The Wisconsin Elections Commission has moved to bolster local election security efforts in light of concerns that some clerks’ use of outdated computer operating systems could open up the state to cyberattacks in future election cycles.
The efforts, approved unanimously by the panel on Tuesday, aim to address potential vulnerabilities across the state, where some clerks are using out-of-date computer systems or failing to install software patches and updates, according to a memo released ahead of the meeting.
Commission Chair Dean Knudson noted that while the panel has “hardened our defenses tremendously over recent years,” it’s important to continue identifying potential issues and addressing them.
“This is about looking at what we can do to further strengthen our defenses,” the Republican appointee said.
Commissioners Tuesday agreed to direct existing federal dollars to implement software to track the security levels of local elections officials’ computers, at a cost of up to $69,000, create a $30,000 emergency loan program to secure 25 devices that could be temporarily handed out to local clerks who aren’t able to comply with security protocols and take preliminary steps to hire a technical support position.
The action came after WEC's election security lead Tony Bridges detailed in a memo his concerns about local clerks’ use of outdated operating systems to access the WisVote database, the statewide voter registration and election management system, including Windows XP, where security patches haven’t been supported since 2014.
Meanwhile, the memo also noted others are using Windows 7 to utilize the database, and Microsoft won’t be providing free security updates for it after mid-January 2020.
Not maintaining a current operating system, Bridges’ memo states, “exposes the user to tremendous risk.” He referenced a recent incident in Georgia in which hackers orchestrated a ransomware attack using Ryuk on Jackson County systems, causing officials to pay $400,000 to regain access to their information.
If systems in Wisconsin are similarly attacked, the memo said, confidential information could be exposed, digital records could be destroyed, election night results may not be displayable and absentee ballot distribution and poll book printing could be impacted, among other things.
Commissioners’ vote to direct $69,000 toward putting in place end-point testing would allow officials to monitor existing security levels of local clerks’ work computers and assess potential vulnerabilities, provide guidance to better safeguard each individual system and more. Local officials who are found to be non-compliant could be blocked from accessing WisVote.
Bridges said the commission knows of five users that are accessing WisVote on work computers with outdated operating systems including Windows XP, which may expose them to potential vulnerabilities. That number came after around 2,000 users out of 2,700 total, upon request from the commission, logged into WisVote and allowed commissioners to perform a cursory analysis of their systems.
Additionally, just under 600 users are operating with Windows 7, according to that analysis, Bridges said. While security updates will be available for those municipalities until 2023, they’d have to pay an escalating annual fee.
The memo noted staff “can reasonably assume that a large percentage of users will neither upgrade before the deadline nor choose to pay for updates.”
Commission administrator Meagan Wolfe cautioned the analysis’ figures are based on a snapshot in time from a “very primitive tool” built into the WisVote system. The logins, she noted, could’ve occurred on computers that local elections officials don’t primarily use, which could impact the numbers.
More accurate information, she said, would be available once the commission implements new end-point testing.
Still, Commissioner Ann Jacobs, a Democratic appointee to the panel, questioned whether the body should shut down the five users’ access to the WisVote system based on the initial monitoring from the commission.
Wolfe, who said she didn't know which municipalities the five users came from, pledged the commission would follow-up with them to figure out what their plans are to address their outdated systems.
Commissioners also directed staff to get started on a pilot loan program for local elections officials. Staff had initially sought permission to use up to $300,000 to secure 250 devices that could be loaned out to local clerks who aren’t able to comply with the security standards.
But the six-member commission split 3-3 on a motion to table the language, before later approving, 4-2, a program with a narrower scope: allocating up to $30,000 to purchase 25 devices. Staff at the commission’s September meeting would then report back regarding a more comprehensive, managed hardware loan or rental program.
Vice Chair Jodi Jensen, a GOP appointee to the body, urged fellow commissioners to support putting in place a pilot program ahead of the vote, arguing they “have an obligation to address vulnerabilities that are there.”
“It may not be a perfect solution, but I don’t think we can just kick it down the road,” she said.
But Commissioner Mark Thomsen, a Democratic appointee, countered the slimmed-down program — and “just buying a machine in the future” — doesn’t address the immediate problem of five elections officials possibly using outdated software.
“I don’t know why we’re spending $30,000 when it may not be absolutely necessary,” he said.
Separately, the commission is also looking to launch a campaign to educate the public about election security issues. Commissioners agreed to use up to $341,400 in federal money to hire Madison-based advertising agency KW2 to develop a statewide survey on election integrity, provide media training to local elections officials and more.
The funding for the initiatives commissioners approved Tuesday stems from the around $7 million in federal money Wisconsin received in 2018 for election security efforts. The funding is part of around $380 million the federal government allocated across the nation to bolster election administration efforts.