🔒 How Cloudflare helps governments run elections in 2024
Presented by: Daniele Molteni, Jocelyn Woolbright
Originally aired on October 17 @ 10:30 PM - 11:00 PM EDT
Welcome to Cloudflare Security Week 2024!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Daniele Molteni and Jocelyn Woolbright.
Tune in all week for more news, announcements, and thought-provoking discussions!
For more, don't miss the Cloudflare Security Week Hub
Transcript (Beta)
Good morning. Good afternoon, everybody. My name is Daniele Molteni. I'm a product manager in the application security team here at Cloudflare, and I'm very excited to be joining with me Jocelyn today.
Jocelyn, can you introduce yourself?
Hi. Yeah.
Hi, everybody. My name is Jocelyn Woolbright. I work on our Cloudflare impact team.
I'm based here in Lisbon, and a lot of what I do specifically on our impact team, there's three of us.
We work on a lot of the projects that have to do with Cloudflare and how we help build a better Internet.
So there's a lot of different parts of our team.
We work on the environmental side, the human rights side, but what I do is I manage a lot of our different corporate social responsibility projects.
So one of the things that Cloudflare that we have is that we have a free plan that basically anybody on the Internet can go to Cloudflare and sign up for a really great level of protection for free.
But one of the things that we've kind of noticed in like the nonprofit space and the human rights space is that a lot of these types of organizations who do this really important work are targets for cyber attack.
So the idea is that they need a higher level of protection than other types of customers.
So we actually have projects dedicated to providing free services, free upgraded services to these vulnerable groups on the Internet.
So anything that falls in that realm, it's typically under my purview.
And I've been at Cloudflare for about four and a half years.
Oh, wow. That's great. Yeah. I've also been four years at Cloudflare, so we probably almost started at the same time.
So the reason for this section today is that it's security week, right?
So during security week, we have tons of new stories, blogs, and features we launch and we want to talk about to the broader world.
And one of the areas we want to focus on is what do we do to improve, to make Internet better, right?
And your blog, your story is actually very, very relevant for the world this year.
Do you want to tell us a little bit what's that about?
Yeah. And security week is definitely one of the most interesting weeks, at least for our team, when it comes to kind of weeks that we have here at Cloudflare, because a lot of the reasons why we started these types of impact projects is very much security focused.
Like these types of organizations who don't necessarily have the expertise or budgets to afford these types of sophisticated types of cybersecurity products.
That's really why we started these projects.
So it's really timely that we can incorporate a lot of these projects into security week.
And I think one of the parts about 2024 that's really interesting is there's actually going to be 80 national elections around the world that are going to impact 4.2 billion individuals.
So there's elections happening in Indonesia, the United States, the European Union, and many more.
So it's really the year of elections we're calling it.
And one of the things that we think about on elections is that it's really the cornerstone of democracy because it allows citizens to shape their governments and hold leaders accountable and also be able to participate in the political process.
So one of the things at Cloudflare that we're thinking about during security week is that we protect a lot of different types of election entities that work in different areas.
So how can we help those individuals and organizations get ready for elections as we kind of go into 2024?
So it seems pretty fitting that we're having security week. We're going into Super Tuesday, which is in the United States, one of the biggest election days besides the general elections.
So it seems like a very timely topic for security week.
Yeah, it is amazing. It's actually a great blog, great story. So again, it's about how do we protect, how Cloudflare helps protect democracy and global democracies by helping, giving security and protection to those countries that are fitting elections this year, right?
But tell me a little bit more about Cloudflare Impact Projects.
So you mentioned it's something related to global sustainability.
We have a number of initiatives there. So tell us a little bit more, how should we think about the Cloudflare efforts into improving impact in the ESG projects?
Yeah, so at Cloudflare, we've kind of started, we've been doing a lot of these types of environmental human rights initiatives.
But I think one of the things that we've been trying to do is like formalize this and trying to tell that story, because Cloudflare has a really unique story in that space.
When it comes to our impact projects, it really started with our main project, which is called Project Galileo.
And it was started in 2014. So we're actually going to be celebrating the 10th anniversary this summer, which is super exciting.
But the idea of Project Galileo was that organizations that work in really sensitive areas, for example, in journalism and human rights in promoting democracy, they need these types of increased cybersecurity products, and also expertise from Cloudflare to understand what types of threats are out there, but also like how to protect their either internal applications or their website.
So the idea of Galileo was let's provide these organizations with a higher level of service for free, and also like trying to figure out how we can understand the types of threats that they're seeing.
So right now under Project Galileo, we protect more than 2,500 organizations in 111 countries.
And it really ranges from the small nonprofit organizations that are working on environmental issues in Brazil, for example, to the larger nonprofits that could be based in Germany, for example, that are raising money for a specific cause.
And I think one of the themes that we see with Galileo is that there's such a diverse range of organizations and expertise.
So how can we be helpful in providing some of the standards of cybersecurity for these range of organizations?
And when we think about the election space, specifically with Project Galileo, I think it's really interesting because a lot of times the organizations that we consider under Galileo are really that work in the election space or organizations that are helping get information about where your polling place is or like providing election results.
So a lot of journalism organizations will be posting election results in real time, or they're like promoting, like registering to vote.
So a lot of those like nonprofit type organizations work in the election space.
And that's how we kind of work when it comes to Project Galileo and how we look at elections.
And one of the things that we noticed with Galileo as like in the last like 10 years was that we would have like state and local governments apply for Project Galileo.
And like we don't protect state and local governments under that project.
It's really dedicated to the nonprofits of the world.
But we would have state and local governments apply.
We were like, okay, we recognize that there is a need for these types of cybersecurity services, these layer seven types of protections for state and local governments that run elections, especially like the smaller counties.
So one of the things in the US that's really interesting about elections is that each state does it completely differently.
And also each county will also do it completely differently in that state.
So there's no like types of standards when it comes to like running elections specifically in the United States.
So we kind of saw that we saw state and local governments coming to us asking for free upgraded services because they were seeing these sophisticated types of attacks specifically during the 2016 election.
So we were like, okay, how can we like provide these set of services in a responsible way to the state and local governments, specifically like smaller counties that need these types of protections, but don't have the budgets to be able to, the budgets or expertise, because it can be really complicated to figure out how to protect your website that is typically getting a couple thousands of visitors a week.
And then during election time, it'll spike to the hundreds of thousands.
And a lot of times it's legitimate people looking for like where their polling places are or like trying to figure out like authoritative election results.
So we've always looked at our projects as like, okay, we see that there's a need.
How can we be able to help?
Like what's the most responsible way to provide our products? So that's kind of how we look at our impact projects here at Cloudflare.
Yeah. And I think one figure while reading your blog, one figure that really like shocked me and stood out is that I was reading that in the last three months leading up to the election to the 2022 US midterm election, there were around 150,000 phishing emails targeting campaign officials, right?
So there's a huge amount of increased malicious activity, right?
Trying to, of course, like exploit officials and exploiting general situation.
What are the other trends you've seen or perhaps a path or concerns that perhaps those organizations have shared?
I think whenever one of the ways as we've kind of grown each project over the last couple years, we've been able to learn best practices when it comes to protecting these different types of election entities.
So for example, when it comes to the nonprofits that are working in voting rights, they need a different level of service and support than a state or local government that is running election.
And also like we have another project that's dedicated to political campaigns and they have different cybersecurity needs compared to state and local governments and nonprofits that support elections.
So I think over the years, we've really been able to figure out how do we provide these services in collaboration with a lot of, with partnerships.
And that's really one of the ways that we've been able to understand what types of threats we're seeing against election entities, how we can get this information in the hands of organizations that work with election entities as well to try and figure out like what's the best and most responsible way to provide our products.
And I think as we look toward the 2024 elections happening around the world, we are really reminded how important our services are in keeping information related to elections reliable and secure from those looking to disrupt those processes.
And unfortunately, I think the problems that election officials face in these elections specifically have only gotten more complicated.
And it really requires facilitating information sharing, capacity building, and really joint efforts to safeguard the democratic process.
So at Cloudflare, we really see ourselves as like one piece of the puzzle when it comes to election security.
And when we think about threats, I think the information sharing part is really important and making sure that there are many players in the space that can provide these types of free services.
We don't want to be the only one providing free services to state and local governments, and we are not the only ones.
And I think encouraging more companies, non-profits, governments to really talk about information sharing and collaboration efforts and capacity building is something that we really want to be doing at Cloudflare.
And as we look to 2024, I think that's really one of the main focuses that we see in the election space.
And if we look back at 2020 and 2022, what did we learn from there?
And is there any learning we can then apply to get ready to prepare for such a big and huge event?
I think there's so many different kind of efforts when you think about preparing for an election.
And during 2020, it was interesting because internally at Cloudflare, we created a whole tiger team that was available kind of on call for that whole week of elections.
Because in the United States in 2020, it actually like the presidential election, it wasn't called until maybe like five days after people went to the polls on official election day.
So for us, we were thinking, okay, how can we like prepare like a week before, a week during, and a week after?
And there's a couple different scenarios that we actually saw during the 2020 election that has informed us of how we can get ready for the 2024 election.
And there was actually one example that's really interesting where it kind of takes only one person with a huge following to post something about like voter registration, which can drive a lot of traffic to a specific website.
And in the past, we've actually seen election websites, they'll see these websites spike to four to 15 times the normal amount of traffic during these times of voter registration.
So with these unexpected influxes of traffic, they really have to be on guard before, during, and after elections.
So we've been trying to figure out like what we learned during 2020, how we kind of can take some of our security tools and best practices and kind of teach them to state and local governments and nonprofits and political campaigns.
And another kind of interesting tidbit that we learned during the 2020 election is that we had this really large journalism site that was actually bringing in real time election results during the 2020 election.
And during that time, the organization was actually one of the first orgs to call the general election.
And right when they were about to do so, they experienced a DDoS attack, a huge, and you can see this just huge spike in traffic.
And one of the reminders, the spike was seen in about a 20 minute timeframe, which can really show how quickly these types of attacks can occur.
So one of the recommendations that we kind of have for 2024 is that like, you know, you kind of have to be on guard that whole month of elections, which can be really difficult for a state or local government, where a lot of times like a county in one state, let's say you have a small county in one state, they might actually share the same IT person in the neighboring county.
So it can be really difficult for that one IT manager to be managing like many different county websites.
Yeah, it's really difficult.
And like, we really want to make sure that these election officials have the tools in place beforehand.
So they don't have to worry about their website going offline during these important times.
Because unfortunately, one of the other trends that we've seen in 2024, that isn't even related to Cloudflare, is that like election officials are really worried about like, physical security, making sure the voting machines are working, that like don't really have anything to do with us.
And that's why I say like, we are one piece of the puzzle.
And we want to give election officials the confidence that their website is going to stay online, it's going to be secure, and it's going to be reliable.
And that's really kind of how we're looking at 2024.
That's great. And just to give a little bit more context on the products we actually provide to those organizations.
Of course, DDoS is something you mentioned. So I guess DDoS attacks is of course, top of mind and one of the probably most common attack vectors that are used by actors to try to bring down sites and organizations in general, but specifically when there is a political motive, I guess this is also a tool they use more.
And then for example, I see as a WAF PM, I see how important it is to apply like rate limiting tools that, that make sure that no one, no single user is able to perform too many requests, for example, to a polling website, for example, and try to bring that down or to bring it offline.
And I think also while you were talking, it came to mind how we increase performance also for those types of websites, right, and digital assets, by being able to give them access to our network that again, can scale and have that elasticity.
So if the peak of requests shoots up on the day of the election, for example, then we can easily serve content without affecting the performance of the digital content of the website in this case.
So I think, yeah, it feels like all the products we've been building as a company in the last 10 plus years, they're actually served for this purpose, pretty, pretty well.
And, yeah, but can we just take a broader look at the world, right?
Because you mentioned a few times about the US, but how can we take our expertise globally, if you want to help elections, commissions around the world?
Is there anything we can do? Is there an example already of projects ongoing?
Yeah, that's a great question. One of the things that we've learned in the past couple years with Project Galileo, and the Athenian project, is that whenever we kind of think about our projects, and like launching new projects, we always really look to the experts to understand if our services will be useful, and how to do it in a responsible way.
So actually, one of the most interesting parts about Project Galileo is that we actually work with about 50 different civil society organizations.
And these civil society organizations are these large nonprofit organizations that have either, you know, offices all around the world that support human rights defenders, or work in increasing democracy in many places around the world.
Or like they provide like assistance on the digital security side for human rights defenders.
So we partner with organizations like Amnesty International, the National Endowment of Democracy, and a lot of the Council of Europe, like a lot of these large, really like the leaders in the human rights space.
So we actually partner with them to understand like, hey, how can we provide our services?
How can we be helpful? And we do this a lot during like global events.
So for example, like during the war in Ukraine, we saw a lot of organizations come to us that were raising money for Ukrainians, or like journalism sites in Ukraine that needed protection.
So we kind of worked with our partners to figure out how do we get these organizations under Galileo.
And because we've kind of built those really great partnerships, we've been able to learn that like election security is not only a US specific issue, but really a global issue.
So we actually look to some of the experts, for example, we work with an organization called the International Foundation of Electoral Systems, and they are a large nonprofit that helps emerging democracies and works with election commissions around the world to help kind of increase their cybersecurity posture.
So we work with IFES to provide our enterprise level services to election commissions around the world.
So we've actually been providing services to like some entities in Canada, North Macedonia, and many others too, because like we do have this expertise in election security with all of our projects, like we can actually provide that expertise to others around the world.
So I think when it comes to on the partnership side, that has been such a really great way to be able to understand how we can give our services away with the help of a nonprofit, because like they're the experts, we are not the experts in human rights.
You know, we really want to be able to like work with the experts that know this space, and kind of understand our technology and how we might be able to be useful.
So that's definitely one of the ways we've been able to kind of expand the Athenian project to protect election entities outside of the US.
Yeah, sounds great. And when it comes to, let's say the threats we do that we see against election websites, can you expand a little bit on that?
I think also that's part of the story today.
Yeah, I think when it comes to the threats we actually did, whenever we were thinking about the threats that we see against state and local governments specifically, we've put out a couple different blog posts about the threats that we see.
But we wanted to do something a little bit different for the 2024 election.
And we really wanted to learn specifically from state and local governments protected under the project, like what really worries them in terms of online security threats.
So we actually sent out a brief survey to a few participants under the Athenian project.
And we found that a majority of the participants that we surveyed believe that the use of generative AI tools will have a significant impact on the 2024 elections.
And also we were trying to figure out what is the experience of an election official when it comes to kind of online threats.
And we found that 80% of participants that we surveyed indicated that their team had experienced an email phishing attack in the last year.
So some of the threats that we're seeing have only really grown more complicated.
And trying to figure out like at Cloudflare, we're seeing these state and local governments say that we have experienced these email phishing attacks.
And then we take that information, we say, okay, what types of products might be helpful to these election officials in this space?
And how can we kind of collaborate on the best way to kind of talk about our products and see how they'll be useful?
And another kind of survey question that we found is we found that trust and reputation is really the highest concern when it comes to a cyber attack with election officials, when it comes to like the worries on online security threats.
Because when we think about like elections and democracy, one of like the main pillars of that is trust.
And like making sure your website is available during a really important time is really like the best way to build trust.
So like making sure that your website's reliable, secure, and that people can have access to information helps build that trust so people will have more like confidence in their democracies.
So that's really one of the ways that we've been trying to think about are the ways we provide our services in the election space.
Yeah, and you mentioned AI.
And if anyone listening to us has followed all the announcements during this week, you've probably noticed that we're heavy on new AI products or new AI security solutions.
So I think the AI concern is something that is shared across the board, right?
It's, there are a couple of components there, I guess it's like one is AI enables attackers to be more sophisticated.
So we see that, for example, using AI with social engineering type of attacks, it makes it very complicated, very hard to, to spot it, or even gives a more sophisticated weapon to the attackers.
So it really the advent of AI enables us as a society to be perhaps, you could argue more productive, or perhaps generate, as we all know, more like, like some new content, but also gives attackers a new tool that they can exploit.
So these forces or nudges companies like Cloudflare, in the security space, of course, to, to create new protection, new solutions that can counter those type of attacks.
And as you've seen, during the week, we've also announced a Firewall for AI solution, which is going to offer protection for models, right?
So if, for example, any of those, of those organizations, if they use AI, if they use LLMs to serve some of their products, for example, they could offer a chatbot to answer questions about elections, or about those type of topics, then of course, some security can be useful to protect those, those models, and Cloudflare is moving to that space as well.
So yeah, just keep, keep an eye out for new releases in the future.
Yeah, so why I like Security Week, because it's like, there's so many new types of products that come out.
And like, it's always nice talking with product managers, because like, they see these types of secure things in such a different lens.
And like, for me, I love kind of collaborating with our security teams, our product managers to be like, okay, I get this like little tiny frame of like, what it looks like for a nonprofit or a state or local government.
So it's always really interesting to kind of learn about all the products that are coming out.
And I'm always like, ooh, like a nonprofit would love to use this because they have these problems every day.
So I, I really love kind of collaboration between all the teams here at Cloudflare.
Yeah, and I guess it's one of our strengths, right?
Because we, we have so many different projects and so many different things.
So as a product manager, hearing feedback also from nonprofit organizations using our tools is incredible, right?
Because then I, first of all, I, I realized that what we do, what we build has an impact and has value, which is, of course, the biggest aspect of this, but also gives me additional insights on what we need to build to help protect those organizations better.
And one thing I noticed, like looking at the data is that you can also during the election, going back to that, you can see patterns in the traffic, right?
And I think this is something we see, or we've seen in the past, even for other big events.
So you see patterns during the hours of the day. There are like, because we see all the, or a big chunk of the Internet traffic, we can look at how that spikes in activity or troughs in activity they look like, and we can correlate it to actually what's happening, right?
And then I think one thing I noticed is that we can see when polls are open or closed and see different type of traffic, Internet traffic moving to mobile, perhaps when, when people go to vote or simply stopping being online because they're busy during the election process, I guess.
So it's something very interesting.
Yeah. Yeah. It is really interesting.
Like we talk a lot about, well, at least I talk a lot about like our election projects and like how we support state and local governments, but our team works really closely with the Radar team because one of the kind of trends that we've been seeing in the election space is that you will have countries that will either conduct Internet shutdowns around elections.
So that actually happened in Pakistan this year on election day.
So they had an election on February 8th, and that actually came with an Internet shutdown focused on mobile networks.
That was actually criticized by one of our partners, Amnesty International.
So it actually, this, our data shows that the outage started around two o'clock UTC and started to recover after three o'clock.
So that is actually one of the ways that we've been working with civil society organizations as well in identifying because at Cloudflare, since we have so many points of presence around the world, we are able to easily kind of identify when you see these like significant drops in traffic.
And we actually send that information as an alert to a lot of our civil society partners, and they will either come back to us and say like, yes, this happened.
We have people on the ground that say this happened because there was widespread protest in this country.
And the ways that governments try to either silence human rights defenders or stop the flow of information is by just like completely shutting down the Internet.
So that's something we're definitely monitoring as well when it comes to like identifying elections around the world.
So that's definitely like something we really want to focus on this year as well because like that is, we really consider that not a very, that's not the way that you should be silencing human rights defenders by shutting down the Internet because it also has like economic consequences for the country as well.
So that's something that we work really closely with our Radar team and civil society organizations to provide that information so they can track these human rights violations.
Yeah, and I guess this is also one of the amazing aspects of having such a big network that we can monitor or we possibly see what's happening.
And because everybody is online, we can actually infer what could be, what could cause a specific outage.
And this gives a great point to understand whether there are violations, whether there are abuses from even like states, state level.
So this is incredible. We can do this and can share it with the world.
Great. And any final thoughts that we want to leave with?
No, I think actually one of the final thoughts, whenever we put out our survey for state and local governments protected under the project, like we got some interesting kind of information from one of the participants.
And like, as we kind of go into a lot of these elections, as I said, like election officials are really worried about the physical security side.
And one of the participants said that like, they want people to remember that like election officials are also citizens and residents in their community, and they strive to have safe, free and fair elections.
So it's really one of those things of like, election time is like a time for everybody to get together and figure out like, what's the best way to kind of promote democracy and like, also recognizing that like election officials are citizens as well.
I think it's something that was really telling whenever I kind of start, I talk with state and local governments.
So that was an interesting kind of way to end the survey that we had for a lot of these participants.
But I'm excited for like many of the elections in 2024. And if there's any like nonprofits that work in voting rights or state and local governments or political campaigns that kind of need help from Cloudflare, I definitely recommend reaching out to our team because we're really happy to help.
That's great.
Thank you very much for closing with this call to action for everybody listening.
So thanks again for joining me today. And well, all the best with the election.
Let's hope that this year is gonna, is gonna bring some good change for everybody in the world.
And with that, I think, goodbye, everybody.
Yeah, definitely. Thanks so much. Bye. Bye.