John R. Ashcroft, Missouri Secretary of State (SOS), is the chief elections official in Missouri and is responsible for administering elections in the state. The Office of the SOS manages the Missouri Centralized Voter Registration System (MCVR) which is used by all 116 Local Election Authorities (LEA) and is at the forefront of safeguarding the integrity of Missouri elections. The SOS plays a crucial role in providing support to the LEAs, if requested, with an election security best practices guide, security assessments, and continuity of operation plan creation. In 2020, before the November 3rd general election, the SOS accepted more than 318,000 online voter registration submissions. These submissions include new registrations, address changes, and name changes which are processed by LEA offices.
Stacy Mahaney, Chief Information Officer, and Willis Doss, Deputy Chief Information Officer, are responsible for the security and defense of the many SOS websites/applications and MCVR. In the days leading up to election night, the Missouri SOS was responsible for monitoring and assessing potential threats. This responsibility includes sharing and coordinating responses to threat information with federal, state, and local officials in Missouri.
The Missouri SOS joined the Athenian Project in 2018, onboarding only an archive site of past election results initially. After seeing the benefits of this collaboration along with reviewing guidance provided by the Cybersecurity and Infrastructure Security Agency, Mahaney and Doss onboarded additional sites. Familiarity with Cloudflare’s Enterprise services and excellent support made this change leading up to the 2020 U.S. elections a reality.
“The idea of our election websites being inaccessible due to a distributed denial of service (DDoS) attack was a concern for us, especially in the election space where trust and access to authoritative voting information is crucial,” said Mahaney. “There is only so much you can plan and test in terms of preparedness on the security side and after implementing Cloudflare and many other security precautions, we felt confident we had a security platform in place where we could adjust and respond to threats and high demand in real-time.”
For the 2020 U.S. elections, the Missouri Secretary of State’s cyber security team worked with a variety of federal government agencies such as the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) along with the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). The SOS cyber security team has many state partners including the Office of Administration’s Information Technology Services Division and the Department of Public Safety which includes the Missouri Information Analysis Center (MIAC), and the St. Louis and Kansas City Fusion Centers to aid in securing and ensuring that the election related sites remain accessible. The public looks to election officials as the trusted source for information and finalizing election results. With this in mind, Mahaney and Doss were better prepared for the unexpected. “Our team and cybersecurity capabilities grow during each election, so we have to train the staff on the new technology our agency uses to secure our processes as we expand,” said Mahaney. “Cloudflare solutions are user-friendly and easy to deploy, which allowed us to onboard domains quickly and train our staff on the ins and outs of the Cloudflare security suite.”
Prior to Cloudflare, Mahaney and Doss in the case of an emergency often had limited or delayed access to their security tools and consoles. During election week, many government agencies provided state and local government’s threat briefings and intelligence related to threats and ways to mitigate in real-time on election night. “In the past, we worked with a variety of vendors and, at times, did not have direct access to our security tools to make immediate changes,” said Doss. “To put everything under one umbrella, we had the ability to monitor and quickly change or address pertinent issues during this election cycle.”
The Web Application Firewall (WAF) analytics gave the Missouri SOS team visibility into security threats and granular control to quickly deploy custom WAF rules to mitigate new threats aimed at their election resources. Mahaney says, “The ease of use with Cloudflare, especially the ability to deploy a web application firewall rule in 30 seconds allowed us to adapt and quickly respond.” In addition to the Cloudflare WAF, the Missouri SOS cached their website heavily on Cloudflare’s network, which reduced the bandwidth usage and load on their servers substantially. During the weeks before the election, Mahaney detailed the spikes in traffic primarily accessing the voter registration lookup and voter outreach portal, which provide polling places and sample ballots for review. “We saw four times the amount of network traffic to the Missouri SOS site on election night,” said Mahaney.
When looking at security for state and local governments, Mahaney and Doss note that LEA offices that provide voting information might not always have the resources or expertise to know how to block threats in real-time or expand network or server capacity in the event of high volumes of unexpected network traffic. The addition of tools such as Cloudflare and the Athenian Project could be a quick way for them to add this level of defense. “Security is like an onion. Every layer of security that you add protects against various layers of attack or exposure,” said Mahaney. “We were able to add layers to our security defenses with Cloudflare. The more layers you add, the more difficult it is for attackers to succeed in making voters question the trust of the democratic process that we work to protect every day.”