MADISON, Wis. (AP) — Hundreds of local clerks are using outdated computer systems and aren’t installing security patches on their current systems, leaving Wisconsin’s election system vulnerable to potentially devastating cyberattacks, state elections officials fear.
Federal and state elections officials across the country have stepped up their efforts to block hackers from wreaking havoc during the 2020 contests after Russians interfered with the 2016 presidential election. Congress has been warned that there could be more foreign interference in next year, when Wisconsin is expected to be a presidential swing state again, making its systems a bigger target.
But Wisconsin Elections Commission Election Security Lead Tony Bridges said in a memo to commissioners released Friday that some local clerks are still logging into the state election system using Windows XP or Windows 7.
Microsoft stopped supporting Windows XP in 2014 and said it will stop providing free security updates for Windows 7 starting next January, after which time updates will become increasingly more expensive. Bridges wrote that it’s safe to assume a large percentage of clerks won’t upgrade before the deadline or pay for updates. Even clerks with current operating systems often fail to install security patches, he said.
The failure to maintain current operating systems exposes state elections to tremendous risk, Bridges wrote. He pointed to an incident in March in which a ransomware variant called Ryuk shut down vital systems in Jackson County, Georgia, including computers supporting emergency dispatch. Ransomware is software designed to shut down computer systems or data until a ransom is paid.
Ryuk gained access to the systems through a file-sharing vulnerability in older networks. An update that eliminated the vulnerability had been available since 2017 but no one had bothered to install it. The county ended up paying a $400,000 ransom to unlock the system and still spent five weeks repairing the damage.
Such an attack on Wisconsin’s elections system could expose confidential information, prevent the distribution of absentee ballots and printing of poll books, disrupt communications with voters, destroy records and prevent the display of election night results, the memo warns.
The Wisconsin Municipal Clerks Association’s top officers didn’t immediately respond to an email seeking comment.
The memo asks the commission to spend hundreds of thousands of dollars on a multi-prong plan to bolster local clerks’ cyber defenses.
The first component calls for the purchase of software that can test state elections system users’ vulnerabilities and require users to attest that they’re following security protocols before they’ll be allowed access to the system. Such software would cost up to $69,000 per year, according to the memo.
The second proposal would create a program in which the commission would loan up-to-date computers to clerks. The memo estimates that as many as 527 state elections system users are using a computer configuration that has reached the end of its life or will reach it in the next six months. Some users have their own plans to upgrade, leading commission staff to propose loaning out 250 new machines, initially, with an option to buy 50 more. The initial phase would cost up to $300,000.
The third part of the plan calls for the creation of a new federally funded position to that would provide technical support for clerks. The position could cost up to $100,000, according to the memo.
The last part of the plan calls for the hiring of Madison-based advertising agency KW2 to develop a public outreach program designed to inform people about election security. This could cost up to $341,400, the memo said. WEC spokesman Reid Magney said the effort is designed to alleviate pressure on clerks who must answer questions from local residents about election security.
The money would come from a $7 million federal grant the state received in 2018 to harden its elections systems.
The commission has already used funding from the grant to make multiple security upgrades, including switching to a new elections system that’s more stable and more difficult to hack and installing multi-factor authentication requirements, including requiring every clerk to insert a USB key into their machines before they can access the system, Magney said.
Vice’s Motherboard, a technology news website, reported Thursday that clerks in several states, including Wisconsin, Michigan and Florida, left voting machines connected to the internet for months, even though the machines’ manufacturer, Election Systems and Software, recommends that they be connected only while they’re being tested or used, to minimize the chance for possible threats.
Magney said that ES&S advised clerks not to leave the machines connected online but the word apparently wasn’t received “by the right people.” He said the seven Wisconsin counties have been contacted and all but one — Milwaukee County, which is using its machines for a special election — unplugged their machines.
He said there’s no evidence that anyone infiltrated Wisconsin’s system through the machines, but the commission plans to inform all clerks using ES&S machines to keep them unplugged when not in use.
This story has been updated to correct the name of the media outlet that reported voting machines remained connected to the internet to Vice’s Motherboard, not Vice News.