In July, election officials across the country received a mass email from NormShield, a Virginia-based cybersecurity company few had heard of.
The company informed the officials it was about to publicly release the results of a “risk scorecard” it had generated assessing vulnerabilities in their internet-facing election systems. States could request their scorecards in advance, the company said, and join what it termed “a joint marketing and public service project.”
“NormShield is the only provider that assesses and prioritizes the risk of any organization within 60 seconds,” Chief Security Officer Bob Maley wrote. Its work would provide each state with an overview of its failures in 10 categories, all given an easy-to-understand letter grade “that can be instantly used to evaluate cyber defenses.”
Initially, most states ignored the email. Some told ProPublica they thought it was spam. Others dismissed it as a heavy-handed marketing ploy—one of dozens of such approaches states receive monthly from cybersecurity companies hoping to win government contracts.
But some states asked for reports on their systems. Considerable upset followed.
States that received the reports found them riddled with errors and unhelpful for assessing actual election security. The work done by NormShield—called “Rapid Cyber Risk Scorecards”—had tested online government material not associated with elections. In Idaho, for example, the company examined the security of the Department of Environmental Quality, but not the state’s online voter registration system. In Oklahoma, of 200 IP addresses scanned, none were related to elections. In Vermont, the scan had been performed on a defunct domain.
“You would think a firm that claims expertise in cybersecurity could do a simple Google search to find the correct address of a state website,” Iowa Secretary of State Paul Pate said in a statement.
Multiple sta ..
Support the originator by clicking the read the rest link below.
