One year ago, Cloudflare launched the Athenian Project to provide free Enterprise-level service to election and voter registration websites run by state and local governments in the United States. Through this project, we have helped over 100 entities in 24 states protect their websites from denial of service attacks, SQL injection, and other malicious efforts aimed at undermining the integrity of their elections. With the end of the year approaching, and the November 6th US midterm elections behind us, we wanted to look back at the project and what we have learned as we move towards 2020.
US Midterm Election Day
The morning of November 6th was full of anticipation for the Athenian Project team with the policy, engineering and support teams ready as polls opened in the East. Early in the day, we were notified by our partner at the CDT that some elections websites were experiencing downtime. Mobilizing to help these groups, we reached out to the website administrators and, through the course of the day, on-boarded over 30 new county-level websites to the Athenian Project and helped them manage the unpredictably large amounts of legitimate traffic.
This last-minute effort would not have been possible without the help of the CDT and all of the other organizations working to maintain election integrity. Each organization brings their own strengths, and it took everyone working together, as well as preparation and diligence on the part of election officials, to make election day a success.
Civic Engagement Online
In looking at the aggregated election day data, the biggest story is one of engagement. In the month leading up to the November election, voter registration and election websites on the Athenian Project received nearly three times the number of requests as in September or any other month preceding it. Athenian Project websites received more requests in just the first seven days of November than in any other month except October.
When we first started the Athenian Project, we expected denial of service and other attacks to be the driving concern. However, we soon found that many state and local election websites experience large fluctuations in legitimate traffic on election day, especially in the event of a contested election, and appreciated having a CDN to help manage these events. As can be seen below, traffic levels, already higher than usual on election day, at times suddenly spiked to four times above the day’s average for certain websites.
Keeping a Lookout for Bad Actors
We are happy to report that we didn’t see any evidence of a coordinated set of attacks across the election websites on our service. There were, however, a variety of attacks stopped by rules within our Web Application Firewall (WAF). The prevented attacks included scans by malicious bots impersonating helpful bots. These scans enable malicious actors to check for vulnerabilities to exploit, and were stopped using fake user-agent rules which can identify the malicious bot’s attempt to spoof its identity. The WAF also stopped a variety of cross-site scripting attempts, forced login attempts, and SQL injection attacks aimed at gaining access to databases. The attacks appear to have been Internet-wide attacks targeting specific known vulnerabilities rather than election website specific attacks. This finding re-enforces our belief that improving cybersecurity is vital for everyone on the Internet every day, not just in response to large events.
Where We’re Going in 2019
Moving forward, we are hoping to continue improving the reach of the project. One year is a relatively short time, especially when considering code freezes around both the primaries and general elections, and we hope to continue education efforts and on-boardings in advance of the 2020 elections. One item we noticed was that, despite making it easy to obtain SSL certificates and use TLS on Cloudflare, not all of the requests to Athenian Project websites are encrypted. This happens either as a result of misconfiguration, or because Universal SSL has been disabled for the site and no non-Cloudflare certificates have been uploaded. As a result, we will strive to do a better job of encouraging SSL adoption and educating website administrators about the importance of encryption.
We would like to thank election officials and administrators across the country for their hard work in maintaining the integrity of our midterm elections. Election cybersecurity was not a story, and that is a testament to the commitment of these individuals.
With the midterm elections over, the Cloudflare Athenian Project team is setting our sights on 2020 and any special elections which may come before then as well as looking at opportunities to expand the Athenian Project into new areas. If you run a state or local election website and are interested in the Athenian Project, feel free to reach out through our web form at cloudflare.com/athenian.