Report on Election Security Gains Attention, and a Sharp Rebuke
A Virginia cybersecurity company asserted many states were vulnerable to election system intrusions. Critics called the report flawed and questioned whether the company was looking to exploit legitimate anxiety about election security.
by Jessica Huseman Sept. 13, 5 a.m. EDT
In July, election officials across the country received a mass email from NormShield, a Virginia-based cybersecurity company few had heard of.
The company informed the officials it was about to publicly release the results of a risk scorecard it had generated assessing vulnerabilities in their internet-facing election systems. States could request their scorecards in advance, the company said, and join what it termed a joint marketing and public service project.
NormShield is the only provider that assesses and prioritizes the risk of any organization within 60 seconds, Chief Security Officer Bob Maley wrote. Its work would provide each state with an overview of its failures in 10 categories, all given an easy-to-understand letter grade that can be instantly used to evaluate cyber defenses.
Initially, most states ignored the email. Some told ProPublica they thought it was spam. Others dismissed it as a heavy-handed marketing ploy one of dozens of such approaches states receive monthly from cybersecurity companies hoping to win government contracts.
https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke
-snip-
But ProPublica was unable to find a state that had made any changes after receiving the report. And in a phone call, Maley downplayed the companys responsibility for the improvement, saying he was not willing to make the correlation between the disclosure and the improvement. I dont know, he said. He declined to specify which states grades had improved, and experts say that states may have made a number of changes unrelated to the scans that would have affected their scores.
The Post wrote that NormShield plans to publish another report next month in which it will actually name which states have low grades a move Wallach said would be irresponsible. Maley denied having said this, only saying that it was a potential option if states didnt improve, and that the company would have internal discussions about next steps after the data was analyzed.