrated to the FEC that the offering is not specific to campaigns and is actually a general business practice offered to a number of small or under-resourced organizations. Area 1 says it now counts half of current presidential campaigns and a majority of congressional campaigns as clients along with some campaign committees and election-related nonprofits.

"Companies have tried to use election security as a marketing ploy, but it's mostly bluster, because they haven't committed to making their offerings useful or legal with the FEC," says Oren Falkowitz, CEO of Area 1 and a former NSA analyst, of competitors in the space. "The candidates are very concerned about their campaigns being phished. And we are observing daily phishing attacks against candidates—a mix of nation state and non–nation state groups. The risk of damages increases as candidates gain momentum, expand their staffs, and get closer to Election Day."

Some companies may inflate their impact or play a public relations game, but free services can genuinely benefit state and local election organizations and campaigns that might not otherwise have the institutional will to prioritize even basic cybersecurity protections. At the same time, though, with so many offerings now available and few quality controls in place, the task of finding and deploying resources may still be daunting. Campaigns and election organizations can still make cybersecurity improvements in the final year before Election Day. But even choosing the right free tool won't resolve the deeper, more expensive vulnerabilities still dogging US election infrastructure.


More Great WIRED Stories