Earlier this week, a report from a purported security company called NormShield made big news. It asserted that it had examined all 50 states' elections systems and that more than half had received "a grade C or below." The alarm bells rang all over the national media. The problem is, ProPublica reveals, that the report was a scam. NormShield is capitalizing on the fear of another hacked election and the vacuum of action by government, thanks to Moscow Mitch McConnell's refusal to address election security.
In July, the company sent out a mass email to states, informing them of its pending public release of a "risk scorecard" it had compiled from an analysis of their internet-connected elections systems. It was offering states the opportunity to get their scorecards in advance for "a joint marketing and public service project." Some states ignored it as either a scam or a come-on marketing pitch. Others followed up and found out the company's "analysis" was useless, error-ridden, and sometimes not even related to elections. "In Idaho, for example, the company examined the security of the Department of Environmental Quality, but not the state’s online voter registration system," ProPublica reports. "In Oklahoma, of 200 IP addresses scanned, none were related to elections. In Vermont, the scan had been performed on a defunct domain."
Despite this—and these states and other groups gave this feedback to NormShield—the company released the scorecard and caused an uproar, which ultimately plays into exactly what Russia wanted to do with its interference: raise questions within the electorate about the integrity of our elections. And they're doing it for profit. "There is a lot of work to do to better secure election technology, and states are looking for help," David Becker, the executive director of the Center for Election Innovation & Research, told ProPublica. "But profiteering only serves to further diminish voter confidence, which is exactly what our adversaries want."
The states are looking for help, and it could come from a $600 million boost to cybersecurity efforts passed by the House, which McConnell has blocked from coming to the floor. He says that we've already done enough to prevent Russian interference and that the fact that the money comes with some baseline cybersecurity requirements states would have to meet threatens states' autonomy in running elections. But those requirements would also crowd out scammers such as NormShield. As it is, "Election officials now need to spend time they don't have responding to these poorly vetted claims," said Ben Adida, the CEO of VotingWorks, a nonprofit building secure and affordable voting machines.
So NormShield is free to keep operating and absolutely intends to do so. It will be issuing more scorecards publicly, it tells ProPublica, and even though states now know the company's work has been bogus, it’ll have to be addressed. Jim Condos, the Vermont secretary of state, who has contracted with real security companies to assess the state's system, says that the situation is ripe for this kind of exploitation, noting, "It appears to me to be an attempt to create hysteria in the public to sell their product."
All the while, Moscow Mitch is making sure states are vulnerable both to election hacking and to being scammed.