Microsoft will give away software to guard U.S. voting machines

The tech giant says it has tracked more than 700 cyberattacks by foreign adversaries against U.S. political organizations so far this election cycle.
Image: A voter casts his primary vote in Hialeah, Florida, on Aug. 30, 2016. (Alan Diaz / AP file)

By Ken Dilanian

ASPEN, Colo. — Microsoft on Wednesday announced that it would give away software designed to improve the security of American voting machines, even as the tech giant said it had tracked 781 cyberattacks by foreign adversaries targeting political organizations so far this election cycle.

The company said it was rolling out the free, open-source software product called ElectionGuard, which it said uses encryption to "enable a new era of secure, verifiable voting." The company is working with election machine vendors and local governments to deploy the system in a pilot program for the 2020 election.

The system uses an encrypted tracking code to allow a voter to verify that his or her vote has been recorded and has not been tampered with, Microsoft said in a blog post.

Its announcement was timed to coincide with the Aspen Security Forum, an annual conference of current and former intelligence, defense and homeland security officials that kicks off Wednesday in Aspen, Colorado — co-sponsored by Microsoft and others. NBC News is a media partner of the forum.

Edward Perez, an election security expert with the independent Open Source Election Technology Institute, said Microsoft's move signals that voting systems, long a technology backwater, are finally receiving attention from the country's leading technical minds.

"We think that it's good when a technology provider as significant as Microsoft is stepping into something as nationally important as election security," Perez told NBC News. "ElectionGuard does provide verification and it can help to detect attacks. It's important to note that detection is different from prevention."

Perez said that about 30 percent of America's registered voters currently live in counties with voting systems that have no auditable paper trail, a situation that he and other election experts say poses an unacceptable risk. An election security bill that could help counties install more security systems by providing $600 million to the states has passed the House but has been held up in the Senate by Republican leader Mitch McConnell.

Microsoft said it has notified almost 10,000 customers in the past year that they've been targeted or compromised by nation-state cyberattacks. About 84 percent of the attacks targeted enterprise customers — generally at organizations — and about 16 percent targeted consumer personal email accounts, the company said.

"While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives," the firm said in the blog post.

The majority of the suspected nation-state attacks came from Iran, North Korea and Russia, Microsoft said.

Last August, Microsoft rolled out a service it calls AccountGuard, now in use in 26 countries on four continents. The company provides it free to current candidates for federal, state and local offices in the United States and their campaigns, the campaign organizations of all sitting members of Congress, national and state party committees, technology vendors who primarily serve campaigns and committees, and certain nonprofit organizations and nongovernmental organizations. Organizations must be using Microsoft's Office 365 software suite to register.

Since then, the company said it has made 781 notifications of nation-state attacks targeting organizations participating in AccountGuard — 95 percent of which targeted U.S.-based organizations.

"Many of the democracy-focused attacks we've seen recently target NGOs and think tanks and reflect a pattern that we also observed in the early stages of some previous elections," Microsoft said. "A spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serves as a precursor to direct attacks on campaigns and election systems themselves."

Echoing the warnings of U.S. intelligence officials, the company said it anticipates "that we will see attacks targeting U.S. election systems, political campaigns, or NGOs that work closely with campaigns."

Microsoft is not the only tech giant trying to help with election security. The Defense Department's Defense Advanced Research Projects Agency (DARPA) is working with an Oregon firm, Galois, on open-source voting software designed to be resistant to hacking. That system also uses encryption to allow voters to verify their votes.

But that system will not be ready for 2020. A recent report by Stanford University's Cyber Policy Center summed up the current state of vulnerability.

"A number of independent research efforts have demonstrated the ease with which individual electronic voting stations can be compromised by simply using the paltry resources available to university research teams," the report said. "Hostile foreign governments would be able to deploy orders of magnitude more resources to this task."