How Amazon.com moved into the business of U.S. elections
[October 15, 2019]
By Nandita Bose
WASHINGTON (Reuters) - Amazon.com Inc's <AMZN.O>
cloud computing arm is making an aggressive push into one of the most
sensitive technology sectors: U.S. elections.
The expansion by Amazon Web Services into state and local elections has
quietly gathered pace since the 2016 U.S. presidential vote. More than
40 states now use one or more of Amazon's election offerings, according
to a presentation given by an Amazon executive this year and seen by
Reuters.
So do America's two main political parties, the Democratic presidential
candidate Joe Biden and the U.S. federal body charged with administering
and enforcing federal campaign finance laws.
While it does not handle voting on election day, AWS - along with a
broad network of partners - now runs state and county election websites,
stores voter registration rolls and ballot data, facilitates overseas
voting by military personnel and helps provide live election-night
results, according to company documents and interviews.
For a graphic, click https://tmsnrt.rs/321GbNH
In the fullest public picture yet of Amazon's strategic move into U.S.
election infrastructure, Reuters reviewed previously unreported company
presentations and documents, and conducted more than two dozen
interviews with lawmakers, election administrators, and heads of
election security and technology in nearly a dozen states and counties
that use Amazon's cloud.
Amazon pitches itself as a low-cost provider of secure election
technology at a time when local officials and political campaigns are
under intense pressure to prevent a repeat of the 2016 presidential
elections, which saw cyber-attacks on voting systems and election
infrastructure.
"The fact that we have invested heavily in this area, it helps to attest
to the fact that in over 40 states, the Amazon cloud is being trusted to
power in some way, some aspect of elections," Michael Jackson, leader,
Public Health & U.S. Elections at AWS, told prospective government
clients in February via a presentation on a webinar, which was viewed by
Reuters.
The company's efforts are welcomed by election administrators, who in
interviews said they often struggle with keeping outdated systems up to
date at the local level.
In Oregon, for example, the state's in-house servers that support
election services shut down every time there is a power outage - a
frequent occurrence as Oregon updates its electric grid, according to Peter
Threlkel, chief information officer at the Oregon Secretary of State. A
move to the cloud fixes that problem, and Oregon ran a pilot with AWS to
move its voter registration system to the cloud, he said.
Some security experts like David O'Berry, co-founder, Precog Security,
said moving to AWS is "a good option for campaigns, who do not have the
resources to protect themselves."
Still, Amazon's growing presence in the elections business could
undermine what many officials view as a strength of the U.S. voting
system: decentralization.
Most security experts Reuters spoke to said that while Amazon's cloud is
likely much harder to hack than systems it is replacing, putting data
from many jurisdictions on a single system raises the prospect that a
single major breach could prove damaging.
"It makes Amazon a bigger target" for hackers, "and also increases the
challenge of dealing with an insider attack," said Chris Vickery,
director of cyber risk research at cybersecurity startup Upguard.
A recent hack into Capital One Financial Corp's <COF.N> data stored on
Amazon's cloud service was perpetrated by a former Amazon employee. The
breach affected more than 100 million customers, underscoring how rogue
employees or untrained workers can create security risks even if the
underlying systems are secure.
Amazon says its systems are reliable. "Over time, states, counties,
cities, and countries will leverage AWS services to ensure modernization
of their elections for increased security, reliability, and analytics
for an efficient and more effective use of taxpayer dollars," an AWS
spokesperson told Reuters.
Amazon's push into the election business comes as the company faces
criticism from politicians, labor unions and privacy advocates over its
business practices and growing influence. President Donald Trump has
accused the company of competing unfairly and repeatedly attacked the
Washington Post, owned by Amazon CEO Jeff Bezos, for alleged bias, a
charge Bezos and the paper deny.
Amazon is forging ahead. It now powers the websites for the Federal
Election Commission (FEC), the Republican National Committee (RNC) and
the Democratic National Committee (DNC), according to a source and
election security experts.
The FEC, DNC and RNC declined comment. A person familiar with the DNC's
plans said the committee has recently moved some data from AWS to
Alphabet-owned Google <GOOGL.O> cloud but did not explain the reason for
the shift.
Amazon has also won over major individual candidates, the executive
leading the company's election push said earlier this year.
"Some of the largest presidential, congressional and gubernatorial
campaigns are also trusted to AWS," Amazon's Jackson told clients in the
February webinar viewed by Reuters.
For example, Democratic Presidential frontrunner Joe Biden's online
fundraising operations rely on AWS, a source with knowledge of the
matter said. The Biden campaign did not respond to requests for comment.
In the past, AWS powered the Obama for America campaign in 2012, the
source added.
Reuters could not verify what cloud service the Trump campaign is using.
It had no comment.
The privatization of voting infrastructure is part of a broader trend
that has swept across nearly every aspect of government activities in
America - from parking tickets to prisons - and continues under the
Trump administration.
The Amazon.com logo and stock price information is seen on screens
at the Nasdaq Market Site in New York City, New York, U.S.,
September 4, 2018. REUTERS/Mike Segar/File Photo
Microsoft Corp's <MSFT.O> Azure, the biggest rival to AWS, has a
sizeable government business and offers some election services but
it has not focused on them and lags Amazon, according to companies
who partner with both firms for government contracts. Microsoft
declined to comment.
Amazon is also competing with traditional election technology
vendors including Election Systems & Software (ES&S) and Dominion
Voting Systems Corp, which offer some similar services such as
election night reporting and data storage, according to consultants.
An ES&S spokeswoman said the company has not seen any impact from
Amazon's efforts. Dominion did not respond to requests for comment.
LESS THAN $100 TO SECURE ELECTION NIGHT
Voting itself does not happen via Amazon. Voting machines in most
states are not connected to any cloud service.
But elections require a raft of other technologies to keep track of
voters and provide information. Amazon often works with specialized
partners, who actually do the bidding on government contracts and
include Amazon as a preferred vendor.
North Carolina chose Amazon Web Services over Microsoft's Azure to
deliver election night results reporting because it "was simple to
set up (and) very low in cost," the State Board of Elections said.
Before it worked with Amazon, North Carolina spent "thousands of
dollars" on a similar service. Amazon charged them less than $100
during elections in 2016 and 2018 for the same service, the State
Board of Elections said.
California's Alameda County turned to Amazon's cloud to let citizens
view results on election night. The cost is less than $100 a year,
county officials said.
In his webinar to clients, Amazon's Jackson said these services help
the company win bigger contracts. For example, Oklahoma has tied up
with an Amazon partner and pays $26,000 for two services on Amazon's
servers, Pam Slater, assistant secretary at the Oklahoma State
Election board said.
Amazon has three categories of election-related clients: election
administrators in states and counties, political campaigns and
election-related non-profits, the documents, presentations and
interviews show.
The company's expansion in the election arena reflects its broader
dominance in the fast-growing cloud computing business. Amazon had
33% of the overall cloud market in the second quarter of
2019 followed by Microsoft, according to SRG Research. For a graphic
on market share, click https://tmsnrt.rs/323b9Vw
AWS, officially launched in 2006, generated $25.7 billion in sales
in 2018 and is the company's biggest profit-generator. It was not
clear how big the election business is inside AWS and the company
declined to provide any details.
IS IT BULLET PROOF?
One of the main security concerns with election systems involves
voter registration data, which Russian hackers breached in at least
Arizona and Illinois in 2016, according to the FBI.
Such databases generally include voter ID information such as
partial social security numbers, addresses, voting history, party
affiliation, whether an early ballot was sent, early primary ballots
for independent voters, provisional ballots, and hand-written
signatures of voters and absentee ballots, according to an analysis
of RFPs (requests for proposal) from states looking to move such
databases to the cloud.
Vickery, the director at Upguard, uncovered at least three instances
where voter data on Amazon's cloud servers was exposed to the
internet, which have been reported previously.
For example, in 2017, he found a Republican contractor's database
for nearly every registered American voter hosted on AWS exposed on
the internet for 12 days. In 2016, he found Mexico's entire voter
database on AWS servers was leaked. https://reut.rs/30J35be
Amazon said the breaches were caused by customer errors, adding that
while AWS secures the cloud infrastructure, customers are
responsible for security of what goes in the cloud.
Errors caused by customers could continue, experts said, as many
employees of states and counties who use AWS services lack the
skills and training to avoid such errors in the future.
Greg Miller, co-founder of the OSET Institute, which works with the
Department of Homeland Security and Congress on election security,
also noted many of Amazon's partners - such as technology companies
also called managed service providers (MSPs) who are tasked with
delivering AWS services to customers - do not have the credentials
or experience needed in delivering and handling election services.
Amazon did not comment on the issue.
None of these risks have deterred those that have signed up
with AWS.
"We think (AWS) provides us with the best available level of
security," said Ron Morgan, chief deputy county clerk of Travis
County in Texas, one of the largest counties in the state, which
uses Amazon's servers to run its election website.
"Is it bullet proof? I don't know," he added. "But is it a very,
very hard target? Absolutely."
(Reporting by Nandita Bose in Washington; Additional reporting by
Jeffrey Dastin in San Francisco and Chris Bing in Washington;
Editing by Chris Sanders and Edward Tobin)
[© 2019 Thomson Reuters. All rights
reserved.]
Thomson Reuters is solely responsible for this content.