🌐 Helping Secure Elections Around the World with IRI, NDI and The D4D Coalition
Presented by: Jocelyn Woolbright, Amy Studdart, Chris Doten
Originally aired on November 25, 2023 @ 11:00 PM - 11:30 PM EST
Election security and the integrity of foundational democratic institutions has been a growing concern around the world. In this Cloudflare TV segment, Jocelyn Woolbright will discuss with experts Amy Studdart from the International Republican Institute and Chris Doten from the National Democratic Institute on the online threats to a range of players in the election space and how Cloudflare is working with NDI, IRI and the D4D coalition to strengthen democratic institutions and increase civic participation.
Read the blog post:
Visit the Impact Week Hub for every announcement and CFTV episode — check back all week for more!
English
Impact Week
Transcript (Beta)
Hi everybody, my name is Jocelyn Woolbright and I am the program manager on Cloudflare's public policy team and I am very excited to be joined by Chris and Amy.
So Chris is the Chief Innovation Officer at NDI and Amy is the Senior Advisor for Digital Democracy at the International Republican Institute.
So I'm super excited to have these two guests join us.
I want to start with a little bit of background and then Chris and Amy and I are going to really go into the details about election security and kind of what we're offering under our new expansion project in our partnership.
So one of the reasons why we started the Athenian Project, which is a project in which we provide free services to state and local governments in the United States with a certain set of cyber security services to make sure that they can stay online during elections time but also secure all of their information, including voter registration, and make sure their site is reliable.
Whenever we started this project we had a ton of applications that were coming from outside of the United States and also from many different types of election actors.
So for example, we had journalist sites come to us looking for protection because they were posting election results or we had political parties, we had political campaigns, we had election management bodies come to us.
And as a U.S.
company, one of the things that we internally struggled with is trying to figure out how we extend these types of protections because election security is not only a U.S.-specific issue but it's happening all over the world and many countries are not able to have the capacity to withstand against these attacks.
So that's where we started collaborating with many of our Project Galileo partners.
So under Project Galileo we provide a free set of services to a range of actors on the Internet from human rights organizations to journalism and media sites to non-profit community building types of websites.
And Chris and Amy have been really amazing partners in this space under Project Galileo and since they worked in the election space in terms of supporting election management bodies but also a range of different actors in the election space, we turned to the experts to figure out how Cloudflare could provide this free set of services to a range of actors.
So let's talk about it. So Chris, do you want to go first and introduce yourself, give us a little bit of background about NDI and your role at the organization?
Sure, thanks. Thanks very much and it's great to be here. Cloudflare has been a wonderful partner for NDI.
So NDI, the National Democratic Institute, despite the name we work internationally in a non-partisan manner with a range of civic and political groups around the world to help build more open democratic societies.
And increasingly it's been a dangerous time out there. The digital world is a scary place and being able to partner with Cloudflare through Project Galileo has been extremely useful in helping keep a lot of our partners safe from various forms of hacking and DDoS attacks.
So at NDI we work a lot with political parties, with campaigns, and of course during the heat of an election environment it's one of the most difficult and dangerous times out there.
You don't have to look farther than right here in the United States to see some of the challenges that can happen based where political outcomes can change based on the results of hacking or other types of manipulation of that kind.
So we're delighted to find ways to try and keep our partners safer in this scary world.
So we work in about 60 countries around the world trying to help these groups keep themselves safe and stable.
My path to get to be at NDI has been also politically very involved.
I worked on U.S. domestic political campaigns for a number of years and so I've seen firsthand the challenges they face, the risks that they have to encounter, the necessity of being online to be effective these days, but then also the challenges of working on such a short -term basis for campaigns and elections worldwide.
You have a date that you have to make and everything is subsumed in the idea of trying to get to that date and win, which means that sometimes there's not a lot of time for cyber security and it's hard to make the efforts for that stuff.
So excited to see this new range of tools and capabilities help keep some folks a bit safer.
I'll go next.
So I'm Amy Studdart. IRI, the International Republican Institute, is the sister organization of NDI.
So I will spare you all a repeat of all of the stuff that Chris just said.
We do a lot of the same things. Our fundamental philosophy is really that political competition that is exercised with integrity gives people agency and freedom to control their own lives and so we want to go out there and support as many of those people as we can who are fighting to create as much political agency for as many people as possible.
The way that we see at IRI is really that the digital era has ushered in a whole bunch of opportunities for democratic advancement, but there's also a lot of new threats out there as well and so we think that the digital revolution has completely altered our mission, it's altered how we do our work, it's altered the services and the programs that all of our partners all over the world need and that they can also share with us so that we can share those things both domestically and globally.
So for us, we've seen this landscape change to have a whole range of digital threats that are coming up against actors and against people who haven't necessarily been technologically savvy in the first place.
They didn't go in to study computer science at university, they're not digital safety activists, they're political parties, they're candidates, they're folks who studied political science at university who came along a path that is much more about politics and democracy and governance more than it is about technology and so programs like this have really allowed us to give really easy access to help those folks guard against those threats in ways that are usable and deployable.
My path to this, so I grew up in a tiny little island called Grenada which was the recipient of a lot of U.S.
assistance.
A lot of that assistance was very well-meaning but not necessarily connected to the realities on the ground.
So you'd have a park that was funded by U .S.
taxpayer money that was built right next to an absolutely beautiful beach and so no one was using the park because they were sitting on the beach and exercising on the beach and sort of walking around Grenada and spending time with people there.
I realized that there was just this massive disconnect between decision making and the realities on the ground and so this marriage of sort of democracy and development really speaks to me because we can make better decisions, better informed decisions, use resources more effectively and generally give people a lot more agency in their own lives if we can figure out how to make those systems work.
And to me, you know, the Internet has been a real opportunity to be able to do that provided that we're able to actually guard against the threats.
It's interesting that you mentioned that because I think as we've all seen kind of COVID has really made circumstances very difficult in terms of cybersecurity.
A lot of these different election entities don't necessarily know what they should be doing online to keep themselves safe and typically cybersecurity is, you know, a second thought before because there's so many different things in terms of political participation that they're juggling.
So I'm curious as what you think the largest threat to these election entities are and what IRI has seen in terms of the threats to these entities and then I'll ask Chris the same question.
Yeah, you know, I think that the disinformation challenge which has gotten such a huge global profile everywhere has really started to alert election bodies and other actors that are engaged in elections of just how much these digital threats can undermine election integrity and fact-based political competition.
You know, we've started to see an emergence of DDoS attacks on political campaigns, hacks on political websites, political party websites, the Taiwan DPP, the Democratic People's Party which is the ruling party at the moment in 2018, their election site was hacked and a lot of data on members was compromised.
And so there's this sort of broad set of threats in which the information environment is undermined, political actors' safety is put at risk and their data is put at risk and election bodies don't really know how to deal with that.
There's not legal frameworks in place, there's not normative frameworks in place, let alone technical frameworks to mitigate against those threats.
And all of this is happening really, really quickly as well, right?
Like, and then elections add to sort of the scalability and the speed with which these threats are emerging.
When you add that into an election environment where election periods are really fraught, there's a lot to get done very, very quickly.
An election is a huge logistical exercise with a whole bunch of bodies that are stood up just for an election.
Creating a cybersecurity framework is really difficult within that kind of landscape.
And it's also hard to anticipate for folks who don't focus on this stuff all of the time.
And so I think that that's really sort of where we've been able to come in with Cloudflare and with others who work in this space is to say, hey guys, you might not know that this is going to be a problem, but this is something that we have been seeing happening in every other election that we've worked on and we also have a part of the solution set for you.
So here, let's go and fix this. So that your political competition can be fair.
And then Chris, I'm wondering if NDI has seen some of the same types of threats to election entities?
Sure. Yeah, no, Amy did a great job of summing that all up.
You know, whether it's a political campaign and political party or a civil society organization that's helping provide an independent monitoring, independent check on the integrity of an election, something that NDI collaborates a lot of groups on.
You know, trust is really critical and hacking can really, really undermine or destroy that trust and put people at risk.
So, you know, the idea that, you know, for example, we work a lot with these election observation entities and helping put their websites, their servers, their data collection systems behind, you know, Cloudflare's web application firewall through Project Galileo or through Thinian here and being able to help protect them against DDoS attacks.
So like the website isn't knocked offline during the most critical hours of a campaign or when they're trying to get a really key message about, you know, their findings on the integrity of the election out.
So elections, you know, more so than most human endeavors really rely on things happening at a certain time.
And so the bad guys don't need to, like, shut off the Internet forever.
They don't need to, you know, permanently hack and deface a website.
But if they can do it at the right time or get access to information early, then that can really, really disrupt things.
So, you know, and with the fact the campaigns are so busy, so the political parties are so harried and so ill-funded and, you know, not technically well-versed in this stuff, you know, for most political parties with which NDI works, you're lucky if you've got somebody who's technical enough to, like, know how to reboot the printer to get it working again.
So we need to be able to find ways that normal people who are focused on driving positive political change to keep themselves safe.
So, for example, the, you know, being able to use the web application firewall capabilities of, you know, Cloudflare's Internet shield then helps in case they're not able to get their content management system patched up right away.
The fact that a lot of those tags can be intercepted mid-flight provides a lot of additional assurance that the election information environment can be open and fair.
Yeah, one of your points that you made about the trust in elections, I think it's, a lot of people think there's so many different moving parts when it comes to election security.
So you have, for example, if you're securing a specific voting station of some sort, and then there's the public-facing side, so thinking about an election website that is hosted or a political campaign website where they're taking in donations to be able, or posting public, like, policy issues on their specific website, it's really important that that website isn't defaced or isn't taken down because that can build, you know, mistrust in the system.
So it's really important to have those types of information out there for the public.
So I'm curious, as there's so many different types of technology when it comes to elections, when it comes to civil society, so I'm curious how each of your organization goes about assessing different types of technologies to different election entities.
So, for example, there has to be a different, there has to be different ways that you engage with political parties versus state parties or civil society in assessing whether or not a specific product or a specific technology is good for them in terms of if they have the capabilities, if they have the knowledge of that specific product.
So I'm curious how you kind of grapple with these issues, and Amy, I'll start with you.
Thank you. I'll just absolutely underline the point that you and Chris made, which is not only do we have to secure the reality of elections, we also have to have the perception that we have secured the election in order to guarantee election integrity and faith in the outcome, and that's such an important point, and Cloudflare's been a really good partner on making that happen just because of the integrity with which the company operates.
You know, Jocelyn, your question is such a good one, and it's one that we struggle with at IRI all of the time.
You know, what an activist needs, what a single person that is going out on the streets and protesting or trying to bring about change in their own individual capacity needs in terms of digital safety is very different to what a three-person civil society organization that's sharing files but is, you know, very low capacity in terms of the resources that it has, which is then very different to a 50 -person organization, which is really different to a campaign that's been stood up for six months and suddenly has to get its whole infrastructure in place but is sharing sensitive information between itself with its party, you know, all over the place, which is, again, different to a political party, right, which exists permanently and has a membership database and lots of sensitive data, and then an election administration organization or an election management body that has a really strange time cycle that isn't like any other organization that cybersecurity products are developed for.
A government is, again, you know, governments have different pieces to them, and they all have different cybersecurity needs, and so added on top of that, when you're a global organization like an IRI or an NDI where you're trying to support all types of different actors that are fighting for democracy in various different contexts where Internet connectivity might be quite different, right, where some people in some contexts that we operate in, everyone's accessing everything from their smartphone, and in other contexts, there might be a mix of different types of devices, and then the threat landscape is very different, right, like in one space that we're operating in, the threat might be a very, very well-resourced adversarial nation-state, and in another space, it might be a hate group that's, you know, got a slightly anarchistic campaign or another nation-state that's trying to sort of sow chaos as opposed to having specific strategic objectives, not to mention a domestic government that's trying to undermine its own democratic political processes for various different reasons, and so the landscape is just very, very broad, and there's lots of need for specificity there because there's not a one-size-fits-all approach.
We've tended to start with the people that we're trying to serve first and the organization or the organization that we're trying to serve first and really assess what their needs are and also what their capabilities are and what the threat landscape looks like, because in addition to trying to give cybersecurity assistance to an organization, we're also trying to get them to focus on, you know, a whole bunch of other things, including procurement to reduce corruption and, you know, how to do proper advocacy campaigns, and so there's a whole lot there that we're trying to sort of share with people, and how we weigh cybersecurity within that is really specific to the threat environment.
You know, I think that one of the great things about Galileo has been that it's actually really quite straightforward, and you guys have made it as easy as possible, and then we're able to go in and help out, and then it's done in there, and there has to be some monitoring, but we make it as straightforward as possible, and so we're really trying with all of the different threat environments that we work with, with all of the different actors that we work with, we're really trying to make security as easy as possible as we can for as many as we can.
Yeah, I think it's a very specific type of skill that I think organizations like Cloudflare, NDI, and IRI have to play in being able to take really technical topics and really technical types of products, and being able to market it to organizations that might not have the technical ability, but they need these different types of products.
And Chris, I want to go to you because I actually want to know, are there any elections that you worked on that really stand out in terms of learning opportunities, and you don't have to specify in which specific countries, but I'm curious what that has been like, you know, personally for you.
Sure, thanks. Yeah, and I agree completely with all the statements were just made about trying to understand the risk environment.
Our colleagues at Internews and other major international NGO have a wonderful, if a little bit technically complicated, assessment toolkit which can help go do risk assessments for organizations that can help prioritize what's most important to focus on.
And for us with NDI, we have a cybersecurity for local parties and campaigns guide coming out in the next couple of weeks, so watch this space.
That's something that we've collaborated on, including with our colleagues from IRI, that's designed to provide sort of the fundamentals.
So you can never be perfect, but there is a challenge in the space that, for example, as awesome as Cloudflare's offerings are, they're not a silver bullet that solves all cybersecurity problems, and so we don't want people, for example, to get the idea that because they put their website behind Cloudflare, now everything is fine.
So trying to balance those risks is a real challenge.
So yeah, you know, I think there's lots of interesting stories, some of which are better told in person, but the, you know, I think one example I could draw upon, there was an election a couple years back in an East African country where there was an office raid, and so an independent election monitoring group had been documenting what had been taking place during the election process, and that was apparently seen as threatening to the incumbent government.
And so after the election, the office was raided, computers were taken, staff were just like college kids working to try and, you know, help build a better, more just society were, you know, taken away by the police.
But we had anticipated that a risk like that was possible, and so all the kind of the major data stores were not on the laptops, they were not in the data center, they were not in the office, they were off on web-based servers that were out of the reach of that government.
But that then creates a whole other set of risks, right? Now you've got, now the government can try and get at them in other ways, or other malicious hackers.
So those sorts of situations, it gives us a real sense of comfort to know that the sites are protected behind Cloudflare's shield, particularly if you're an election monitoring organization, you need to get that data in when it comes in so you're ready to know what actually took place, and a delay of hours can be fatal to your ambitions for trying to justify things, whether the election was or was not problematic.
So, you know, that sort of thing is, I think, an increasing risk, you know, we're seeing a rising tide of authoritarianism and sort of fluggish government actions around the world, and so moves to virtual space are in many ways necessary, but then bring with that a whole other set of risks.
Yeah, I think assessing risks, especially before an election is really key, because as Amy mentioned, elections are very quick, everybody's moving incredibly fast, and they might not necessarily be able to assess what that risk might look like, especially in the cybersecurity space.
So being able to plan out like, oh, we, our organization has seen this in this country, and taking those learning lessons and bringing it, you know, to a new country as you work and kind of assist these civil society and different political campaigns in the space is really, that knowledge is really valuable.
Amy, I'm curious if you have any kind of learning opportunities, stories that you'd like to share.
Sure. So, you know, the election that always sticks with me, or the elections, the series of elections that always stick with me are Taiwan in 2018 and 2020.
So Taiwan is really interesting, because it's a very technologically savvy country that has a clear threat actor, right, and we should absolutely have anticipated that there would be cybersecurity attacks on on the 2018 election, the 2018 local elections, and that there would have been information operations around the 2018 elections.
And in reality, we did not, we did not anticipate that the international community, I think probably didn't focus enough on it, but also Taiwan was taken by surprise.
And so between 2018, where we saw a lot of disinformation, you know, there was, there, we don't know how to attribute it, but there were a lot more cyber attacks on governments during 2018, on government agencies and political parties during 2018, in the lead up to the election than, you know, we'd ever seen before.
And a decrease in cyber attacks on economic entities within Taiwan as well, which we found to be quite interesting.
So between 2018, and then the 2020 presidential election, there was really a sort of coal of society effort to figure out, like, how can we strengthen our society against, and our election processes against this huge actor that is deploying every resource that it has to undermine our election integrity.
And there was just a rapid learning experience there.
And it was comprehensive, right? It was the election commission had to figure out what to do, all of the political parties had to figure out what to do, civil society, academic institutions that were also being hacked, had to figure out what to do.
And they all figured it out together. And, you know, I think that there was, there were a partnership with private companies, you know, there was a lot of attention on this within the national security community here in the US for obvious reasons.
So there was a lot of focus from, from US companies in particular to try and figure out what they could do to ensure sort of that their systems, that their systems weren't compromised.
And there was also a massive effort from the political parties and civil society to figure out like what all of the different elements were.
But the thing that's really striking to me about that is that with a concerted effort, it is completely possible to go from a dynamic in which you are being attacked and have no capacity to address those attacks, to two years later, having an election that is widely regarded as having operated with integrity and where, you know, cyber attacks have been reduced, the impact of disinformation and the spread of disinformation was reduced.
And you sort of raise the cost for the malign actor or actors who are engaging in that space make it less worthwhile.
So the cost is higher and the benefit is lower. And you end up with an election that is, that operates with integrity.
And the other thing that I've really taken away from that is, you know, we've talked a lot about, for obvious reasons, because we're here in the U.S., but the community here has really focused in on the integrity of the U.S.
elections, right, and how we preserve the integrity of U.S.
election processes. And the thing I think is so cool about the Cloudflare approach is that it draws from this lesson that we've also taken from Taiwan, which is this is a global problem.
And if you're able to see the problems as they emerge in another country, then you can address it in all of the other places that it's going to come up as well, right.
And so a lot of what we saw here in 2016 could have been anticipated if folks had been following what was going on in Ukraine before that.
And you can sort of create global resiliency, and not just in problem identification, but also in what the solution set is for addressing those problems over the longer term.
So there's a lot of lessons that we can learn about how to deal with this that we can take from other democracies around the world as well.
Yeah, and just piggybacking off of that, one of the biggest problems that we're seeing, which is not solvable from a hacking perspective, but it's the Internet shutdown.
And so what had been like an extreme measure is now becoming a routine part of the playbook of governments, not just strong authoritarian regimes either around the world, particularly around volatile events like elections.
I remember being in one country where all the major social media platforms were censored through Internet blocks for some days after the election.
This is, you know, really, it's bad for democracy, it's bad, it's a violation of people's human rights, and it's a huge problem.
So I'm quite excited to see that Cloudflare is now using their global infrastructure to help alert civic and political groups to what appear to be shutdowns kind of in real time as they're happening.
So that's one initiative that I'm looking forward to hearing more about.
We won't be able to solve the shutdowns in this way, but we can at least kind of draw attention to them and hopefully push back against this encroaching norm of blocking people's right to communicate freely across borders.
Yeah, especially in the case of Internet shutdowns, you know, you can be the most prepared in terms of an election, you have campaigns that are ready, you're ready to, you know, you put everything that you think is fine in terms of cybersecurity features, and then the government decides to shut the Internet down for a certain amount of time.
And, you know, how do you prepare for that?
But also, how do you keep governments accountable for these actions and also be able to track and call them out for this behavior?
So we're really excited to be working with a lot of different civil society partners on that.
So we have one minute left. And I just my last question, we could do this very quickly is like, what are you all working on now?
What are you excited about?
What is you know, the future of the election space that you're seeing right now?
And Amy, I'll start with you. Super. Thank you. I love this question.
So there are two things. One is that we have this big program called Democracy 2030, where we're really investing in local actors who are using technology in ways to deliver on democratic principles.
And I'm so excited about the idea of just investing in people who are using tech for good.
Because I think that that's actually a really big part of combating the ways in which it's being used for ill, as well as being just good in and of itself.
And we're also soon to be launching this is a related initiative soon to be launching with both NDI and the Stanford Internet Observatory, a guide, a sort of how to beginners guide on how to combat information manipulation in the lead up to elections.
So that will be forthcoming within the next couple of months.
All of those things sound so amazing.
I'm really excited to be tracking along. So thank you, Amy and Chris for joining for this Cloudflare TV segment.
I always love learning from both of you. So I really appreciate your time.
Thanks, Jess.