Image
Hand placing a piece of pager into a clear ballot box in front of the United States flag

Report on Election Security Gains Attention, and a Sharp Rebuke

© iStock - sefa ouzel

Jessica Huseman, ProPublica

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

In July, election officials across the country received a mass email from NormShield, a Virginia-based cybersecurity company few had heard of.

The company informed the officials it was about to publicly release the results of a “risk scorecard” it had generated assessing vulnerabilities in their internet-facing election systems. States could request their scorecards in advance, the company said, and join what it termed “a joint marketing and public service project.”

“NormShield is the only provider that assesses and prioritizes the risk of any organization within 60 seconds,” Chief Security Officer Bob Maley wrote. Its work would provide each state with an overview of its failures in 10 categories, all given an easy-to-understand letter grade “that can be instantly used to evaluate cyber defenses.”

Initially, most states ignored the email. Some told ProPublica they thought it was spam. Others dismissed it as a heavy-handed marketing ploy — one of dozens of such approaches states receive monthly from cybersecurity companies hoping to win government contracts.

But some states asked for reports on their systems. Considerable upset followed.

States that received the reports found them riddled with errors and unhelpful for assessing actual election security. The work done by NormShield — called “Rapid Cyber Risk Scorecards” — had tested online government material not associated with elections. In Idaho, for example, the company examined the security of the Department of Environmental Quality, but not the state’s online voter registration system. In Oklahoma, of 200 IP addresses scanned, none were related to elections. In Vermont, the scan had been performed on a defunct domain.

“You would think a firm that claims expertise in cybersecurity could do a simple Google search to find the correct address of a state website,” Iowa Secretary of State Paul Pate said in a statement.

Multiple states confronted NormShield about the reports. Federal government agencies privately called it irresponsible, and nonprofit groups panned NormShield’s failure to appropriately notify the states of vulnerabilities before threatening to report them publicly.

It might all have faded away as an unremarkable, if annoying episode had it not been for the fact that NormShield on Tuesday published its work. While the published report did not name any specific states, it said that more than half of the 50 states whose systems it examined had received “a grade C or below.”

The report garnered considerable attention, written up by The Washington Post, Politico and Axios.

In interviews with ProPublica, election officials and experts in election security said NormShield’s behavior amounted to another kind of election security threat: companies looking to profit from a country on edge about the integrity of its national and local elections.

“There is a lot of work to do to better secure election technology, and states are looking for help,” said David Becker, the executive director of the Center for Election Innovation & Research. “But profiteering only serves to further diminish voter confidence, which is exactly what our adversaries want.”

In an interview, Maley, the NormShield official, defended the company’s work and its dealings with the states. He said that the security tests it ran were legitimate, and that the company had been aboveboard with election officials about that work and what NormShield intended to do with it. States, he said, had ample opportunity to both contest its findings or fix the identified vulnerabilities.

Election officials and experts contacted by ProPublica rejected the company’s assertions and criticized virtually every aspect of NormShield’s work on election systems. The technology it employed was limited, they said, and the company also had failed to honor industry best practices by not adequately alerting the states to its findings before making them public.

Election officials in Oklahoma, for instance, said the company had a “gross misunderstanding” of the state’s systems and rejected its findings. Iowa officials called the report “error ridden.” In an interview, Idaho’s Deputy Secretary of State Chad Houck said the scorecard was “so worthless that I didn’t print it out.”

While the scan did detect real problems — some states, for example, are not using standard protections to prevent email spoofing and others are using outdated operating systems — none of these problems are particularly revelatory, experts said. The Department of Homeland Security runs regular scans on election systems that detect identical problems, and many states said they already had long-term fixes in the works.

Jim Condos, the Vermont secretary of state, said that Vermont has hired multiple cybersecurity consultants recently to perform tests on its systems and none had made the conclusions reached by NormShield’s test, which relied exclusively on publicly available information and did not consult the states to ask specific questions about their security. Scans of other state agencies’ cyberhygiene were not, he said, a reflection of his office.

Maley laughed at the concerns in an interview. He said vulnerabilities in state sites unrelated to elections nonetheless posed risks. “Everything [election offices use] is connected to the state,” he said, calling it “disingenuous” for state officials to suggest otherwise. “Their mail servers, their DNS servers, their server farms — they are connected to the same networks.”

But J. Alex Halderman, a computer science professor at the University of Michigan who studies election systems, said potential interconnectivity to other state agencies is not enough to assert the level of danger NormShield has reported. While many states may depend on the infrastructure Maley references, not all do. Halderman said the tests were “a crude way” of assessing election security.

Dan Wallach, a computer scientist at Rice University, said that without asking specific questions about each state’s security protocols, a scan of the type that NormShield ran would only offer clues as to vulnerabilities but would not itself confirm they were present. “I’m going to label them as a company desperately trying to get attention for themselves,” he said. “This is clearly just a marketing attempt.”

In interviews over many months, election officials across the country have admitted that vulnerabilities exist, and that Americans are right to be worried. Those officials have been frustrated by both state and federal government failures to commit funding to helping protect elections. Congress has failed to pass several bills related to election security, most recently a $600 million funding infusion that would have come with a slew of cybersecurity requirements. Mitch McConnell, the Republican Senate majority leader, blocked their consideration. He says that the country has done enough to prevent Russian interference, and that federal security requirements attached to funding would threaten the states’ ability to conduct their elections as they see fit.

The same officials and a number of independent experts have also cautioned that a mix of legitimate worry and political frenzy has created an environment that companies can exploit. “It appears to me to be an attempt to create hysteria in the public to sell their product,” Condos said.

Candan Bolukbas, NormShield’s chief technology officer, said that the company had “no marketing mindset,” but that any election security work “automatically becomes a marketing item” because it is such a hot topic. He said the company had no intention of selling its product to states and would be offering the scans and assistance to them for free. Their target market is instead private companies, who may see the report and learn of NormShield’s offerings.

“Of course we want to sell our product,” a company spokesperson, Josh Zecher, said.

NormShield is a new company that performs what are called “nonintrusive” tests of websites used by government or private companies. Anyone can request a scan on NormShield’s website for free, and they can then pay NormShield to help mitigate any problems discovered. The company has recently received $3.5 million in seed money from investors.

Cybersecurity companies that perform vulnerability testing generally follow a very specific procedure for notification that includes individually reaching out to subjects and constructively helping them fix problems before publicizing them. NormShield does not appear to have followed this process.

“It’s not a good practice to release scary information based on insufficiently vetted, automatically generated threats. Election officials now need to spend time they don’t have responding to these poorly vetted claims,” said Ben Adida, the CEO of VotingWorks, a nonprofit building secure and affordable voting machines. “I’m sure NormShield meant well, but it seems to me they caused net harm.”

While states were offered an advance copy of their July scorecards, they were unaware that the company had done a second set of tests in August until the public report was released this week. Maley said the report included updated information for the states who demanded NormShield redo the reports using the correct addresses. If a state ignored the report and did not alert NormShield to flaws, the company assumed there were no objections.

Maley said that if NormShield tested incorrect websites, the fault was with the National Association of State Election Directors, which was where the company found the list of websites. NASED, a nonprofit run by a single person, was not contacted ahead of the list being used.

The company appears to have made no independent effort to verify it tested the correct sites. In an interview, when asked what efforts had been made to fact-check the scores, both Maley and Bolukbas said such efforts were unnecessary and not part of their offering to states. “Our proactive part is done when we generate the report,” said Bolukbas, who said mistakes were “inevitable” in any cybersecurity product.

Maley said that states were given “every opportunity” to ask for corrections, and that he regretted if states felt that NormShield’s communication was ineffective or a marketing ploy. When pressed on what opportunities were given to the states, Maley and Bolukbas ended the interview.

In its report, NormShield appears to claim extensive success pointing out vulnerabilities to states. “After the July assessment, NormShield privately provided its findings to the Secretaries of State (SOS) and election commissions in July in order to empower them with the information needed to remediate vulnerabilities. NormShield ran a second scan in August and found significant improvement in the security posture of several election commissions,” it wrote. Media coverage in the Post, Politico and Axios likewise mentions the improvements, correlating them with NormShield’s scans.

But ProPublica was unable to find a state that had made any changes after receiving the report. And in a phone call, Maley downplayed the company’s responsibility for the improvement, saying he was “not willing” to make the correlation between the disclosure and the improvement. “I don’t know,” he said. He declined to specify which states’ grades had improved, and experts say that states may have made a number of changes unrelated to the scans that would have affected their scores.

The Post wrote that NormShield “plans to publish another report next month in which it will actually name which states have low grades” — a move Wallach said would be irresponsible. Maley denied having said this, only saying that it was a “potential option” if states didn’t improve, and that the company would have “internal discussions” about next steps after the data was analyzed.