Election cybersecurity discussion sponsored by Synack and The Bridge in Washington, DC, on Oct. 16, 2018
23 October 2018

What Will it Take to Secure Elections? Reporting, Information Sharing and Security Intelligence


A few weeks ago, NBC News reported that a DHS intelligence assessment indicated a “growing volume of cyber activity targeting election infrastructure in 2018”. As Americans were wondering if the security of the 2018 midterm elections was doomed, Chris Krebs, Undersecretary for the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), seemed to say otherwise during Synack’s “Security and Democracy” event in Washington D.C. last week. “It’s not an uptick in activity; what we’re getting right now is an increase in reporting to DHS about what was happening anyway,” Krebs claimed. We think he’s right.

DHS NPPD Chris Krebs speaking at TheBridge and Synack's event "Security & Democracy"
DHS is getting better at reporting on cyber threats because of better information sharing and improvements in threat detection. How are they doing it? Credit is certainly due to DHS itself, which conducts independent testing of state election systems infrastructure. DHS’ National Protection and Programs Directorate (NPPD) has offered scanning services to help states find vulnerabilities in their systems; so far 17 states have taken DHS up on its offer. This is a step in the right direction toward independent, third-party testing of different parts of the elections ecosystem (voter registration systems, elections websites, etc.). DHS has also drastically increased information sharing by forming the Election Information Sharing Center (E-ISAC), which now has participation from all 50 states and over 13 counties and local jurisdictions.

Partnering with the private sector is also playing an important role. As Mr. Krebs said on Tuesday, “We have a shared responsibility, and everyone has a role in this fight.” Government agencies are starting to look to Silicon Valley’s cybersecurity companies as America’s “secret weapon” for making them secure in the cybersphere. Silicon Valley’s development of the latest in technology (platforms, real-time data analytics, artificial intelligence and machine learning) and access to the best security talent can be shared with states to help them assess their security risk before the 2018 Midterm Elections. Public-private partnership can translate into reliable, real-time, actionable intelligence for the federal government and state and local governments to help them better understand their susceptibility to cyber threats and prioritize coordinated action.

A united front in the face of these threats makes America stronger, which is why we brought together Cloudflare and Microsoft (companies who have offered free election security services and products) with TheBridge, the Aspen Institute, and DHS during DC Cyber Week at our highly attended “Security & Democracy” event. All of these organizations share the belief that protecting democracy and improving cyber readiness takes collaboration between the private and public sectors.

Cloudflare’s election security initiative, the Athenian Project, protects state and local election websites by offering them its Enterprise-level DDoS mitigation, web application firewall, site access management, and load balancing services for free. Microsoft is working with government entities to provide protection to US citizens on election day as well as threat and attack detection and notification services for Office 365 and Hotmail accounts through AccountGuard.

Synack’s free offering to states complements the threat detection services offered by Cloudflare and Microsoft by delivering valuable human intelligence on vulnerabilities found in voter registration systems. States can use this hacker-powered intelligence to determine how secure or vulnerable their registration sites look to an adversary, how thoroughly their assets have been tested, the impact/criticality of findings, and how to prioritize action. Synack’s Secure the Election campaign offers free crowdsourced security testing to states on their voter registration systems. We surface vulnerabilities through our crowd of top ethical hackers, enabled by a proprietary AI/ML-powered scanner. In addition, through our customer portal, states can view in real time the number, type, and severity level of their vulnerabilities and whether they’ve been remediated, and can even receive an Attacker Resistance score that gives them a measurement of how hardened their assets are against attacks. The future of third-party testing delivers real-time security intelligence.

As Jay Kaplan, Synack CEO & Co-Founder, stated during our briefing, “States are having a really difficult time figuring out what their vulnerabilities are. DHS is helping to scan, but scanning is just not enough.” What states really need is the intelligence and insights that only human security experts can provide. So far, Synack has made significant progress working with 10 states to get a hacker-powered perspective on their security. We’ve also hosted state and local government events for training and to facilitate information sharing. We held one of these events with Rita Gass, California’s CIO for the Secretary of State’s Office, at the Black Hat conference this summer, one of the largest security conferences in the world.

At Synack, we are committed to securing the American Way and helping states to address their vulnerabilities, which is why we announced a renewal of our 550k pro-bono commitment to >$1 million total through the 2020 Presidential election.

With these funds, we’d like to:

  1. Continue to build momentum by working with additional states and conducting crowdsourced third-party testing of elections infrastructure.
  2. Organize and lead an industry coalition around election security. This open meeting with Microsoft and Cloudflare, leading tech companies who are also offering pro-bono election security services, is a great first step.
  3. Continue to work with DHS and Chris Krebs even after our event on October 16th to help scale DHS’ efforts to identify threats and share intelligence.

Get an inside perspective on the “Security & Democracy” event from Washington insiders Allie Brandenburger, CEO of TheBridge, and Matt Rhoades, Managing Director of the Cybersecurity and Technology Program at the Aspen Institute.

Matt Rhoades

Matt is the Managing Director of the Cybersecurity and Technology Program at the Aspen Institute. He oversees the work of the Cyber Strategy Group, which includes industry executives, government officials, academics, journalists and others in the cybersecurity realm. Prior to that, he served in the Obama administration as Director for Legislative Affairs on the National Security Council staff. He also served at the Department of Defense as Chief, Policy in the Office of the Assistant Secretary of Defense for Legislative Affairs.

Allie Brandenburger

Allie is the Co-founder & CEO of TheBridge. She has worked with some of the most innovative tech companies including SpaceX, Uber and Google, and has extensive strategic communications and external affairs experience. Allie helped start and advised the Retail Cyber Intelligence Sharing Center, the Retail ISAC, before focusing on TheBridge full time. She was deputy communications director on Jeb Bush’s 2016 presidential campaign, and worked on Romney’s 2012 presidential race and Meg Whitman’s run for CA Governor. Allie knows Capitol Hill, having been communications director for Congressman Jeff Denham (CA), and understands issue advocacy, having worked at political committees and trade associations on cybersecurity, data privacy and e-commerce issues.