Why security company Cloudflare is protecting U.S. election sites for free

The San Francisco company is shielding election agencies in red and blue states and localities from attacks, like denial of service, meant to sow mayhem.

Why security company Cloudflare is protecting U.S. election sites for free
[Photo: lisafx/iStock]

Whatever President Trump says or un-says, it’s clear that election authorities in the U.S. and around the world have faced and will continue to face an onslaught of hacking attacks. While it’s unclear if hackers have been able to actually manipulate vote tallies, anyone from a Russian agent to a “400-pound” hacker sitting on his bed can easily seed mayhem and doubt by knocking voter registration sites offline or posting forged announcements of election results.


Now San Francisco-based cloud security provider Cloudflare is offering a free service, called the Athenian Project, to any U.S. election authority for the 2018 polls. About 70 agencies, including 10 state election authorities as well as county- and city- level bodies have signed up, the company announced today. (If other companies are also providing pro-bono election security services, please let me know!) Cloudflare CEO Matthew Prince acknowledges that these are just a “drop in the bucket” out of the over 8,500 election authorities in the US, and he said that any other ones are welcome to join.

Takers include the states of Alabama, Hawaii, Idaho, North Carolina, and Rhode Island; the City and County of San Francisco, and Pickens County, South Carolina. (Not all authorities want to reveal their participation, preferring “security through obscurity,” says Prince.) Before today, only Alabama had revealed its participation in the Athenian Project, which launched with little fanfare in December 2017. The state used Cloudflare in the December senate race in which Democrat Doug Jones narrowly beat Republican Roy Moore.

Prince claims that the protection that the Athenian Project provides is worth “millions of dollars per year,” based on what it charges business clients for full enterprise protection. But he adds: “We’re not seeing this as how we can claim a tax write-off.”

Trying to stop mayhem

Prince cautions that Cloudflare can’t protect everything. “What we are good at is anything internet-facing that helps support the election . . . the site that you would go to register to vote; the site you would go to, to find out where your polling place is; the infrastructure that various polling places would use to report back the vote counts,” he says.

“We’re not the right solution to help secure your electronic voting machines,” he says. “I think that the thing that the more aware states earlier on saw was that there was a lot more to elections than just [voting machines].”


Related: Here’s How To Plug One Of The Biggest Privacy Holes In The Internet

Cloudflare–and competitors like Amazon Web Services, Akamai, and Incapsula–form a barrier between clients and the internet, absorbing hacking attempts. One example is denial of service–a flood of traffic that overwhelms and crashes servers. Cloudflare can also, for instance, shield outdated or unpatched software from attacks that take advantage of known vulnerabilities, says Prince.

Election hacks aren’t “about making sure candidate A wins and Candidate B loses,” says Prince. “This is about subverting the process so that whoever wins has a harder time governing.” An example, he says, would be a close election for which the voter registration site had been knocked offline. If more people had been able to register and vote, would the results have been different?

More than PR?

The Athenian Project may be good PR for Cloudflare, but there’s reason to believe that motives go deeper. It was conceived together with the Center for Democracy & Technology (CDT), a non-profit advocate for online privacy and free expression. (Funders range the political spectrum, from conservatives’ bête noire George Soros to liberals’ persona non grata Charles Koch.)

Cloudflare and CDT have also worked since 2014 on Project Galileo, which provides free protection to threatened political or artistic parties, such as LGBT groups in the Middle East or African journalists reporting on corruption.


Related: Cloudflare’s Matthew Prince Explains Why It Was So Hard To Dump The Daily Stormer

Cloudflare has provided paid support to election campaigns in other countries, like both major parties in the 2012 Mexican presidential race. (If one is especially small, it may qualify for free service.)

“We had 16 of the 17 major presidential candidates, ranging the political spectrum from Bernie Sanders to Donald Trump,” says Prince. “Everyone except Hilary Clinton, somewhat ironically.” Neither the Democratic not Republican national committees use the Cloudflare, either.

Could Cloudflare have stopped Russian hacking of the Clinton campaign? “I think some of the database security stuff we might have helped with,” he says. “Email spear-phishing, I don’t know if we would have helped with.” That attack, which infiltrated the Clinton campaign, uses bogus emails that appear to come from a trusted source, like a coworker, to request sensitive information or direct someone to a malicious website.

Prince says he doesn’t have definitive evidence about election hacking by Russia or other countries. Cloudflare can spot the source that launches an attack, but these are typically hacked servers or networks of computers directed by attackers somewhere else.


However, attacks have “signatures” that might show up in multiple attacks, such as those sets of compromised machines, or lists of usernames and passwords that hackers fire at a login page in hopes of getting a match.

“As we’re seeing information coming out in the [special counsel Robert] Mueller report, we’re going back through our information and [asking], ‘Are we seeing anything similar?” for any Cloudflare clients, says Prince. “And we’ve seen evidence of similar attempts of attack that have been launched against individuals and infrastructure that we’ve helped protect.”

Correction: A previous version of this article referred to the “2014 Mexican presidential race.” It was the 2012 race.

About the author

Sean Captain is a Bay Area technology, science, and policy journalist. Follow him on Twitter @seancaptain.