A Wisconsin Elections Commission security official is expressing concern that outdated operating systems are being used by local elections clerks across the state, raising the prospect of foreign interference in Wisconsin's elections ahead of the 2020 presidential race.
In a memo, Election Security Lead Tony Bridges details how a number of local clerks are using Windows XP or Windows 7 on office computers to access the WisVote voter database. According to Bridges, failure to maintain an up-to-date operating system poses "a tremendous risk."
Security patches on Windows XP have not been supported since 2014, while Windows 7 will reach its end-of-life cycle in January 2020, meaning Microsoft will no longer provide free security updates.
Bridges pointed to a recent cyberattack in Georgia that brought down systems across Jackson County and warned a similar attack could "dramatically impact voter confidence in the electoral process" in Wisconsin.
"It could, for example, expose confidential information, prevent the timely distribution of absentee ballots, prevent the timely printing of poll books, disrupt communications with voters, expose voters to potential cyberattack, destroy digital records, prevent the display of election night results," he wrote recently.
To prevent those hypotheticals from becoming reality, Bridges recommended steps to boost cybersecurity:
• Instituting so-called "end-point testing" to determine vulnerability. The software to carry out this testing carries a price tag of $69,000.
• Starting a loaner program that would provide up-to-date computers to municipalities on a temporary basis, which Bridges estimates could cost as much as $300,000.
• Adding a federally funded position to manage services and provide technical support for clerks.
Office computers are not the only pieces of election technology running out-of-date software. A WisPolitics.com check found municipalities across Wisconsin using voting machines from Election Systems & Software that are still running Windows 7.
In a memo obtained by WisPolitics.com, ES&S informed local clerks Microsoft will continue to offer extended security updates for Windows 7 through 2023 for a "nominal cost per license" after the software reaches its end of life cycle. Multiple clerks told WisPolitics.com they were unsure who would pick up the tab for the extended security but indicated it would most likely fall on the local municipalities.
That alarmed election security expert Doug Jones, a computer science professor at the University of Iowa who specializes in electronic voting security. He told WisPolitics.com that "by continuing to use this archaic system, people are leaving themselves open to attack."
"Windows 7 has been on the market for years and just about every security vulnerability in it is known to the malware creators and hackers of the world," he said.
Several clerks, as well as WEC spokesman Reid Magney, downplayed these concerns to WisPolitics.com in recent interviews. Magney stressed the fact that both the vote tabulation devices and the election management computers used to program them are air-gapped, meaning they are never connected to the Internet.
Still, Jones says the election security world has tools for jumping the so-called air gap, including a method widely attributed to the U.S. and Israeli national security agencies that wreaked havoc on the Iranian nuclear program in 2010.
"That framework for attacking systems across air gaps is part of the global malware toolkit these days," he said. "Air gaps are useful, but it takes more than mere air gaps. It takes more than the mere claim that these systems aren't attached to the Internet."
ES&S said in the memo to local clerks that it began the process of integrating Windows 10 into its hardware shortly after the software was launched and is on target to complete federal testing through the U.S. Election Assistance Commission by early fall Windows 10 has been on the market since 2015.
"Once federal certification is complete, ES&S will take the new software to each respective state for state testing and approval," the memo said.
But that might be too late for some clerks, such as Dane County's Scott McDonell.
He told WisPolitics.com in a recent interview that any software update would need to be in place by this November. Otherwise, he said, he would carry on using Windows 7 on some devices through the 2020 presidential election to ensure his local clerks would be familiar with the systems they would be using.
"I don't like changing anything going on a presidential year," he said. "If there's a snafu in an off-year, then it's in the (Wisconsin) State Journal or WisPolitics. If it's in a presidential year, it's in the Wall Street Journaland the New York Times."
The Capitol Report is written by editorial staff at WisPolitics.com, a nonpartisan, Madison-based news service that specializes in coverage of government and politics, and is distributed for publication by members of the Wisconsin Newspaper Association. (c) WisPolitics.com