Cloudflare is one of the world’s largest networks. Today, businesses, nonprofits, bloggers, and anyone with an Internet presence uses our network to make their websites, apps, and anything connected to the Internet fast and secure. More than 26 million Internet properties are on Cloudflare, and our network is growing by tens of thousands each day. Cloudflare powers Internet requests for ~10% of the Fortune 1,000 for more than 1 billion unique IP addresses per day.
In September 2017, the U.S. Department of Homeland Security informed 21 states that their voter registration files or public election websites had been the target of cyber attacks.
Among their many responsibilities, state and local officials are often responsible for election websites, which are increasingly the primary source of critical voter information, such as where to vote, how to vote, and who is running for office. Just like every other Internet property, election websites need to be fast, they need to be reliable, they need to be secure. Yet, scarce budgets too often prevent governments from getting the right resources to prevent attacks and stay online.
Project Athenian offers Cloudflare’s Enterprise level of protection to state and local election websites for free. As part of this project, we are introducing this Interactive Guide to Protecting Your Election Website so that you are aware of the vulnerabilities and how Project Athenian protects you from them.
Taking the steps included in this guide helps us all ensure that the Internet remains a vital resource for elections.
They provide crucial information to people before, during, and after elections. Election websites can also be targets of attack and can face vulnerabilities due to peaks in traffic.
Here are just some of the ways that ways that vulnerabilities can interfere with a smooth democratic election:
Security and performance vulnerabilities can cause these sites to become unavailable or to spread false information about how to register to vote and the specific state and local measures that will be on the ballot.
Security and performance vulnerabilities can prevent citizens who visit election websites from accessing important information about where and when to vote.
Security and performance vulnerabilities can interfere with people who visit election websites after an election to see the results and get real-time updates.
Bad actors can target election websites with denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks that target websites and network infrastructure. These attacks overwhelm available resources, often utilizing application layer (layer 7) attacks.
The first step in protecting against a DDoS attack is to ensure that multiple layers of security controls are able to protect your network. Example controls include utilizing a web application firewall or IP reputation database.
A CDN provider will have insights into global traffic that would be impossible for individual websites to maintain. This knowledge is often fed into security actions. For example, Cloudflare employs a program called Gatebot, which automatically blocks bad traffic at the edge, preventing this traffic from reaching your origin.
DNS, short for Domain Name System, is the phone book for the Internet. It associates an IP address with a corresponding URL address. Nearly every action you take on the Internet starts with a DNS request. For example, when you type ‘google.com’ into a web browser, DNS is the system that finds the numerical IP address behind the letters. Cloudflare can help protect DNS because our authoritative DNS servers run on the same 35 Tbps network which protects more than million Internet properties from DDoS attacks.
Election websites can be vulnerable to security breaches like SQL injection attacks, cross-site scripting, and cross-site forgery requests, which can lead to the theft of data, including voter data.
Structured Query Language (SQL) Injection is a code injection technique used to modify or retrieve data from SQL databases. By inserting specialized SQL statements into an entry field, an attacker is able to execute commands that allow for the retrieval of data from the database.
Cloudflare develops automatic rules for our WAF based on intelligence we gather from our global network.
Protecting your website starts with strong encryption practices. Secure Sockets Layer, or SSL, is the first widely-adopted web encryption protocol. The latest protocol is called TLS, short for Transport Security Layer. Because data on the Internet is transferred across many locations, it is possible for bad actors to intercept packets of information as they move across the globe. By using a cryptographic protocol, like TLS, websites ensure that only the intended recipient is able to decode and read the information, and intermediaries are prevented from decoding the contents of the transferred data.
A Web Application Firewall (WAF) monitors, filters, and blocks HTTP traffic to a web application. Using a WAF protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests.
If DNS is the phone book of the Internet, DNSSEC is the Internet’s unspoofable caller ID. It guarantees a web application’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden ‘man-in-the-middle’ attacker which can go unnoticed by site visitors, increasing the risk of phishing, malware infections, and personal data usage.
Bad actors can create bots that interfere with election websites. The most common types of abuse include content scraping and account takeover, which can lead to increases in operational costs and data loss.
A Web Application Firewall (WAF) filters, monitors, and blocks HTTP traffic to and from a web application. Using a WAF protects your internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests.
IPs that perform malicious actions can be tracked with a global reputation system. An IP reputation database enables shared network intelligence and predictive security to identify and block abusive bots.
Oftentimes, election websites experience periods of high traffic, often referred to as network spikes. These spikes in traffic can overwhelm websites creating a poor user experience — at times, content on the website will slowly load; at other times, the content will not load at all.
Similarly, spikes in traffic can also lead to increased network infrastructure bills, due to higher network and server utilization. Using a CDN and caching will help offload resources from your server at all times, optimizing your website's resources and reducing the burden of spikes in traffic.
Reliable DNS providers like Cloudflare use vast networks of servers to ensure that your content is always reachable and decreases delays in resolving your DNS.
Cloudflare is an Anycast CDN which quickly routes incoming traffic to the nearest data center with the capacity to process the request efficiently, handling surges in web traffic due to voter registration deadlines and election result updates.
Oftentimes, election websites are looking to serve web traffic to countries in which the visitor is not a constituent. Being able to block specific countries frees up resources and prevents malicious attacks.
Serving static assets from a CDN provider will significantly offload resource load from your origin. This will allow for more processing power from your servers, especially during peak times, during the election or when results are published.
It’s important to monitor how your election website is performing. With Project Athenian, you have access to Cloudflare’s analytics platform, giving you full insight into performance, availability, and security of your election website.
You now have the fundamentals of election website vulnerabilities and the steps you can take to make them secure and reliable.
If you run a state or local election website in the United States, we encourage you to apply. Project Athenian is for websites that administer elections. This includes sites that provide information related to voting and polling places, voter data, including voter registration or verification, or the reporting of election results.
If you feel that your website could benefit from Project Athenian, reach out to us at Cloudflare and we can walk you through signing up your webpage and upgrading your service to Enterprise level.