Today we announced two developments in our work to protect critical democratic processes from cyberattacks. First, we disclosed that last week we disrupted an attempt by a group commonly associated with the Russian government to spoof internet domains associated with the U.S. Senate and two nonprofit groups engaged in work to protect democratic elections. Second, we launched an expansion of our Defending Democracy Program through a new service called Microsoft AccountGuard, designed to protect organizations that underpin democracy from cyberattacks. In this post I’ll share more about Microsoft AccountGuard including the organizations that are eligible for it, the services it will offer, how to register and the resources we at Microsoft are putting into the service.
While Microsoft AccountGuard is new, it’s grounded in work we’ve done for years to protect democratic processes. This includes support for the Iowa caucuses in 2016, our role as a technology supplier to conventions for both major U.S. parties, and the work of our Washington, D.C.-based team to serve both political campaigns and U.S. government institutions. Based on these foundational experiences, we constructed Microsoft AccountGuard to account for the threats these organizations face, their unique resource constraints and the mix of technologies they often use.
Starting today, Microsoft AccountGuard is open to all current candidates for federal, state and local office in the United States and their campaigns; the campaign organizations of all sitting members of Congress; national and state party committees; technology vendors who primarily serve campaigns and committees; and certain nonprofit organizations and nongovernmental organizations. Microsoft AccountGuard is offered free of charge. Organizations must be using Office 365 to register.
Microsoft AccountGuard has three core offerings:
Unified threat detection and notification across accounts
Microsoft AccountGuard will provide notification about cyberthreats, including attacks by known nation-state actors, in a unified way across both email systems run by organizations and the personal accounts of these organizations’ leaders and staff who opt in. Eligible organizations can invite staff and other associates to enroll in Microsoft AccountGuard, and notification will only occur with the consent of the account owner. In this way organizations can get protection for high profile surrogates helping a campaign, board members of nonprofit organizations or volunteers who use their personal accounts to communicate. Threat detection and notification will initially be available only for Microsoft services including Office 365, Outlook.com and Hotmail.
When we detect threats, we’ll work directly with participating organizations to notify them and help them secure their systems. This aspect of Microsoft AccountGuard will draw on the expertise of the Microsoft Threat Intelligence Center, or MSTIC. MSTIC’s state-of-the-art detection work is well-documented and helps protect our customers every day. However, the protection provided to Microsoft AccountGuard customers is special in three ways. First, by examining certain compromises or targeted campaigns against organizational email and personal accounts, we’re able to see larger patterns that are not apparent when accounts are examined in isolation. Second, providing a political organization with knowledge that a member of its staff has been attacked by a nation-state adversary is a key piece of information it can use to increase its security posture. Third, by working directly with organizations we know are most susceptible to nation-state attacks, MSTIC can better inform its research to develop mitigations against future threats.
Security guidance and ongoing education
Organizations that register for Microsoft AccountGuard will receive best practice guidance and materials designed specifically for the unique problems faced by politically oriented organizations. This advice will come in two forms: off-the-shelf materials organizations can use as they grow and take on new staff, and in-depth live sessions. Off-the-shelf materials will cover topics like enabling multi-factor authentication on various systems and devices, recognizing a spear-phishing attempt, when and how to install the latest operating systems, and how to provide appropriate systems access for different members of an organization. In-depth live sessions will be modeled after the highly successful, multi-day sessions for both parties’ national campaign committees and their partners which we recently held in Washington, D.C. These will cover topics like threat modelling, contingency planning, defensive coding, phishing awareness, identity and device and cloud management.
Early adopter opportunities
Finally, organizations registered for Microsoft AccountGuard will receive access to private previews of security features typically offered to our large corporate and government account customers. In addition to being among the first to deploy the latest technology, this aspect of Microsoft AccountGuard will enable us to collect critical feedback and rapidly evolve security to address the specific needs of eligible organizations.
Microsoft AccountGuard will be offered on a non-partisan basis and Microsoft will not disclose the participation of any customer in the program without its permission. Nonprofit and nongovernmental organizations may register for Microsoft AccountGuard if they are focused on political education, policy analysis, research or the advancement of democracy and meet Microsoft’s non-profit Mission Eligibility Guidelines. Technology vendors may register for Microsoft AccountGuard if they primarily service political campaigns or committees, are considered small or medium businesses by Microsoft and are headquartered in the United States.
Those eligible for Microsoft AccountGuard can visit https://www.microsoft.com/accountguard to request an invitation to enroll or to learn more.
Finally, it’s important to note that Microsoft cannot solve this problem alone. First, of course, we need organizations to adopt Microsoft AccountGuard and work with us to maximize the security of our democratic processes. To be successful in defending democracy, technology companies, government, civil society, the academic community and researchers need to come together and partner in new and meaningful ways. We also recognize that Microsoft AccountGuard is limited to protecting those using our enterprise and consumer services, and attacks can reach campaigns through a variety of other ways. We know our colleagues in the industry are working diligently to take similar steps, and we’re enthusiastic about their work. As we expand Microsoft AccountGuard, we will look for opportunities to coordinate with their efforts.