States that received the reports found them riddled with errors and unhelpful for assessing actual election security. The work done by NormShield — called “Rapid Cyber Risk Scorecards” — had tested online government material not associated with elections. In Idaho, for example, the company examined the security of the Department of Environmental Quality, but not the state’s online voter registration system. In Oklahoma, of 200 IP addresses scanned, none were related to elections. In Vermont, the scan had been performed on a defunct domain.
“You would think a firm that claims expertise in cybersecurity could do a simple Google search to find the correct address of a state website,” Iowa Secretary of State Paul Pate said in a statement.
Multiple states confronted NormShield about the reports. Federal government agencies privately called it irresponsible, and nonprofit groups panned NormShield’s failure to appropriately notify the states of vulnerabilities before threatening to report them publicly.
It might all have faded away as an unremarkable, if annoying, episode had it not been for the fact that NormShield on Tuesday published its work. While the published report did not name any specific states, it said that more than half of the 50 states whose systems it examined had received “a grade C or below.”
In interviews with ProPublica, election officials and experts in election security said NormShield’s behavior amounted to another kind of election security threat: companies looking to profit from a country on edge about the integrity of its national and local elections.