🌐 Expanding Cloudflare’s Protection of Elections Globally: Partnership with The International Foundation for Electoral Systems

Okay, perfect. We are live. Awesome. Hi, everybody. My name is Jocelyn Woolbright. I am on the public policy team here at Cloudflare, and I am super excited to have Stephen from the International Foundation of Electoral Systems, and he's the Senior Global Election Technology and Cybersecurity Advisor at IFAS. And we're going to be talking about all things election security and also talking about our partnership to kind of extend our election packages to many different types of bodies around the world. So Stephen, I'm really happy that you are here to chat with me because you are really an expert in election security, but also how election management bodies work. So do you mind doing a quick introduction of yourself and kind of a little bit of a background on how you ended up at IFAS? Yeah, thanks. Thanks, Jocelyn. Certainly love being a part of Cloudflare's Impact Week and, you know, Stephen Boyce, IFAS's Senior Global Advisor, as you just mentioned, and, you know, kind of that's a mouthful, but it's a very important job in working with electoral management bodies and civil society to provide them with, you know, access to technology and experts in securing, I'd say, the whole of society. So not just the organizations that they're a part of and their respective countries, but also in their personal life and at home. So how I ended up at IFAS is kind of my journey, if you will, to IFAS started really in a really great internship that I had at the U.S. State Department during undergrad, where I was working domestically and internationally with other countries on figuring out a way that the United States could leverage its diplomatic ties in order to assist and aid other countries and thinking about kind of the future where we're at now, the work that we're doing today and how can tech companies, how can civil society work with other countries on various different topics and elections being one of them. So as a part of my journey, I spent some time with the Department of Justice, working on forensics and cybersecurity, but also always had that international component, whether it was assisting foreign governments, law enforcement agencies with their investigations on behalf of the United States. And so that international piece, again, rooted from my time at the State Department has been a part of my journey thus far. All good things come to an end in my federal career. I shifted over to the private sector to work in consulting and lead investigations on a global scale, internationally as well, for all the various different types of cyber attacks that are going on right now. So when you think about that, ransomware investigations and working with organizations that have been victims of distributed denial of service attacks. And so as a part of that, many times I was engaged by a client and they said, well, what do we do? We can't access anything. No one can access our systems. And the first thing I would do is say, call Cloudflare. And so here we are today talking about election cybersecurity and the importance of Cloudflare and the work that you and I have done in conjunction with our colleagues in assisting governments as they are undertaking their elections. Yeah, it's great that you bring up a lot of those points, especially the domestic side of it. And it's interesting because whenever we started the Athenian project, so that's our project where we provide free services to state and local governments in the United States. We've had that project since 2017. And many people would ask us, oh, why don't you extend these cybersecurity protections to other election entities around the world? You have to realize that election security isn't only a U.S.-specific issue. And one of the things that I think us on the policy team were like, how do we, a Cloudflare, a U.S.-based company, how do we provide a free set of upgraded services to foreign election companies, foreign election entities? It's a really interesting kind of conundrum to try to figure out like, can we provide free services? And the intent is always to make sure that these election entities have the security that they need against these really large-scale attacks. So it's interesting because like kind of thinking back to it, whenever we would have these conversations internally and we would have different election bodies come to us, they would be like, hey, like we'd love to use these types of services. We've had these, we've been taken down by Adidas attacks. We've seen ransomware attacks. Can we please use these services? We're like, we're not really sure. But every time we talked to kind of our civil society partners under Galileo, they always brought up IFAS. And they were like, you need to talk to IFAS. They are the experts when it comes to technology and also assisting election management bodies. So I feel like we always have this conversation of like, hey, like we had this entity come to us, like what, like what, who do you have on the ground, Steven? Like, who do you know there? What, what does the situation look like? Because it can be, it can be messy. And also like the regulatory environment is really challenging. Very, very. And, and, and you bring up a good point because like, you know, before I joined IFAS, I certainly knew that the United States, specifically civil society, had a role in global elections. And when I came, you know, and learned about IFAS and the work that they've been doing historically in building capacity around the world, assisting election, electoral management bodies or EMBs and working with various different entities within, you know, a foreign government and kind of being that bridge between, you know, the government tech and bringing that whole of society approach. I was really, really excited about this position. And, and, you know, it's funny because IFAS is in about 33 countries, probably in counting, whether it's, it's boots on the ground or it's through our various different partners. And, you know, as the international foundation for electoral systems, one will think, Oh, well, IFAS just deals with elections. But, but as you, you know, and as I think other people are starting to realize, it includes working with, with folks like academia, right? And so IFAS has had a long history in partnering with various different organizations, whether it's academic institutions, whether it's women's rights groups, whether it's LGBTQ plus community, you name it. We have worked in very various different capacities and election technology and cybersecurity is integral into all the different areas of which we've worked in and continue to work and expand in. And so when you, when you, when you think about, you know, the boots on the ground and the people, we're set up very much so kind of like a diplomatic arm, if you will, in that we have a country director for many of the countries that we work in or a regional director that may be based in the region. And what you'll find is that they will have a team of, you know, locally employed staff, if you will, as in mixed with some international staff that are working hand in hand with the electoral commissions and electoral management bodies to, you know, focus on and improve democracy at its core. Right. So that is, that is kind of IFAS in a nutshell. And like I said, so many different countries and new countries coming online just about, you know, every month, you know, as we look to expand and build and promote free and fair elections and democracy around the world. Yeah, it's interesting. You bring up the different kind of players, like, for example, LGBTQ, there's civil society, but there's also like the journalists on the ground that are reporting about different election results. And I've always, I always think that there's, there's so many different types of technologies. And each of these groups are all different in terms of their capacity. So like an election management body is going to look very different than like a media organization and the tools that they need to be able to keep themselves secure online, but also in in real life. So I'm curious, like, what do you think some of the challenges that you've seen, at least you've seen, but also some of the people on the ground for IFAS, specifically when it comes to technology in the voting space, but also providing these types of tools to many different players in the election space. Yeah, yeah, no, I think a lot of the challenges, you know, range from, you know, you can start about the legal, the legal aspect, right, where, where the laws, and the frameworks and policies in place in certain countries, unfortunately, don't support kind of where technology has gone, where society has gone. And I think that's a, that's a global problem. I don't think there's any country in the world, whose laws and legislation has kept up with the times, especially when it comes to technology. And so it's, it's, it's really working with them within their frameworks within their laws, in order to figure out how we can, you know, assist them how they can can incorporate some of these newer technologies. And certainly from from from boots on the ground, right, you know, we're thinking about procurement, and we're thinking about their supply chain, right. And so, in certain parts of the world, there's no Best Buy, there's no CGW, where they can just or Amazon, for instance, where they can just go and purchase a new server and be up and running, they they have to depend on, you know, whether it's other countries, whether it's, you know, resellers, in those countries, and from an infrastructure standpoint, the biggest thing that we've found, in working with our partners on the ground is the support, the human support, and expertise locally, there may be, hey, we really want to upgrade to this new system, we really want to incorporate this new technology, right, like a CDN. And they are like, we've heard all about it. We heard about Cloudflare and IPHAS, you guys do a really good job. But we have no one that understands that capacity of how to implement how to maintain these systems, which has been really important as we've worked with you guys, at deploying the various different services in that, from a technical expertise perspective, we've really been able to work with non technical folks in order to leverage the services that Cloudflare provides. It's interesting, I always think about whenever I think we talk about this a lot, it's, it's difficult, especially when you have a technology that's something like Cloudflare, that's like, really easy to get started with. And it's really easy to use. But it can be really scary looking at it beforehand. And like, oh, I have to change my authoritative DNS, like, wait, I don't know if I want to do that yet, or like want to make sure that I have all of the right kind of security recommendations in place. Like, it can be really, it can be a lot to take in. And I think what I think that we we do this really well, is like trying to take very complex types of technologies, and simplify it so that it can be understandable to a huge group to a huge type of audience. So I think it's, it's a really interesting kind of like balancing act that you have to play. But it's also a very, you know, rewarding one, especially if you have an organization that really wants to use specific type of technology to make sure that their elections, you know, their website is staying up, they're posting election results, those aren't taken down, or they are defaced in some type of way. But I'm curious as what you think the most like popular technologies are that you've seen in the voting space, or like the political organizing space? Like, what are some of the most popular kind of technologies that you've that you've seen? Yeah, I think, certainly, even in the in the pre COVID days, but certainly post COVID, we're seeing a lot, you know, the digital transformation, if you will. And so, whether it's political parties, whether it's electoral management bodies, a lot of them are moving toward cloud based email, right cloud based hosting, when it comes to the way in which they run their business and or their organization. And in this, you know, we certainly will see that, you know, as they migrate to the cloud and embark on their digital transformation, we'll see the need for, hey, well, how do we really do this, we were kind of used to for the last 20 years, managing this email server, managing this locally, we had local servers, now we have people dispersed throughout, whether it's the country, whether in a political, you know, when it comes to political parties, they're doing events like we're doing right now, virtual events, right, virtual events are huge, right. And so just about every electoral management body, political party, and civil society is leveraging, you know, video conferencing software. And so from a technology standpoint, everyone is really interested in that. Certainly, you know, when you think about social media, as well, right, engaging, how do you engage with the public, to get the word out to tell them about great events, like what we're doing right now, you engage with them on social media. And so, you know, really see electoral management bodies trying to get really interested in that, you know, that really uncovers things like campaign financing and advertising, right, via technology and via social media, and figuring out how to best leverage that, but also thinking about kind of the risks that these technologies pose as well. And so, and kind of one last piece, if you will, certainly this, you know, moving target, if you will, from a technology standpoint is leveraging, you know, various cloud platforms, to host and post results, right. And so from a results transmission, we're seeing some electoral management bodies move towards displaying and posting results on websites, and wanting to leverage cloud resources for that purpose. And so we're seeing the really true digital transformation going on in the electoral space, and being leveraged by everybody differently to achieve the same goals, ultimately trying to protect the integrity, but maintain availability of that data. And this is, again, where Cloudflare comes in on that availability piece as a part of this electoral digital transformation. And it's interesting, one of the kind of when I was learning about election security, and really there's so many different parts of it. So people typically think about, you know, a voting machine of some sort, like making sure that is secure. But it's also like making sure that the website that has that, you know, if you're registering to vote, and the website goes down, right at the like last minute to register, like, a lot of people might assume that, oh, you know, the website was taken down by some foreign actor that wants to, you know, wants to build mistrust in the electoral system. Or, for example, on election night, if the results page is defaced in some type of way, or just taken down, it kind of beats down that credibility factor. And I think we could both agree probably the most important part of elections is building trust. So how do you think that plays a role in when you work with election management bodies, there has to be a certain type of trust that you have with them that the technologies companies have with them? How do you kind of create this, this trust between organizations and also tech companies? Yeah, no, and you brought it up as, as you were mentioning, really, when Cloudflare internally was like, how do we do this? Like, are they going to trust us? And you know, a lot of the questions that that certainly, you guys were asking yourself, we we've done and continue to do and ask those questions. And one of the things that we've done is leverage relationships that we've built on the ground since IFAS, you know, was IFAS, right. And, and they come back to relationships and really understanding, hey, listen, we're, we're, you know, here to help and assist. However, they take time, right. And so me and my role is, as I joined in December, I've had to leverage existing relationships that many of my colleagues spread throughout the world and locally have built with whether it's the electoral commissions, whether it's other government entities within that country, whether it's civil society, and the partnerships like Cloudflare and IFAS is another way in which we build trust, right? We understand, you know, existing relationships and understand how that we can best assist and build upon those relationships. But, but as I'm sure we all agree, they take time. And so, although there is, you know, a lot of elections that we've assisted with this past year, there were a lot of things that we would have loved to have done more of, right. But we built that trust, we've, we've kind of done a crawl, walk, run approach where we're saying, hey, hey, you know, we can assist you and help you when you're looking at risk, when you're looking at emerging technologies, we can advise you on the various different technologies out there. And the thing about that is, is we are vendor agnostic. And we look at, hey, what are the technologies that are available in society? And how can they how can you leverage them in order to, you know, build that trust, not only internally, but with your whether it's your constituents, whether it's your, your, your population, whether it's within your organization, and especially for elections, that trust building and confidence building piece is, is really at its core, you can take away the technology, you can take away cybersecurity. And at its core, that is that is what IFAS does, and the importance of that globally. And thinking about the trust factor, I feel like that also kind of goes into how you assess risks for new and emerging technologies. So do you mind kind of talking about in your process, and you definitely don't have to name specific countries that you've been working with. But how do you assess specific risk? And do you have any examples that you've been that you've been working on and trying to kind of piece together on what that looks like for an election management body? Yeah, yeah, no, we IFAS before I joined my colleagues in our Center for Applied Research and Learning had developed what is known as the heat methodology, which incorporated kind of best practices from around the world, as it relates to assessing risk, right. And so when you think about, okay, well, there's the the ISO standards, so ISO 27,000 series, or 27 ,000 series, if you will, you have the Center for Internet Security or the CIS controls. So incorporating that into our, our heat methodology, as well as the great work that NIST has been doing, and NISA in Europe, and Canada and Australia, and bringing these best practices, frameworks and policies into a holistic methodology in order to assess risk. And when we come in, and we perform our risk assessment using these various different standards and policies around the world, risk looks different to every organization, to every country. And again, goes back to a lot of the legal frameworks that are in place. And so when you think about emerging technologies, you know, when we look at biometric voter registration, we look at things when people are really, you know, excited about blockchain, right, Internet voting, or e-voting, looking at giving an electoral management body, including civil society to look at, okay, what are the benefits of whatever we're getting ready to incorporate into our electoral process? And what are and what are the risks, and understanding the risk tolerance, right, of that specific entity, that specific political party, that specific electoral commission, or electoral management body, gives them a various different risk treatment processes and options to say, are we going to, how are we going to mitigate the risks of this, right, of connecting this system to the Internet, right, and let's talk about all the different things that, unfortunately, could go wrong, right, and looking at different ways in which we do that. But I think as a part of our process globally in assessing risk and assisting with that assessment of risk, from an emerging technology standpoint, a lot of countries and electoral management bodies have chosen to, again, use the crawl walk around approach, right, let's actually test this technology in a smaller election, right, whether it's a local precinct equivalent of a, you know, a state election. And we see this globally, right, we see Internet voting being utilized, you know, at scale, certainly for countries like Estonia, right. And it works because of the crawl walk around approach, they have taken the time to invest in the infrastructure and people in order to maintain that infrastructure from a security standpoint. And so certainly in COVID, we've seen other electoral management bodies get really interested in this concept of e-voting when a lot of people couldn't necessarily go to the polls for health reasons, and we're in a public health crisis globally. And so with this, we certainly have taken the stance that we advise electoral management bodies as they are embarking on these emerging technologies to really think through the security aspects of that, the security risks of these emerging technologies, and figure out a way that if this technology is going to, as you mentioned, we talked about the trust, if it's going to build and maintain trust, ensure that voter confidence, provide its necessary functions, whether it's improving efficiencies, speeding up, you know, results, tabulation, et cetera, that it's doing all these things, and that you are comfortable with the associated risk, right, and the various different risk treatment options that you may have in place. As a part of that process, we have found that, you know, folks have said, wow, this, we really wouldn't have thought about this, right, we wouldn't really have thought about, wow, that this, this system has Wi-Fi enabled, and there's no way that we can disable it, right, and so that's how we've been using our HEAT methodology, utilizing the best practices throughout the industry globally, in assessing risk for electoral management bodies and civil society. Yeah, and I think it's, it's interesting specifically with elections, because it's kind of like elections happen, you know, everywhere in the world, but it's specifically one day, or like a very short amount of time, so it's kind of like you have to have everything prepared, and the risk is so much higher, because it's in a very short period of time, and it's, it's always really interesting to, to figure out what, what that looks like, but I, I like the idea of taking industry standards, and being able to bring them to this environment, and kind of help election management bodies figure out, like, oh, you're interested in this, this technology, let's, you know, take this back, and figure out if this is right for you, what the risks are, and present these to you, to let that you know, like, this is what we're worried about, and providing that information really trans, transparently is, I think, really important. We have about four minutes left, and I want to ask you this question, because I think it's really important as we go forward, and everybody is kind of, I think, tired of talking about COVID, but I think in the election process, it's really interesting. We've seen, like, this huge shift in the United States during the 2020 election, and how there was, we had to figure out different protocols to do elections, this huge vote by mail push, but abroad, what do you think, kind of, the lasting impact of the pandemic is on the election process, and what do you think that looks like from your perspective? Yeah, the lasting impact, certainly, globally, from COVID-19 in the pandemic, you know, is, is certainly resounding, that we need to do more. We need to do more in figuring out a way, when it's, whether it's marginalized groups, whether it's, you know, folks that didn't have access to voting, and before, certainly with this pandemic, has certainly complicated things, and so throughout this pandemic, you know, I'd say the silver lining, though, is that a lot of electoral management bodies are thinking about their displaced groups, if you will, and disabled groups, and providing, using technology during the tech, during the pandemic, in order to provide them with access that they wouldn't have otherwise had. However, I did want to just, just add, you know, when you think about the pandemic, and you think about, especially elections, it, it has complicated things, as people, it's a new way of doing campaigning, it's a totally new way of malign actors, you know, they're not necessarily going to go out, you know, and knock on your door to say, you know, you know, you shouldn't vote for X, Y, Z, because of this, or providing information, they're utilizing technology, right, so when you think about mis and disinformation, coming out of the pandemic, as it relates to elections, you know, that threat will only continue, you know, and it certainly was amplified during the pandemic, as everyone was at home around the world, working remotely, and really, that's another thing, when you talk about the pandemic, I think people are going to be moving around the world, right, moving maybe from countries, and so electoral management bodies will have to think, okay, well, how do we allow our expats, whether before that was a small population of maybe military and diplomatic expats, now we have a larger, nomads, if you will, right, and they're all around the world, we still want to provide them with this capability of, you know, their right to vote, how do we do that efficiently, effectively, and most importantly, securely, right, and I think, you know, that is some of the impacts that the pandemic will have for elections in the future. So that means we definitely have our work cut out for us, Stephen, us and IFAS, and many of the other little society and tech companies out there. Yeah, we do. Yeah, we do. Well, great. We're coming up at the end of our session, but Stephen, I really thank you so much for coming on. I always, whenever we chat, I always learn more and more, and IFAS is such an organization that we're really excited to partner with, so thank you again for coming on Cloudflare TV. Thanks for having me, Jocelyn. Alrighty, have a great day.