Hundreds of local clerks are using outdated computer systems or aren’t installing security patches, leaving Wisconsin’s election system vulnerable to potentially devastating cyberattacks, state elections officials fear.
Election officials across the country have stepped up efforts to block hackers from wreaking havoc during the 2020 contests after Russians interfered with the 2016 presidential election. Congress has been warned that there could be more foreign interference next year, when Wisconsin is expected to be a presidential swing state again.
But Wisconsin Elections Commission Election Security Lead Tony Bridges said in a memo to commissioners released Friday that some local clerks are still logging into the state election system using Windows XP or Windows 7.
Microsoft stopped supporting Windows XP in 2014 and said it will stop providing free security updates for Windows 7 in January. Bridges wrote that it’s safe to assume a large percentage of clerks won’t upgrade before the deadline or pay for updates. Even clerks with current operating systems often fail to install security patches, he said.
The failure to maintain current operating systems exposes state elections to tremendous risk, Bridges wrote. He pointed to an incident in March in which a ransomware variant called Ryuk shut down vital systems in Jackson County, Georgia, including computers supporting emergency dispatch. Ransomware is software designed to shut down computer systems or data until a ransom is paid.
Ryuk gained access to the systems through a file-sharing vulnerability in older networks. An update that eliminated the vulnerability had been available since 2017, but no one had bothered to install it. The county ended up paying a $400,000 ransom to unlock the system.
Such an attack on Wisconsin’s elections system could expose confidential information, prevent the distribution of absentee ballots and poll book printing, disrupt communications with voters, destroy records and prevent the display of election night results, the memo warns.
The memo asks the commission to spend hundreds of thousands of dollars to bolster clerks’ cyber defenses.
The commission would buy software that can test clerks’ vulnerabilities and require them to attest that they’re following security protocols before they can access the system. Such software would cost up to $69,000 per year, according to the memo.
The commission also would loan up-to-date computers to clerks. The memo estimates that as many as 527 state elections system users are using a computer configuration that has reached the end of its life or will reach it in the next six months. Some users have their own plans to upgrade, leading commission staff to propose loaning out 250 new machines, initially, with an option to buy 50 more. The initial phase would cost up to $300,000.
The plan calls for creating a new position to provide technical support for clerks and hiring Madison-based advertising agency KW2 to inform people about election security. The support position could cost as much as $100,000 and the ad campaign as much as $341,000.
The money would come from a $7 million federal election security grant the state received in 2018. The commission has already used funding from the grant to switch to a new elections system that’s more difficult to hack and install multi-factor authentication requirements. The commission is set to vote on the new plan Tuesday.
Diane Coenen, first vice president of the Wisconsin Municipal Clerks Association, said the organization “believes in security of elections and we stand behind all necessary security measures to ensure the integrity of the election process.”
“What (the commission) is proposing to do is help those municipalities that cannot fund upgrades,” she added.
Vice’s Motherboard, a technology news website, reported Thursday that clerks in several states, including Wisconsin, Michigan and Florida, left voting machines connected to the Internet for months, even though the machines’ manufacturer, Election Systems and Software, recommends that possible threats be minimized by connecting them only while they’re being used.
Magney said that recommendation apparently wasn’t received “by the right people” in at least eight counties: Outagamie, Dodge, Milwaukee, Columbia, Waukesha, Eau Claire, Kenosha and Jefferson. He said the counties have been contacted and all but one — Milwaukee County, which is using its machines for a special election — unplugged their machines.
He said there’s no evidence anyone infiltrated Wisconsin’s system through the machines. The commission plans to inform all clerks using ES&S machines to keep them unplugged when not in use.