Tag Archives: Athenian Project

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

Post Syndicated from Jocelyn Woolbright original https://blog.cloudflare.com/election-cybersecurity-preparing-for-the-2020-u-s-elections/

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

At Cloudflare, our mission is to help build a better Internet. As we look to the upcoming 2020 U.S. elections, we are reminded that having the Internet be trusted, secure, reliable, and accessible for campaigns and citizens alike is critical to our democracy. We rely on the Internet to share and discover pertinent information such as how to register to vote, find polling locations, or learn more about candidates.

Due to the spread of COVID-19, we are seeing a number of election environments shift online, to varying degrees, with political parties conducting virtual fundraisers, campaigns moving town halls to online platforms and election officials using online forms to facilitate voting by mail. As the 2020 U.S. elections approach, we want to ensure that players in the election space have the tools they need to stay online to promote trust and confidence in the democratic system.

We’re keeping an eye on how this shift to online activities affect cyberattacks. From April to June 2020, for example, we saw a trend of increasing DDoS attacks, with double the amount of L3/4 attacks observed over our network compared to the first three months of 2020. In the election space, we are tracking trends and vulnerabilities to better understand the threats against these critical players. Our goal is to use the information to create best practices for election and campaign officials so they can be better prepared for the upcoming elections.

Key Takeaways:

  • When comparing types of attacks against campaigns and government election sites, we saw the exact inverse type of attacks with political campaigns experiencing more DDoS attacks while government sites experiencing more attempts to exploit security vulnerabilities.
  • On average, state and local government election sites experience 122,475 cyber threats per day with an average of 199 SQL injection attempts per day.
  • On average, political campaigns experience 4,949 cyber threats per day, although larger campaigns may see far more.

Project Athenian & Cloudflare for Campaigns Participants

Since 2020, the number of domains under Project Athenian has increased by 48 percent, to 229 state and local government election websites in 28 states receiving our security protections. Cloudflare also protects many political campaigns at all levels on a wide range of plans. Under Cloudflare for Campaigns, an initiative we launched in January 2020 to provide a free package of security protections to political campaigns with our partnership with Defending Digital Campaigns, we protect more than 50 political campaigns from candidates in 27 states.

Significant traffic spikes and probing for vulnerabilities to government election websites

For state and local governments, election night and the days leading up that day are typically the most important days of the year. With constituents accessing voter information such as voting and polling stations, election officials expect higher amounts of traffic to their website. Over the last few months, we’ve seen this shift at Cloudflare, with noticeable increases in traffic ranging from 2 to 3 times the volume of requests to many of these government election websites. We believe there are a wide range of factors for traffic spikes including, but not limited to, states expanding vote-by-mail initiatives and voter registration deadlines due to emergency orders by 53 states and territories throughout the United States. In March, more than 23 states conducted presidential primaries including 14 states on Super Tuesday, the most states on a single day to host primary elections.

At this year’s DEF CON Voting Village, experts from the Department of Homeland Security identified routine failure due to abnormally high demand as the largest risk to election systems because of the coronavirus pandemic. We have seen this in full effect, with traffic to election websites being unpredictable, and including unexplained spikes outside of election cycles, per the graph below.

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

To help state and local governments under Project Athenian prepare for elections, we wanted to identify the types of threats that election websites face and how to better protect their website from malicious attacks. Since the beginning of this year, we’ve seen a large number of attempts to exploit security vulnerabilities that were mitigated by the web application firewall (WAF), with 90 million threats blocked in March 2020, for example. Cloudflare’s WAF uses managed rulesets to offer a wide range of protection against known vulnerabilities and suspicious behavior and custom firewall rules to allow users to rapidly identify and adapt to the evolving threat landscape. Of the threats we identified, managed rulesets helped mitigate 51% of threats and custom firewall rules mitigated an additional 35% of threats. Having both managed rulesets and custom firewall rules therefore helps safeguard election information.

In previous elections, attackers have used SQL injections against government election websites to attempt to extract information. We therefore did a deeper dive on those types of attacks, to understand if these threats are being conducted leading up to the 2020 election. We identified a number of SQL injection threats that were blocked by Cloudflare, with an average of 43,884 attempts per day across all domains under Project Athenian. SQL injection attacks are commonly attempted against government election sites, with the WAF blocking an average of 199 SQL injection threats per day.

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

Political Campaigns have experienced more DDoS attacks

When looking at the ecosystem of election security, political campaigns can be soft targets for cyberattacks due to the inability to dedicate resources to sophisticated cybersecurity protections. Campaigns are typically short-term, cash strapped operations that do not have an IT staff or budget necessary to promote long term security strategies.

To gain a better understanding of the threats around political campaigns, we surveyed 80 U.S. federal political campaigns on a range of Cloudflare plans from Cloudflare for Campaigns to our self serve plans. Cloudflare has mitigated a total of 77,192,840 threats on these sites since January 2020. That means that, on average, these sites saw 4,949 threats per day from January 2020 to present.  In general, we see larger scale attacks against Senate candidate’s sites than those of House candidates.

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

As the election season has progressed, we’ve also seen an increase in the average number of attacks against political campaigns, with a 187% increase from May to June 2020. As face to face campaigning is not an option, campaigns now rely on online platforms such as video conferencing software, online fundraising and social media to reach voters. This can present significant cybersecurity challenges to already vulnerable groups, such as political campaigns. Political campaigns are realizing the importance of cybersecurity services and have begun working with state parties and committees on training on the types of cyber threats and widely available resources for campaigns. With basic cybersecurity hygiene training on issues such as password security, two factor authentication, identifying phishing scams, network protection, internal application security and social media privacy, campaign staff are less likely to be the victims of a data breach.

Election Cybersecurity: Preparing for the 2020 U.S. Elections.

There has been a notable amount of DDoS activity against political campaign websites. DDoS attacks, which can be cheap, easy to organize and highly destructive, are often used for targeting political campaigns. A DDoS attack that takes down a campaign’s website during critical times can severely disadvantage a website. Campaigns used rate limiting to address 63% of the cyber threats they experienced, suggesting that DDoS attacks remain a significant concern.

Securing Elections in 2020

Democracies rely on access to information and trust in government institutions, especially during a crisis. Reflecting this reality, elections officials are more aware and focused on reliability and resilience than ever before. Likewise, political campaigns are increasingly aware of the potential risks of DDoS activity and other cyber threats.

As COVID-19 continues to spread, it puts further pressure on ensuring that the Internet can be used to access and share election information. At Cloudflare, we believe that expanding access to tools that election officials and political candidates need to combat a range of online threats both serves our mission to help build a better Internet and strengthens our democracy.

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.

Post Syndicated from Jocelyn Woolbright original https://blog.cloudflare.com/two-year-anniversary-of-the-athenian-project/

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.

Two years ago, Cloudflare launched its Athenian Project, an effort to protect state and local government election websites from cyber attacks. With the two-year anniversary and many 2020 elections approaching, we are renewing our commitment to provide Cloudflare’s highest level of services for free to protect election websites and ensure the preservation of these critical infrastructure sites. We started the project at Cloudflare as it directly aligns with our mission: to help build a better Internet. We believe the Internet plays a helpful role in democracy and ensuring constituents’ right to information. By helping state and local government election websites, we ensure the protection of voters’ voices, preserve citizens’ confidence in the democratic process, and enhance voter participation.

We are currently helping 156 local or state websites in 26 states to combat DDoS attacks, SQL injections, and many other hostile attempts to threaten their operations. This is an additional 34 domains in states like Ohio, Florida, Kansas, South Carolina and Wisconsin since we reported statistics after last year’s election.

The need for security protection of critical election infrastructure is not new, but it is in the spotlight again as the 2020 U.S. elections approach, with the President, 435 seats in the U.S House of Representatives, 35 of the 100 seats in the U.S. Senate, and many state and local representatives on the ballot. According to the Department of Homeland Security and Federal Bureau of Investigations, election infrastructure in all 50 states was targeted during the 2016 presidential election. The risk is real. Florida counties suffered a spearfishing attack that gave hackers access to the voter registration rolls, and a Tennessee county website was knocked offline on election night and had to resort to handing out printed election vote counts.

Although the U.S government has sought to combat malicious actors that target election infrastructure, with Congress approving funding of $250 million for states in the administering and security of U.S elections in September 2019, there is always more to be done. As states rapidly prepare for the upcoming elections, the need for inexpensive, accessible solutions to protect election infrastructure are at an all-time high. As Micah Van Maanen, the Information Technology Director for Sioux County, Iowa, put it:

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.

At Cloudflare, we believe it is vital to the national interest that elections are secure and free from interference as these fundamentals are essential to United States democracy. In these two years, we have learned a great deal about government election offices all across the U.S, the spread of information and resources available to them, and the small number of people it takes to make an impact in the protection of election infrastructure.

We still have more to learn to ensure the protection of these critical sites and understanding how we can better prepare state and local election websites for the upcoming elections. As we look into the future of the project in upcoming years, it is important to also look at the past.

Stories from the Field:

The jurisdictions that are using Cloudflare to protect their election websites are diverse, with state and local governments representing a range of populations from over 1.2 million residents to fewer than 5,000 residents.

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.
I Voted Stickers- Element 5 Digital on Pexels

In Ohio, the Secretary of State released their yearly state directive in June 2018 and 2019, to all counties in Ohio Board of Elections on tools, resources and best cybersecurity practices to strengthen the security of their election system. The Athenian Project was recommended and encouraged in both directives for the DDoS protection, Web Application Firewall, Rate Limiting, Under Attack Mode and 24/7 support. During this past year- we have on-boarded 13 counties in Ohio with a total of 27 domains protected under Cloudflare. In the directive, Ohio plans to become the leader in best practices in the security of elections systems and we are happy to be aiding in this mission.

The Idaho Secretary of State joined the Athenian Project at the beginning of 2018 and Chad Houck, Idaho’s Chief Deputy Secretary of State, engaged with our team on how exactly the Secretary of State could benefit from Cloudflare services.

On May 11, 2018, two of Idaho’s state agency websites were defaced by an anti-government group that posted a manifesto in Italian. After receiving notifications from many different sources regarding the security breach and following several inquiries from the press regarding the matter, Chad decided to look at the Idaho Secretary of State Cloudflare account to see if there was any evidence of the same hackers trying to penetrate the IDSOS site. Using Cloudflare’s analytic tools, he was able to see 27,000 blocked requests, up from the normal 240 per day,  within the same 3.5-hour window that saw the other sites defaced. Cloudflare’s Web Application Firewall had automatically blocked the bad requests that attempted to penetrate the site.

Confident in the value of Cloudflare’s tools, Deputy Secretary Houck’s plan is to create policies of operation that assist Idaho’s 44 counties in protecting their election websites and statewide voter registration systems. “With the first two counties already on board for a pilot, our goal is to be the first state to reach 100% county adoption of the Athenian Project tools.”

Understanding the U.S. Electoral System & Athenian Project Expansion:

The United States election system is fragmented and varies greatly from state to state. In some states, the administration of elections is covered by the state government and, in others, by counties or local municipalities. This system is decentralized, meaning that each state and local government has control over how the various duties of elections are distributed. According to the National Conference of State Legislators, “there are more than 10,000 election administration jurisdictions in the U.S. The size of these jurisdictions varies dramatically.” This means the voting experience differs from county to county, and from state to state.

The Two-Year Anniversary of The Athenian Project: Preparing for the 2020 Elections.
Photo by Brandon Mowinkel on Unsplash

This system fragmentation has been a challenge for the Athenian project. In the process, we have learned that state and local government election offices range on technical abilities and funding. With this in mind, our teams at Cloudflare are looking into new ways to engage the community. Among our efforts, we aim to interact with election security information sharing centers that provide recommendations and resources for election infrastructure to strengthen cybersecurity practices. Doing this helps state and local entities prepare for the upcoming election.

What’s Next:

As we have a year until the 2020 election, we are thinking of how we engage with our current Athenian participants and expand access to Cloudflare services to new states and counties within the United States that might benefit from the Athenian Project. A key aspect that we have learned in this process is that the security of election websites sits with a small group of dedicated government officials that have found each other and built their own networks to share best cybersecurity practices.

In response to my question to Athenian participants in the onboarding process about how they discovered the project and Cloudflare, many of the answers I receive are similar: they heard about the project from another county, neighboring state, or information sharing centers that recommend using Cloudflare services as an extra layer of protection on their election infrastructure. Rodney Allen, the Executive Director for the Board of Voter Registration & Elections of Pickens County, South Carolina says that “the great thing about the Athenian Project is that Pickens County Board of Elections site has not experienced any downtime or outages thanks to Cloudflare, especially during South Carolina’s 2018 general election and special elections in 2019.”

As we set our sights for the 2020 election, we are happy to help provide these state and local governments with the tools they need to protect their election websites. If you run a state or local election website, feel free to reach out through our webform or read more about how our Athenian Project can help secure your online presence.