We examine the companies and technologies helping to mitigate threats to the 2020 US presidential election.
In a matter of weeks, Americans will head to the polls to vote in the 2020 presidential election. It will be a unique experience, with fewer people casting votes in person, and those who do wearing masks and maintaining social distance.
Even before Covid-19, the stakes for this election were high. In 2016, Russia deployed disinformation tactics on social media, infiltrated voter registration databases, and breached campaign systems to undermine the electoral process. Reeling from foreign interference in that election, federal and state governments have spent much of the past 4 years preparing defenses for 2020.
This year, intelligence professionals expect Iran and China to join Russia in their interference efforts. Some researchers also cite the growing threat of domestic political groups leveraging disinformation to affect the outcome of the vote.
Aware of the threats, Congress has granted states more than $800M in funding to improve election security. Furthermore, in 2018, the US Cyber Command initiated a new strategy to proactively disrupt foreign cyber threats and harden government systems. In partnership with the NSA, these endeavors reportedly thwarted a “concerted effort” to compromise the 2018 midterm elections.
The battle to ensure US election integrity persists. In this report, we examine the risk, potential impacts, and solutions for 11 vulnerability points in the upcoming election.
Table of contents
- Political campaigns’ systems
- Voter registration systems
- Voting machines
- Candidate personal accounts
- Election systems vendors
- Election administrators
- State and local websites
- Critical infrastructure
- Mail-in ballots (USPS)
- Foreign campaign finance
- Countdown to the election
Disinformation is the use of false information to mislead or deceive. Purveyors of disinformation typically aim to erode faith in institutions like the media and government, sow discord among different groups, or change public perception of specific figures, countries, ideas, etc.
Online platforms like YouTube and Facebook enable the efficient creation and distribution of disinformation, while artificial intelligence (AI) tech fuels its effectiveness, allowing the use of deepfakes — hyperrealistic artificially generated media — and bots.
Risk level: High
Disinformation is a threat with a proven track record, having played a role in the 2016 US presidential election.
Highlighting the imminent risk to the November 2020 elections, National Counterintelligence and Security Center director William Evanina has stated,
“[F]oreign nations continue to use influence measures in social and traditional media in an effort to sway US voters’ preferences and perspectives, to shift US policies, to increase discord and to undermine confidence in our democratic process.”
An investigation by a US Senate committee into 2016 efforts to influence the presidential election found no evidence suggesting voter tallies were changed or manipulated.
While there is no clear causal link between disinformation and voting behavior, concern about the proliferation of disinformation is well-founded. A 2018 study by MIT’s Media Lab found that false information spread faster on Twitter than the truth:
“False news reached more people than the truth; the top 1% of false news cascades diffused to between 1,000 and 100,000 people, whereas the truth rarely diffused to more than 1,000 people.”
This virality has been evident in the spread of Covid-19-related disinformation — a potential harbinger of what is to come in November. An April 2020 poll by Pew Research found that more than 60% of Americans were exposed to news about the virus that seemed completely made up.
Cyber defenses: companies aim to spot bots & deepfakes and improve media quality
To defend against disinformation, federal and local governments are aiming to educate the public about this threat. The federal government has also made moves to disrupt foreign actors’ malicious activities.
Online platforms and startups also have a role to play in mitigating the spread of false information.
To identify and remove false information, some companies employ content moderators, which, in the case of Facebook, number around 15,000 and are mostly contractors.
Others also use artificial intelligence technology. Google built a dataset of deepfakes to support researchers’ attempts to construct deepfake detection tools. Facebook joined with Microsoft and Amazon to sponsor a deepfake detection challenge in 2019-2020.
To promote factual information, Google, Facebook, and Twitter have donated more than $100M to outside fact-checking and journalism organizations since March 2020. These companies also joined or created initiatives (such as the News Integrity Initiative and Google News Initiative) to support quality journalism through investments, training, and partnerships. Facebook and Twitter both provide verified resources on voting in the 2020 election.
Startups tackling the challenge of disinformation are also seeking to identify bots and false information, as well as to raise awareness of the threat and promote media literacy.
Yonder and Astroscreen detect false information on online platforms. Yonder uses machine learning algorithms to monitor online conversations, while Astroscreen analyzes Twitter account behavior to identify bots.
NewsGuard seeks to inform the public’s consumption of information by providing a browser extension that indicates the quality of news sources found online. Quality scores are based on the news source’s trust ratings.
Political campaigns’ systems
Campaigns are often run by a small, full-time staff working with a large number of volunteers, who help with fundraising, messaging, events, and more. Members of these groups often have access to sensitive information about candidates and lists of potential voters and donors.
An attack on a campaign’s IT infrastructure can disrupt operations and release confidential information regarding candidates and their supporters.
Risk level: High
There is a precedent for this kind of threat. In 2016, hackers used a spear-phishing campaign to infiltrate Hillary Clinton’s campaign chairman John Podesta’s email and release the collected information to the public.
With regard to the 2020 election cycle, in 2019, Microsoft’s threat intelligence team identified similar malicious actions by foreign agents, stating, “We are seeing activity by the same Russian actors that we saw target 2016 and 2018.”
The release of sensitive information to the public can alter public perception and influence voting behavior. Further, the disclosure gives opposing candidates and campaigns an advantage by revealing strategies and messaging.
Infiltration of a campaign’s systems can also imperil operations such as fundraising, logistics, and communications.
Cyber defenses: Cybersecurity advisory services
Political campaigns are increasingly aware of the cyber threats they face, but many still struggle with the same challenges: a reluctance to share threat information, limited budgets, and a transitory volunteer workforce.
Several nonprofit organizations, including Defending Digital Campaigns and US Cyberdome, offer cybersecurity advisory services and vendor solutions for free or at reduced costs to campaigns. In March 2020, US Cyberdome created a threat information sharing network for political campaigns.
In 2019, the Federal Elections Commission granted Defending Digital Campaigns special approval to provide cybersecurity services to congressional and presidential campaigns. Since then, the organization has developed an ecosystem of cybersecurity partners offering free or discounted services.
The solutions available to campaigns cover a range of defenses, from email to cloud to endpoint protection.
Voter registration systems
In every state except for North Dakota, voters must register to vote. These records are managed at the state level and typically include a voter’s name, address, date of birth, and other identifying information.
While this decentralized system makes a nationwide attack more difficult, it also expands the attack surface. Each state updates its voter records with numerous sources, including the Department of Motor Vehicles, online registration websites, and local officials’ computers.
If hackers manage to access these voter registration systems, they can alter, delete, or lock down records, causing confusion on election day and harming the integrity of electoral results.
Risk level: High
In the 2016 US presidential election, Russian hackers probed at least 18 state voter registration databases. In some of these states, they managed to access voter registration systems, placing them in a position to alter the information.
While there’s no evidence to suggest hackers made changes to these databases, they likely gained a significant amount of information on state IT systems and security practices. This knowledge could place the US at risk of foreign interference as it heads into the November 2020 elections.
Hackers also frequently target state and local governments with ransomware. These attacks lock entities out of their systems with encryption, at which point hackers demand payment to provide a key to unlock them. Since 2019, local and state governments have experienced over 200 ransomware attacks.
Altering or locking voter registration databases with ransomware could create confusion and impact voters’ ability to participate in elections. However, executing this attack at scale would be a challenge.
Meaningful changes to voter records are easier to detect, and state systems are isolated and unique, making widespread attacks more difficult. Furthermore, most databases are backed up, and the provisional balloting process in most states allows individuals to vote even if an administrative error leaves them off the voter rolls.
That said, if there is evidence of voter registration database manipulation, it could jeopardize the legitimacy of election outcomes, resulting in uncertainty.
Cyber defenses: sensors for early detection and data backup solutions
States and the federal government have taken numerous steps since 2016 to improve voter registration databases. They’ve allocated funding for the issue, modernized systems, established processes for communicating threats, and hired additional cybersecurity personnel to focus on elections.
At least 36 states have worked with the Center for Internet Security, a not-for-profit IT security company, to add network intrusion sensors (known as Albert sensors) that detect and report malicious activity on networks. Early detection shortens state and federal authority response times, limiting hackers’ ability to impact voter registration databases.
To protect the sensitive information housed in voter registration databases from ransomware attacks and ensure availability, states should also consider data backup solutions. When databases are frequently updated from online sources, they also require frequent syncing to backup solutions. Cohesity, Druva, and Rubrik provide such solutions, ensuring data availability during disasters such as ransomware attacks.
Though an unusually large portion of the voting in November is expected to occur through the mail, voting machines will still collect a meaningful share of votes cast. These voting machines provide voters with a list of candidates, record their selections, and tally votes.
Many voting machines are digital and thus vulnerable to manipulation. While state governments are working to replace vulnerable machines, many will still be used in November 2020.
An attack on these machines could impact an electoral outcome by manipulating vote tallies or altering the ballot to deceive voters.
Risk level: Moderate
At the 2019 information security DefCon conference, hackers tested and successfully breached the security of 100 different voting machines certified for use in at least one US jurisdiction.
Furthermore, a Senate Committee report looking into election infrastructure following the 2016 election found:
“Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.”
The decentralization of America’s voting system insulates it from a widescale attack on its voting machines. Nevertheless, a mere few precincts can have an outsized impact on the election result, making their voting machines especially important to secure.
Further, if posted online, evidence of the successful tampering of voting machines, even at a small scale, could cast doubt on election results.
Cyber defenses: updating machines and verifying votes
Many states are replacing older voting machines and those that do not produce a paper copy of the results. These paperless machines prohibit a paper audit, which analyzes a sample of the votes to verify the electronic results. The Brennan Center estimates that only 12% of votes will be cast on paperless machines in 2020, down from 20% in 2016.
Further, Microsoft piloted its open-source ElectionGuard product in a local election in Wisconsin in early 2020. The product does not fix the numerous challenges associated with voting machines, but instead provides voters with a means of verifying their vote. By printing 2 copies of the vote — one for the ballot box and one for the voter — it allows voters to identify discrepancies that would indicate an issue with the machine.
ElectionGuard, which leverages homomorphic encryption to ensure security and anonymity, will not be ready for the 2020 elections. Nevertheless, its approach to the challenge highlights the importance of having a verifiable record of votes.
Candidate personal accounts
If campaigns for political office were a business, then candidates would be the product. For candidates, this may blur the lines between personal and public life and the technologies that support both.
Candidates often prioritize security for work email and applications while neglecting personal email and social media accounts. Unsecured personal accounts, however, represent a threat to elections, especially when the public does not discriminate between a candidate’s personal and public accounts or remarks.
Hackers targeting a candidate’s personal accounts could capture and release sensitive information as well as impersonate the candidate on social media or in other communications.
Risk level: Moderate
In July 2020, a hack of Twitter resulted in the hijacking of several high-profile figures’ accounts, including Democratic presidential candidate Joe Biden, former President Barack Obama, and businessman Elon Musk. The attacks serve as a proof of concept of taking over accounts and using them for malicious purposes.
Since 2016, several instances of phishing attacks — impersonations, often conducted via email, to deliver malware or solicit information — against political candidates have surfaced. Microsoft’s VP of customer security and trust, Tom Burt, has highlighted how his team identified 3 phishing attacks against candidates running for office in 2018.
Access to a candidate’s personal accounts represents a multi-sided threat: It allows hackers to collect and disclose information publicly or to rival candidates; use information to access other sensitive systems; or impersonate a candidate.
In all these instances, the potential to damage a candidate’s public perception represents a threat to a fair election.
Cyber defenses: email security and deeper authentication
To support high-risk individuals, Google launched its Advanced Protection Program as an extension of its popular email service. The solution provides an added layer of security to personal email accounts by limiting third-party access to email and requiring physical security keys for authentication.
Multi-factor authentication — where a second source of identification (such as a code sent via phone or email) is required to access an application or account — dramatically reduces the risk to personal account hacking.
However, hackers can intercept these authentication messages. A physical key (like a USB, Smart Card, etc.) such as those offered by Yubico eliminates this threat, removing the opportunity to intercept authentication messages.
Companies such as LastPass also offer protection to individuals by using encrypted password managers that support advanced two-factor authentication (e.g. fingerprint and face ID). Both Yubico and LastPass offer their services through Defending Digital Campaigns.
Election systems vendors
Local and federal governments rely on vendors to execute and support elections, from communications via email, to machines for vote collection, to election websites. Some vendors play a larger role than others: For example, a single vendor provides a system that more than 60% of Americans use to vote.
An attack on these vendors or one of their many suppliers could hamper election processes or result in the loss of sensitive information.
Risk level: Moderate
A report by the FBI found that Russian hackers breached a US election software provider in 2016. Posing as the same vendor, these hackers sent more than 100 spear-phishing emails to election administrators in several Florida counties.
Election management vendors with low margins, limited federal oversight, and high barriers to entry face complaints of severely under-investing in cybersecurity.
In 2017, for instance, a California-sponsored security audit of Election Systems and Software (ES&S), an election management vendor, uncovered multiple vulnerabilities that could allow a hacker to manipulate operating system configurations, even to the point of erasing votes.
Vendors support critical portions of the election process and often have access to personally identifiable information, making them sizable points of failure. In a highly concentrated market where just 3 companies (including ES&S) account for more than 90% of the US voting equipment, an attack on a vendor could cause significant disruption.
Cyber defenses: vulnerability disclosures & Testing
In 2020, ES&S announced a vulnerability disclosure program. This announcement follows a long history of election equipment and software vendors shunning vulnerability testing and disclosure activities.
Synack, a crowdsourced vulnerability testing platform, will support the program. This initiative follows on Synack’s push into election security, which began in 2018 with its Secure the Election program. Reaching out to each state’s Secretary of State, the company offered pro bono crowdsourced security testing of their election systems.
Crowdsourced vulnerability platforms such as those offered by Synack, HackerOne, and Bugcrowd can identify vulnerabilities in election technology before malicious actors have the chance to exploit them.
More than 10,000 local administration officials execute election processes, from the storing and testing of voting machines to the tabulation of results. Chief among their responsibilities is the transfer of information from the polls to state officials.
An attack on these administration officials and the systems they rely on could hamper voting, the tallying of results, or the transfer of these results.
Risk level: Moderate
A 2020 study by cybersecurity company Area 1 Security found that just over half of election administrators have “only rudimentary” technologies to protect against phishing attacks.
Hackers employed phishing attacks in 2016 with some success, breaching 2 county elections’ systems in Florida and gaining access to Hillary Clinton’s campaign chairman’s email.
With phishing attacks, email serves as the entrance to a user or corporation’s systems and data, placing electoral systems at risk.
Phishing success rates, however, are often in the single digits. Smaller jurisdictions are most susceptible, and with the patchwork of electoral systems across the country, the impact of such an attack could be contained.
Cyber defenses: PRIVILEGED access MANAGEMENT
Anti-phishing tools flag or redirect malicious emails, closing the door to hackers. Privileged access management solutions, meanwhile, limit the damage a hacker can do from within the network by controlling access to data and systems.
Area 1 Security and Agari are 2 anti-phishing companies providing their services at no cost or reduced cost through the Defending Digital Campaigns initiative. Centrify, a privileged access management provider, has offered its solution to the US Election Boards at a 50% discount through its “Secure the Vote 2020” initiative.
In addition to support from the private sector, federal agencies and state officials have worked to increase election administrators’ awareness of security threats, develop reporting processes, and improve cybersecurity training over the past 4 years.
For example, Texas now requires all employees with access to the Statewide Voter Registration and Election Management System to complete annual security training. The Cybersecurity & Infrastructure Security Agency (CISA) supports these efforts by providing training materials to state and local agencies.
State and local websites
State and local governments provide important information about how and where to vote in the days leading up to an election. This information, along with electoral results, is often hosted on government or news websites.
Hackers attacking the web assets of local governments and the media could provide false information or prevent important logistical information from reaching potential voters.
Risk level: Moderate
In 2018, a distributed denial-of-service (DDoS) attack took the Knox County Election Commission website offline during a local election in Tennessee. The website was used to provide the public with the election results.
Research by cybersecurity firm McAfee found that the majority of county and county election administration websites in 13 battleground states lacked security measures such as secure https encryption or a .gov validation. These shortcomings make website impersonation even easier for hackers.
Manipulating or taking down government websites supporting elections could sow confusion and impact voter turnout. Such attacks could also cast doubt on the integrity of the election.
That said, with alternative means of communication available (such as media, social media, and other government websites) and a decentralized voting system, an attack limited to electoral websites is unlikely to meaningfully impact the electoral outcome on a widespread level.
Cyber defenses: free website security services
With often limited budgets and IT resources, many election jurisdictions lack the tools to secure their web assets properly.
Recognizing this need, Cloudflare, a website security company, announced its Athenian Project in 2018. This initiative provides Cloudflare’s security products — web application firewall, DDoS protection, and website analytics — for free to state and local governments. As of December 2019, 156 local or state websites in 26 states had taken advantage of the offering.
Through its Jigsaw subsidiary, Google created Project Shield, a free service that protects the websites of human rights, news, and election monitoring organizations. Project Shield filters malicious traffic to keep sites up and running.
CISA defines critical infrastructure as the physical and virtual assets, systems, and networks that “are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, [or] national public health or safety.”
Critical infrastructure spans 16 sectors and, in 2017, the Department of Homeland Security added election infrastructure to the list of government facilities.
A cyber attack on America’s critical infrastructure — such as power grids or transport systems — on election day could reduce voter turnout, incapacitate voting systems or facilities, and diminish trust in electoral results.
Risk level: Low
An attack on America’s critical infrastructure would likely incite swift and aggressive retaliation by the US, acting as a deterrent to countries such as Iran, Russia, and China.
However, the precedent for such attacks exists. In 2020, Israel experienced an attack on its water supply, and a ransomware attack in the US took a natural gas operator offline. In the past, Russian hackers have compromised Ukraine’s power grid, and more recently have targeted German critical infrastructure.
The Council on Foreign Relations identified “a highly disruptive cyber attack on US critical infrastructure, including its electoral systems,” as a top threat in 2020.
Critical infrastructure attacks pose a significant threat to health and safety — an attack on the power grid, for example, could take vital systems like traffic and internet offline. An attack’s intangible impact, however, could be even more meaningful and lasting.
For example, taking the power grid offline could cause traffic congestion and confusion, reducing voter turnout in affected jurisdictions. This regional impact on turnout could pale in comparison to the broader impact that news of the interference would have on the country, potentially undermining trust in the electoral outcome.
Cyber defenses: protecting IT & ot Systems
The federal government has devoted resources and oversight to critical infrastructure, while startups and incumbents alike provide cyber defenses to thwart evolving threats.
A wide range of companies aim to protect critical infrastructure, including defense contractors (e.g. Lockheed Martin, BAE Systems), technology companies (e.g. Cisco, Tenable), and industrial equipment providers (e.g. Siemens, General Electric). These companies typically focus on protecting either a company’s IT systems or its operational technology (OT) systems — the machines and equipment conducting critical operations.
Focusing on protecting these industrial systems, Cisco acquired industrial internet of things (IIoT) cybersecurity company Sentryo in 2019. Siemens, an equipment manufacturer, is building security into its products and purchased UltraSoC in June 2020 to, in part, detect malicious attacks.
Many cybersecurity startups also focus on the critical infrastructure market:
- Mission Secure provides a control system protection solution for OT environments, specifically within the energy, chemicals, maritime, and defense industries.
- Nozomi Networks helps companies identify vulnerabilities on their network from OT and IoT devices.
- Tempered Networks rolled out an updated IIoT security platform in September 2019 that isolates and segments industrial systems from IT networks.
Mail-in ballots (USPS)
Mail-in voting will play a prominent role in the November 2020 collection as the country largely avoids in-person activities amid the pandemic.
The facilitator of this voting process, the United States Postal Service (USPS), will introduce an element of centrality to a customarily distributed voting system with its national presence.
Like any large logistics organization, the USPS relies on technology to enable its operations and workforce. Therefore, an attack on its IT systems could disrupt its operations, delaying an electoral outcome.
Risk level: Low
The USPS relies on a workforce of 500,000+ workers and a host of technologies from barcode readers to tray sorters to support a mail volume that surpassed $142B in 2019. This breadth of operation creates a large attack surface.
In July 2020, CISA released a note outlining specific threats to mail-in voting and steps to mitigate them. The potential for delays exists at several phases of the voting process, such as inbound and outbound ballot processing.
An attack on the USPS’ IT systems could impact the organization’s ability to support voting by mail in a timely fashion. This tampering could delay the collection and tabulation of results, creating uncertainty surrounding the outcome of the election on election night.
Delays, however, are expected, and therefore may pose a reduced risk to the integrity of the election.
Cyber defenses: incident response
Following a breach in 2014, the USPS took numerous steps to improve its cybersecurity, creating a Corporate Information Security Office, establishing a Cybersecurity Operations Center (CSOC), and receiving funding to develop its threat monitoring and incident response capabilities.
In March 2020, the Office of Inspector General conducted a test of USPS’ incident detection and response capabilities. The redacted report detailing the outcome of the test indicated areas of improvement, including developing key performance metrics, establishing a process to review incident response tickets, and completing the implementation of certain detection capabilities.
Many cybersecurity companies offer incident response solutions, including BlueVoyant, which seeks to support election security by providing services at a reduced cost to political campaigns and parties. Exabeam and Securonix also support incident response by leveraging data science techniques.
Foreign campaign finance
Candidates for public office and their campaigns often rely on fundraising to support their operations (e.g. renting office space, hiring campaign staff, etc.) and finance advertisements. These activities encourage voter participation, increase awareness for the candidate, and help craft the candidate’s public image.
Campaign financing comes from numerous sources, including individual donations, corporations, and labor organizations, as well as through various organizations or financial structures like political action committees (PACs) and political parties. However, foreign entities — individuals, corporations, and governments — are prohibited from donating to a candidate’s campaign, directly or indirectly.
An attack that circumvented financial safeguards to deliver foreign funds could provide one candidate with an unfair advantage in the election, sidestepping the will of the American people. Alternatively, the inappropriate receipt of foreign funds could taint a candidate’s reputation.
Risk level: Low
There has historically been little evidence of foreign money in US elections. To meaningfully influence an electoral outcome, a foreign entity would need to inject a substantial sum of money into a candidate’s campaign. This requirement applies both for impacting an electoral outcome or tainting a politician’s credibility.
Funneling such a significant sum of money into a campaign without detection poses a technical challenge. Further, many foreign entities may deem such an investment unworthy of the uncertain outcome.
In the 2015-2016 election cycle, presidential candidates raised and spent $1.5B on campaign expenditures, while affiliated entities (PACs and party committees) spent an additional $5.6B. Moving the needle would require a foreign entity to spend big without detection.
Further, researchers have not identified a causal link between spending and electoral outcome — so even vast sums of foreign money would not necessarily ensure a candidate’s victory. However, if a candidate receives foreign funds, it could hurt their reputation, depending on whether it was an intentional or unintentional receipt.
Cyber defenses: compliance and regulatory tech to monitor fraud
Corporations across the globe employ complicated legal structures that can obfuscate the origin of funding. Online donations have further introduced the ability to scale small donations into significant sums.
To protect elections from the influence of foreign money, fundraising organizations can apply compliance technology to identify and mitigate financial risks. Financial technology companies acquainted with regulatory frameworks and financial systems increasingly employ machine learning algorithms to identify unusual activity.
ComplyAdvantage, for example, monitors transactions with artificial intelligence to identify and flag those that are non-compliant (i.e. come from a sanctioned country). Trulioo, meanwhile, offers an identity verification solution to ensure compliance with regulations and reduce fraud.
Many of the solutions employed by financial institutions to ensure financial systems’ integrity could modernize campaign fundraising tracking.
Countdown to the election
In a matter of weeks, Americans will head to the polls to vote, capping an impressive 4 years of collaboration among big tech companies (e.g. Microsoft, Google, Facebook), startups (e.g. Area 1 Security, Synack, NewsGuard), and federal and local governments. The results on election day will ultimately determine the effectiveness of these entities’ efforts, from network monitoring to cyber training to anti-phishing tools.
Attempts to influence the 2020 election, however, are already underway. Disinformation traffics the internet and foreign hackers attempt to infiltrate campaign and governmental systems with phishing and brute-force (e.g. automated password guessing) attacks. In just the past few weeks, Microsoft’s threat intelligence team uncovered attempts to infiltrate at least 200 organizations connected to the upcoming election.
While the foreign actors targeting the election may pursue different ends, they are united in casting a shadow on the integrity of the voting process and of democracy as a whole.
America’s greatest defense in the 2020 election, therefore, will be its citizens. On election day, every citizen can make a choice to vote and place their trust in verified sources of information.If you aren’t already a client, sign up for a free trial to learn more about our platform.