With 76 days until Election Day in the United States, I’ve successfully reached one county out of 3,143. Only 3,142 counties, and 50 states, to go!
So far as I can tell from randomly sampling websites, Missoula County, Montana, became the first county in the United States of America to fully adopt HTTP Security Response Headers for their website. Congratulations, team Missoula!

Since I live here, and I knew I could reach them for face-to-face meetings if need be, I decided to save that for a fall-back plan, and instead use Missoula for a bit of an experiment in outreach.
I sent email to the County Commissioners.
This strategy, of sending an email, had been suggested by several people that I’ve spoken with about this project.
It seems reasonable enough.
You can find the email addresses of County Commissioners and other parties likely to be interested in the problem and have authority over the systems in question pretty easily. They get email from constituents pretty often about day to day operations and issues.
Naturally, even a carefully constructed email describing a security issue with their website, recommending a course of action, and which included a link to my LinkedIn profile, was still more similar to the steady firehose of phishing attempts they receive than it was to a typical email from a resident of the county. (This was confirmed after I did reach the Commissioners.)
There’s probably no good way to cold-email about a problem like this, and get a useful response rate.
Spammers and scammers don’t need a 100% response rate; they usually get by with response rates well under 1%.
To defend these systems, I need to reach all the counties, not 31 of them.
The experiment was worthwhile, but it’s clear that a mass email from a random security researcher won’t likely get through the psychological calluses built up over years of being on the receiving end of more or less continuous psychological hacking efforts.
Every person, every organization, every network, every device is under attack from everywhere, all the time, via both technical and psychological attempted exploits.
So, in order to reach 3,142 remaining counties with the message that their web servers, data, and customers currently bear unnecessary risk which can be easily retired by way of fairly simple configuration of security headers, it’s clear that I’ll need to find organizations that have existing and trusted relationships with the counties.
Working with a handful of organizations that have established relationships with the counties will be more scalable than trying to break through to someone in each county and demonstrate sincerity and trustworthiness — 3,142 times.
If you have contacts at any state governments, NGOs, election security related federal agencies, or IT support companies that specialize in working with city and county governments, contact me.
I could use an introduction.
“You take a walk and you try to understand” — REM (Crazy, Dead Letter Office)