How Cloudflare helped with global election cybersecurity
Presented by: Alissa Starzak, Jocelyn Woolbright, João Tomé
Originally aired on December 6 @ 12:00 PM - 12:30 PM EST
This week, we present an episode on elections from an Internet and cybersecurity perspective, given that 2024 has been considered the “year of elections.” Over 70 national elections took place, impacting more than half of the world’s population.
Host João Tomé is joined by Alissa Starzak, our Deputy CLO and Global Head of Policy, and Jocelyn Woolbright from Public Policy. Together, they discuss Cloudflare’s various Impact initiatives and how these were utilized during the 2024 elections, particularly in the United States.
We explore how Cloudflare assembled a tiger team for the US elections and addressed the unique needs and challenges at the county, state, and national levels, including those of political campaigns. Additionally, we examine Internet and threat trends related not only to the US but also to Europe and other regions.
Learn more:
- Exploring Internet traffic shifts and cyber attacks during the 2024 US election
- How the Harris-Trump US presidential debate influenced Internet traffic
- French elections: political cyber attacks and Internet traffic shifts
- UK election day 2024: traffic trends and attacks on political parties
- Exploring the 2024 EU Election: Internet traffic trends and cybersecurity insights
- Internet insights on 2024 elections in the Netherlands, South Africa, Iceland, India, and Mexico
- Dutch political websites hit by cyber attacks as EU voting starts
- Celebrating 10 years of Project Galileo
- Protecting vulnerable communities for 10 years with Project Galileo
- Cloudflare Impact
- Project Galileo
- Cloudflare for Campaigns
- Athenian Project
English
Internet
News
Transcript (Beta)
Welcome to This Week in NET is the December the 6th 2024 edition and this week we're going to talk about elections in an Internet and cyber security related perspective.
In 2024 countries with more than half of the world's population, over 4 billion people send their citizens to the polls.
2024 is considered to be the biggest election year in history with over 70 national elections all over planet earth.
So this week we're going to have two special guests. I'm your host João Tomé, based in Lisbon, Portugal and with me I have Alissa Starzak, our deputy chief legal officer and global head of policy.
Hello Alissa. Hello, glad to be here today.
And also Jocelyn Woolbright from public policy that runs several of our projects, including Project Galileo.
How are you, Jocelyn? I'm good. Thanks for having us.
This is an exciting, exciting time. So let's start for those who don't know, where are you both based?
Alissa? I am based in Washington DC. Exactly. For those who don't know, we had a show, an episode with Alissa a while ago in the before the summer in May, if I'm not mistaken.
And we discussed many things, including the elections.
Many folks know by now that this 2024 was really a year of elections.
Over 70 countries held national elections. Apparently over 2 billion potential voters, about half of the world population in a sense that could vote, was targeted to vote this year.
So it was an extensive electoral activity this year, for sure, in terms of democracies.
Cloudflare, for those who don't know, has several projects, what we call Cloudflare Impact in a sense.
Some of those help during election periods.
Can we give folks in the audience a glimpse of what types of projects and initiatives we have regarding elections?
Jocelyn, maybe? Yeah, I'm happy to start with that.
So hi, everybody. Thanks for taking the time to chat about this topic today.
I think one of the things about elections that is really interesting is that we have a lot of different projects where we're helping so many different election groups.
And the way that we kind of think about them is we have one of our biggest projects, which is Project Galileo, where we protect more than 2,900 organizations in 111 countries.
And a lot of times the organizations that we're working with under Project Galileo are the human rights organizations, the journalism and media groups, a lot of these smaller organizations that really don't have the budgets to be able to afford cybersecurity services, but are also seeing these very sophisticated types of attacks due to the work that they're doing.
So a lot of groups will either try to steal sensitive information from these organizations or take these sites completely offline and make them inaccessible.
So we started Project Galileo in 2014, to make sure that these groups really have the highest level of protection from Cloudflare at no cost.
So now that we are a cybersecurity company, you know, we're really good at building security products, but we aren't necessarily experts in human rights or journalism, or really identifying which groups need our services in these spaces.
So we actually partner with about 53 different civil society organizations, these really large nonprofit groups, who we work with to identify who exactly needs these types of products.
So an example of some of these organizations that we work with is like Access Now, the National Endowment for Democracy, Freedom House, and many others who typically have kind of staff on the ground in many of these regions.
They have projects where they have digital security helplines, they do trainings for human rights defenders, and they really understand what types of cybersecurity threats these organizations can face, and can really advocate on how useful our products are to kind of build trust when it comes to providing Cloudflare services to these groups.
So one of the things about Galileo that I think is interesting in the election space, is that we have a ton of organizations around the world that work in journalism and media, and they are reporting on election results, or we have voting rights organizations that are working on getting information about last last day to register to vote.
And we protect a lot of organizations in the election space that kind of fall under those nonprofit, nonpartisan organizations that provide these kind of essential services.
So that's one of the way that we think about the nonprofit side of the election space.
And then we have the Athenian Project, which we started in 2017 to provide our free enterprise level services to state and local governments that run elections.
And one of the questions that I get a lot working with state and local governments is, how does the nonprofit work also kind of work with the voting system and kind of cyber attacks?
And one of the interesting things about the US voting system in particular, is that it actually is a decentralized election system with a wide variation of the ways that people vote.
So for example, in the US, each voting is run differently state to state, or within the same state.
So it makes the administration of elections from registering to vote to organizing polling places, that's typically handled by counties, cities and towns.
So that means that no county can really do voting the same. And that can be a good or a bad thing when it comes to cybersecurity.
Because like, one thing is that like, let's say you have a vulnerability, it won't necessarily exploit a large number of systems because they're all decentralized.
But that also means that counties around the world might not necessarily get the same type of budgets or like expertise to know how to protect their...
And potentially, they have to do it all by themselves in a way, because they're a bit independent in a way.
So that's complex, a little bit more complex for them, for sure. Lisa, I'm curious about Clawflare in general, like, some of these initiatives, how they came to be?
Why is it relevant to have them? We spoke about this a bit in May, maybe giving a sum up of the year regarding some of these initiatives.
Yeah, I think actually, Justin sort of focused on a couple of them.
I think one of the things that's interesting about Clawflare, and this will get to your question, is that we actually operate in so many different areas related to elections.
And I think Justin sort of flagged how we started, we started on the nonprofit side.
And I think in 2017, when we launched the Athenian project, there was really a recognition that elections were critical, protecting elections was actually critical to both Clawflare as an entity, but also just the global Internet, making sure that things worked well.
And it was really the same philosophy that sort of applied for Project Galileo, was the idea that some entities really had to be protected against cyber attacks, that it was critical for so many of us to make sure that those entities had protection.
I think what we've seen over time is that we've gotten involved in different parts of the election ecosystem.
So Justin got up through the Athenian project, we also protect political campaigns and Clawflare for campaigns, which was a very active area this election cycle.
And we've really been thinking about how the ecosystem fits together altogether.
And again, that gives us a, I think we have a very unusual perspective, because we really see most of the things that are connected to the Internet.
One thing I want to say on the broader piece for the state and local government side, I think what most people often don't understand is that most election systems themselves, the actual voting machines are not connected to the Internet.
They are not actually subject to potential cyber attacks.
They are air -gapped is what we call it, right? They're kept separate on purpose.
And so a lot of the attacks that can happen are really about trust.
They're trying to take down a website to make people think that something is a problem.
And so that's what we spend a lot of time trying to protect against, making sure that websites for, whether it's for a political candidate or a state and local government that shows where to vote, or media sites that actually are reporting on results, that all of those stay up so that people don't start to wonder what's actually happening behind the scenes.
Makes sense. For the US election that was mentioned, there was a lot of attention for that specific election.
We protect a lot of different websites from counties, states, as mentioned, even large campaigns.
What was the process of preparing for such a large event?
We have from other elections in France, in the UK, in so many countries, others using us for protection, but this was a very in-depth by state, by county type of election.
What was the process of preparing for such a large event really? It was a great process actually preparing for the 2024 elections.
I think one of the themes that you kind of see throughout our projects is that we partner with a lot of experts in this space to identify exactly where our services are needed and how we can be helpful.
When we thought about kind of preparing for the 2024 elections, the way that we started in February of 2024, we actually did three different webinars for state and local governments discussing the Klabsler dashboard, what types of threats we've seen against state and local governments in this space to kind of get them prepared and get them familiar with our services and make sure that they feel comfortable kind of using our services.
That was kind of how we were preparing. We sent a lot of security guides.
We sent a lot of checkups. Actually, a couple of months before the elections, we did about 40 different calls with state and local governments going over configurations and letting them know that these are the types of threats we are seeing.
These are the types of steps you can take to make sure that you're protected because one of the things that we really wanted to make sure is that a state or local government has so much to prepare for elections.
We don't want them to have to worry about their website and constantly be checking their Klabsler configurations.
They have so many other things that they need to be focused on.
So making sure, giving that touch point, making sure they have that assistance kind of months before is really important.
And then also we worked with different types of partners, like defending digital campaigns on the campaign side.
So we worked with them really closely to figure out how can we update our security guides when it comes to new threats that we see emerging coming to political campaigns in the state and local or political parties, which is really, really interesting.
And then we also worked with Joan, your team, to identify how can we kind of tell the story to an external audience to make sure that people know that we're able to help kind of provide that expertise.
So that was some of the stuff that we did kind of externally.
But internally, it was trying to figure out how can we get a team ready together that is able to pull all the experts in at Klabsler to get really the support that in an under attack scenario, what that would look like.
And kind of the month leading up to elections, we saw about 10 different under attack scenarios where we had a whole team kind of come together to identify like, hey, let's get on a call immediately with this different campaign or nonprofit organization to provide that under attack support.
So we had about 100 different people internally being able to help and kind of jump in, which was really great to see, because like when it comes to elections, like time is of the essence and getting these folks back online in kind of these under attack scenarios, which really are the way that we were thinking about how we want to provide that support.
One of the things that we mentioned in the blog post that came out after the election was first, there was clearly cyber attacks activity.
So there were definitely attacks for sure.
But the good news is they were not successful, right, Elissa?
So we were able to, from our end, our perspective, keep everything on in a sense.
Yeah, no, that's exactly right. I think, you know, it's really kind of a hard balance in some ways, right?
Because the goal for us as a cybersecurity company and for just for helping in this space is to make sure that everybody stays online.
So, you know, we were really proud, actually, at the end of it, that that's exactly what happened.
We didn't see prolonged disruptions. We actually saw it as a relatively secure election, but that doesn't mean that there wasn't a lot of activity behind the scenes.
And so it's sort of a careful balance between those two, where we want people to know as they come into the next election cycle, that there is no doubt that there was a lot of cyber activity in this election, but that doesn't mean that things were disrupted.
And so that you can have both of those things and have it be something that continues to work.
So I think we've been, we were really proud of sort of our team's efforts, that we really kept people online, that it really, that practically, even though there were attacks, we managed to fend them off.
And I think we were, you know, for a very good outcome.
I think we thought we saw a very secure election in the end. True. Specifically, and showing now the blog per se, we saw clear attacks on some types of organizations.
We also explained here how we exist with election infrastructure. Some of the areas already mentioned before by Jocelyn and Elisa.
But in a way, we definitely saw an increase in attacks in November and October, specifically DDoS attacks being the first ones here appearing in highlight.
And also two specific election-related campaign websites.
And this, I think it was the most notable one, because it was all through a few days before the election.
And it actually continued large-scale requests-per-second DDoS attacks to one particular campaign website, through November the 5th, the day of the election, also the following day.
So a specific example here.
We also, here in the blog, mentioned specific campaign infrastructure types of websites, state political types of websites, counties.
Jocelyn, you were mentioning for specific how we helped specific counties even.
And here is a specific attack on a county.
Is there lessons learned, like feedback we got from what happened through these elections, even to those smaller counties, smaller states in a sense?
It's interesting because I've been at Cloudflare for five years, so I was here during the 2020 election and now the 2024 election.
And kind of reflecting on the last couple of elections, I think we definitely learned that when it comes to the different players in the election space, they all do need kind of different levels of products and different levels of services.
But I think one of the themes that we see is that we are one piece of the wider election puzzle.
And it's organizations like Defending Digital Campaigns or, for example, CISA's Joint Defense Cyber Collaborative, JCDC, who have been doing a really great job of putting best practices out there.
And we're really happy to be working with organizations like that to be able to get the word out about what types of products are available.
And also being able to share this type of data helps other types of players in the election space kind of understand what is out there and be able to get the protection and the support they need.
And I think another part about kind of lessons learned is that there's so much that we can learn in 2024 that we can take that expertise and give it to partners such as Defending Digital Campaigns, JCDC.
And also, we work with another partner called the International Foundation of Electoral Systems that is providing cybersecurity protections and expertise to election management bodies outside the U .S.
So the kind of lessons that we learned in the U.S., we can also use that to be able to help others in the election space kind of advocate, like, we've seen this in the U.S.
We can also make sure that you're protected against what we see here because we we assume that will probably happen again or similar types of attacks.
So kind of partnerships is really what we try to focus on when we think about the election space, because, like, we can't do it alone.
It's really important that you have so many different players to be able to kind of make the democratic process as as trusting as possible.
You're mentioning other countries, other situations specifically.
I was surprised looking at our data to attacks, how so many, even in the Netherlands, in the U.K., in France, all of these countries had elections.
There was this year the European Union election throughout all of the European Union countries also.
And I was surprised first how attacks are frequent and first how a culture is used for by so many to be protected.
Elisa, on that regard, are you surprised also in a way by how we protect even in other countries, elections, campaigns, things like that?
Yeah, I think people don't often realize how complicated the ecosystem is.
And this is sort of what I was getting at at the beginning. Both Jocelyn and I were getting at, I think, you know, the reality of what does it mean to attack an election?
People think it is, again, attacking the voting systems. And that's not at all what we see.
I think or certainly we're not we're not protecting the voting systems themselves.
So that's one of the reasons. But I think that we do see people attack things that might not be protected.
Right. So we see campaign websites is really common.
And I think I think that reality isn't something that people always process.
They don't put that into the broader campaign ecosystem or the broader election ecosystem always.
And because of that, it is it's not always something that that gets the attention and the care that that you might want it to get.
So I think one of the things that we've been I've been really sort of as I sort of reflect do the same thing that Jocelyn doesn't reflect on the cycle.
One thing that I think we did really well was to take information from across the ecosystem and sort of give people best practices that were still tailored to what they could do.
I think we just spent a lot of time trying to think about what that would look like for a campaign versus what that would look like for a state and local government based on what that would look like for internationally, what somebody else might have seen on the same kinds of attacks, whether we could compare them, whether there were similarities.
We did a lot of work on that area this cycle. But again, I think that we have seen consistently now in different jurisdictions just kind of DDoS attacks on campaign websites, just something really simple.
But that can that can absolutely derail someone if they are if they are not protected.
Exactly. For example, one that we published a blog post about was during the EU European Union voting in the Netherlands.
Clearly, some large scale DDoS attacks targeting two political related sites, for example.
And we saw different perspectives in different elections, South Africa, Iceland, India, Mexico.
All of those had elections, relevant elections this year, the EU elections, as mentioned before.
And specifically, the French election was also the target of very clear attacks.
And some of the attacks, for example, that surprised me were first sometimes on the day of the election.
Other times were simply right after the election, when someone won, for example, that was the case for the UK election specifically.
There was a new party winning that specific election.
And we definitely saw an increase after the results were published in a way to a specific political related website, right after the results were announced.
And the media was also mentioned before in terms of attacks. Those are also attacked.
Any perspectives here regarding these types of more specific attacks on specific zones specifically?
Anyone wants to jump in?
One thing I will say that I think is actually just worth understanding, when we talked about the evolution, we were late to the campaign space compared to everything else.
And that's because the campaign space is much more complicated in many ways.
So a lot of countries have campaign finance requirements and restrictions.
And that means that something that might be a government oriented sort of cyber protections typically don't apply in the campaign space.
And so they are two distinct things. We actually benefit from the partnerships that Jocelyn mentioned, particularly with respect to campaigns, because there are several nonprofits in the campaign space.
So on the US side, that was defending digital campaigns.
It's IFAS on the international side. But that ability to sort of make sure that we have a way of protecting those sites, even though it is not sort of standard, or might even be subject to legal restrictions, that finding legal ways to do that, in a way that actually will work for those parties is really important.
And I think we saw, if you look at those attacks, but in the French election, in the Netherlands, in the US as well, those were ones that really did come under more attacks this year.
And it's something that we were tracking pretty closely.
So I think that we again are looking at this sort of political space, and recognizing that there is a huge amount of value in it being able to provide free services and with the partnerships that enable us to do it.
Some of these blog posts also mentioned the increase in Internet activity in general.
Typically, actually, it drops a bit during the election day. And then when results, when polls start to close, and results start to pour in, Internet traffic picks up and actually increases a lot.
On the sense of elections in general, and Jocelyn, you're mentioning the 2020 election, what type of changes have you observed from that one to this one, even in terms of how counties, how states are prepared?
I think when I look back at 2020, and kind of comparing to 2024, I think when it comes to the Athenian Project and state and local governments, there have been so many great organizations that have been putting out best practices.
And I think the biggest difference of whenever I get on a call nowadays with the state and local government, I typically have to talk about like, okay, this is, are you familiar with Cloudflare?
How did you learn about the Athenian Project?
And they'll be like, oh, we already know about Cloudflare, we already have a free account.
We would just love to learn more about like, what types of threats you've seen against state and local governments and what exactly we should do on our configurations.
So I think the biggest difference has been like, because our projects have grown so much, like, we get to onboard so many more state and local governments, because we do save a lot of time because, you know, they recognize who we are in the election space.
And that's because we have so many good partnerships and so many good people that work on these projects that can help kind of make sure that everybody's kind of set up for success when it comes to providing support to all these different folks in the election space.
So when it comes to like comparing 2020 to 2024, we've saved a lot of time in terms of having to do like the onboarding for state and local governments or political campaigns, because a lot of them are using Cloudflare, which is really great to see.
And having them under our projects is just making sure they get that extra level of support and just ability to be able to make sure that they can, they don't have to focus on their website going offline, they can focus on the other work that they're doing in the election space.
One of the things that surprised me always is that although some attacks, DDoS attacks, are small to the Cloudflare scale, they are huge for some of these websites regarding, could be a journalism platform, could be a state or a county, they are huge for them to support.
So these types of protections really make a difference, even when the attack is not big, right?
Alyssa, do you have a sense on how sometimes a difference these types of things make in terms of feedback also you've got over the years?
Yes, you know, one of my favorite things in the world is actually to talk to entities on any of our impact projects.
But certainly we've heard this from state and local governments where they had an attack, and they didn't even notice they had an attack when it was happening.
And that reality that it was just automatically mitigated by Cloudflare, because that's the way our network works.
Those are the things that make me incredibly happy, because as Jocelyn said, if you're a state or local election official, we don't want you having to focus all of your time on dealing with configurations or dealing with an attack, we want you to be able to do all of the other things that make an election run smoothly.
And so when we can do that, when we can use our network and make it so that an attack is meaningless for them, they don't even notice it, they don't even have to do a thing, they don't have to change anything, that is by far the best feeling in the world.
It feels like we actually made a real difference, because we gave them time back that they could use for something that they absolutely need around the election.
And we've heard that in the Galileo space with nonprofits, with media organizations, we've heard that in the state and local government space, and we've heard that on campaigns.
And so to me, that's one of the things that makes me the happiest. The level of number, the number that we have in some of those campaigns is quite interesting.
Project Galileo over 111 countries, correct me if I'm wrong, Jocelyn, Athenian project, over 33 states in the US, over 400 websites being protected with that program.
Call for campaigns, it's over 300 campaigns and 34 state level political parties being protected.
So it's huge numbers in terms of the current situation of protection.
Regarding the next steps of these types of projects, what are those types of steps in terms of lessons learned now, but also what's coming?
Jocelyn, do you want to pitch in? Yeah, I think there's a lot to learn when it comes to the 2024 election.
And I think being able to share some of the attacks that we've seen are going to help kind of future elections and working really closely, for example, with IFAS and defending digital campaigns to kind of make those partnerships, trying going into new areas, trying to figure out where our support is needed is really what I'd like to focus on for 2025.
So we're really excited to have these great partnerships and kind of understand like where our services can be useful and kind of look back more about like these are the types of threats that we've seen against election management bodies.
How can we kind of advocate to others around the world to make sure that they have the protections that they need?
Alyssa, you have a 2025 perspective of what's coming, especially in this area.
Yeah, I think Jocelyn's exactly right. I also think the partnership piece is incredibly important.
And I think one of the things that we've seen, if I look back sort of over the time that I've been here at Cloudflare, one of the things I've seen getting increasingly sophisticated, unfortunately, on the attacker side is the combination of threats.
So it really has to be a partnership model where we think about what attacks look like across different providers, across different kinds of infrastructure, and we actually have a conversation.
That is how we end up succeeding in the end. We have conversations that on both hybrid threats and on the same kinds of threats across different providers.
And I think that is where we are going. I think that is the world of long-term partnership for us, where we have, as Jocelyn said, we are one player in a very significant threat ecosystem, but we are a significant one, but we are just one player.
And so we have to find a way to make sure that we've built the best possible collaboration and cooperation with a lot of different kinds of providers.
And that's certainly something we're going to be looking at in years ahead.
Makes sense. Project Galileo, potentially the one that started all the others, did 10 years this year.
It's a big mark in a sense. What are the main highlights we would want to give about Project Galileo in terms of where it's at and where is it going?
Jocelyn, do you want to pick up? Yeah, I think for when we think about Project Galileo, I think what I'm excited for for the future is thinking about new partnerships where our products can be most useful into new areas.
We have more than 53 different civil society organizations.
So they're really the ones that we look to for their expertise.
So I'm really excited for the next year of where exactly are our places or spaces that our services aren't and how can we be more helpful in those areas?
So I'm really excited for how do we expand Project Galileo?
How do we get more organizations around the world that we wouldn't be able to necessarily get that visibility into or get those services to?
So that's one of the things I'm excited about.
For those who want to reach out and participate in one of these programs, we have colfer.com slash impact where Galileo is there and other resources and possibilities are there.
Anything we want to mention in terms of those who want to be included in some of these projects, what they should look to?
Actually, cyber safe schools here is right here actually. Yeah. So one, please, please reach out.
We're friendly folks and we actually love having conversations.
I think the biggest thing for me when I look back at 10 years of Project Galileo, Project Galileo started something for Cloudflare that has been meaningful and is actually something that led to all of our election projects where it was really a sentiment that we had a role that we could play and that there were entities that should absolutely be protected no matter what.
And you see that not just in our impact projects, but across Cloudflare in general.
And so when there is somebody who comes under attack, that is a really meaningful organization, we act first to help get them back online, to help prevent the attack and then figure everything else out later.
And we've done that consistently. And it's something that I think is really something that's come to define Cloudflare in a really meaningful way.
And it's just something I'm really proud of. And I think we've gotten feedback from a lot of our partners on exactly that point.
So we're about to be putting out a new impact report.
We're going to be talking about the 10 year anniversary of Project Galileo.
But a lot of the feedback that we've gotten from civil society partners is that they see that on their side.
And again, just something that makes me super proud to work at Cloudflare and something that I hope we continue for the next 10 years.
And keep expanding. Keep expanding. It's a good wish.
I remember when I joined the company, reading a specific case study about Wikipedia, how we helped Wikipedia a few years ago.
It's public. That was a really good way.
Wikipedia is really important and we helped them. So it definitely resonates.
2025 is just around the corner. Just to end things. In a more general, not necessarily impact related in terms of our projects, more general perspective.
Do we want to give some predictions or what we expect the most for even on the policy side potentially for 2025?
I'm sure, I have no doubt that 2025 is going to be an exciting year.
I actually think that the year of elections means that it's a year of change.
2025 will necessarily be a year of change.
We obviously have a new U.S. President. We have a new European Commission.
We have many new governments around the world. And so some of it will be thinking about what that looks like ahead for policy.
If policy will change, as governments change, policy changes.
So no concrete predictions, except that things will be changing.
So that's about it. So there will be work to do for sure.
I can predict that there will be a lot of work to do. That is one thing I can absolutely predict.
And I can also predict that there will continue to be cyber attacks, which means that Cloudflare will continue to have a lot of work to do on both the technical and the policy side.
For sure. Justin, do you have a prediction for 2025?
No, I think that that really encapsulated it.
Lots of change, but we're here to help any nonprofit or state or local government campaign.
So definitely, if you kind of fall under that bucket, definitely apply for one of our projects.
That's perfect. And that's a wrap. Thank you all.
