It’s critical when we’re facing crises that we protect our core values, including democracy. Democracies were already facing adversaries intent on using cyberattacks to disrupt our elections and democratic processes. Now, as the world battles the COVID-19 pandemic, we have seen, and others have reported, that nation states and cybercriminals are taking advantage of the crisis by using virus-themed phishing attacks and other techniques to attack critical institutions. We must assume they will use these techniques to target our elections as well.
Today, we are announcing several steps our Defending Democracy program is taking to help our democratic processes become more resilient in light of all these threats. First, starting today, we’re expanding our Defending Democracy Program to include a new service, Election Security Advisors, which will give political campaigns and election officials hands-on help securing their systems and recovering from cyberattacks. Second, we are expanding our AccountGuard threat notification service to cover the offices of U.S. election officials and the U.S. Congress as many are working remotely. Third, we are extending Microsoft 365 for Campaigns to state-level campaigns and parties. And, finally, we are publishing our public policy recommendations for securing elections, including ways to secure them while confronting the COVID-19 public health crisis.
Introducing Election Security Advisors
Today, as part of Microsoft’s Defending Democracy Program, we’re announcing a new service called Election Security Advisors, bringing Microsoft’s cybersecurity preparedness and remediation expertise to election officials and political campaigns. Through Election Security Advisors, campaigns and election officials will be able to choose from two offerings from Microsoft’s Detection and Response Team (DART). The first is an assessment of an organization’s systems, followed by expert help in configuring them securely to close any security gaps. The second is an incident response service that helps these organizations find the cause of an attack and root it out, and provides the direction required to restore their systems.
Microsoft founded the DART team in 2012 to provide proactive and reactive incident response and resiliency services to customers with the most challenging security needs, including investigation and remediation following attacks. The team currently includes a variety of cybersecurity experts including forensic investigators, reverse engineers and crisis experts across more than 33 cities on five continents who are able to rapidly deploy to customers around the world. These experts have been on the cyber front lines, addressing hundreds of incidents in 52 countries, spanning 26 industries and numerous government agencies. We published a case study of the team’s work today here.
Election Security Advisors is available today to all campaigns for federal office in the United States, state and local election officials, and private vendors serving the campaign and election community. These services have been packaged especially for the needs of the campaign and election community and will be priced significantly lower than comparable services for enterprises. We are also examining ways to bring these services to other democracies in the future. Those eligible for Election Security Advisors can learn more by emailing [email protected].
Since we announced our AccountGuard threat notification service in August 2018, we’ve expanded it to political campaigns, parties and democracy-focused non-profits in 29 countries around the world. It now protects more than 90,000 accounts. Starting today, AccountGuard is also available to members of the U.S. Congress and their staff as well as state election officials across the country, and sign-up is available here. As many of these officials and their staff are engaging in their duties while working remotely, we hope this extra layer of security will help.
AccountGuard is a free service that notifies organizations of cyberattacks, tracking threat activity across email systems run by organizations as well as the personal accounts of their employees who opt in. It’s open to Office 365 customers and can track threats targeting Microsoft’s consumer email services, including Outlook.com and Hotmail. More on AccountGuard is available in our August 2018 announcement here. AccountGuard also includes access to cybersecurity training, and we’ve trained more than 1,500 campaign staffers and consultants on cybersecurity to date.
Microsoft 365 for Campaigns expansion
As we’ve continued to engage with those involved in the democratic process, one thing we hear routinely is that enterprise-grade email and filesharing services with world-class security are often too expensive for campaigns or are too difficult to set up and manage. Based on this feedback, last summer, we announced Microsoft 365 for Campaigns, bringing our best and most secure email services to political campaigns at the federal level.
Starting today, we’re bringing Microsoft 365 for Campaigns to anyone running for political office and political committees at the state level in the U.S., including those running for state legislatures and gubernatorial races. Those wishing to sign up can do so here. As campaigns and committees think about working remotely to support upcoming elections, we believe this will give them the world-class productivity, email, file-sharing and conferencing tools to do so in a way that’s affordable, easy to use and secure. Microsoft 365 for Campaigns provides the features of Microsoft 365 Business to these customers at a low price and with setup tools that help enable any campaign staffer to configure it securely for a campaign environment in about five minutes.
Today, we also published a set of policy recommendations and suggested actions government can take to secure the election system, including recommendations for conducting secure elections while addressing the need for social distancing to fight COVID-19.
To accommodate the possible need for social distancing leading into the November 2020 U.S. elections, Microsoft’s Defending Democracy Program is urging governments to:
- Look at options like increasing access to absentee voting
- Enable curbside or portable voting solutions
To enable absentee voting, states can, for example, waive the requirement that voters submit a reason for requesting an absentee ballot and allow people to request an absentee ballot online. Portable or curbside voting solutions, which exist today mainly to accommodate people with disabilities, should be expanded, which will require new tools like e-pollbooks that can ensure voters are eligible without being tied to a single polling place.
While COVID-19 is a new and unexpected threat to U.S. elections, it is certainly not the only one. Challenges of nation-state interference and concerns about the security of election systems were already at the forefront of many officials’ minds going into this year. To address this, the policy recommendations also lay out five specific suggestions for securing the elections in general:
- A paper trail should be required for all elections
- Election results should be confirmed through post-election audits
- Elections should be end-to-end verifiable, meaning voters and members of the public should be able to confirm the accuracy of results
- Consistent funding needs to be provided by the federal government, so that state and local officials know when they purchase new technology that they’ll have funds to keep it secure through updates and improvements
- Everyone impacted by cyber threats, including the election community, needs to be part of the discussion about changing what’s considered acceptable behavior in cyberspace by joining multi-stakeholder initiatives like the Paris Peace Call for Trust & Security in Cyberspace
Of course, we don’t have all the answers, but we’re sharing these recommendations based on what we’ve seen as we’ve tried to offer new technologies to the community and based on discussions with other technology providers, election officials and the academic community. We hope others offer their suggestions and contribute to the conversation.
In closing, there’s one important note about today’s AccountGuard and Microsoft 365 for Campaigns news. Due to local regulations, we are currently unable to offer AccountGuard to state election departments or M365 for Campaigns in the following states at this time: Colorado, Delaware, Illinois, Oklahoma, Wisconsin and Wyoming. We encourage customers in those states to explore additional offerings here. In many cases, it’s law or regulation – not technical capability – that is preventing us from helping to secure democratic institutions as much as possible. We’ve been pleased that so many government officials around the world have worked collaboratively with us to break down existing barriers, and we’ll continue to work with government officials to find solutions.