A document prepared last Friday by the top cybersecurity official for the Wisconsin Elections Commission revealed that more than 500 local clerks around the state are logging into the statewide voter registration and election management system on computers running versions of Microsoft Windows that are no longer supported or about to reach their end of life.
And while many of those jurisdictions do not have plans to upgrade their systems any time soon, the memo proposed that the commission spend about $800,000 to loan up-to-date equipment to cash-strapped election administrators, hire a new employee to provide technical support to local clerks and run an ad campaign letting the public know about the state’s election-security efforts.
The memo from Tony Bridges, Wisconsin’s election security lead, found that 527 local officials with access to WisVote, the statewide election administration platform, are logging in from machines that still run Windows XP, which Microsoft stopped updating in 2014, or Windows 7, which will conclude its support cycle next January. Along with accessing the voter registration database, these computers are also used to maintain local data, send and receive absentee ballot applications and create correspondence with voters.
Bridges wrote that continued use of outmoded software exposes elections administrators to risks like the ransomware attacks seen in local governments that were using outdated or unpatched operating systems. He cited Jackson County, Georgia, which paid $400,000 to hackers after being infected with the Ryuk virus, which shut down computers supporting many critical functions — including 911 dispatch — after exploiting a vulnerability for which an available patch had not been installed. He warned a similar attack against an elections administrator could have crippling effects on the democratic process.
“It could, for example, expose confidential information, prevent the timely distribution of absentee ballots, prevent the timely printing of poll books, disrupt communications with voters, expose voters to potential cyberattack, destroy digital records, prevent the display of election night results, and dramatically impact voter confidence in the electoral process,” Bridges wrote.
Wisconsin is unique in how it administers elections. While most states leave it to counties to supervise the voting process, Wisconsin gives that authority to individual localities, resulting in 1,852 distinct election offices, with voter rolls ranging from fewer than 50 in the smallest villages to nearly 300,000 in Milwaukee. And like small, local governments everywhere, the tiniest election offices are typically strapped for IT resources, Bridges’ report continued.
Under the proposed loaner program, the Wisconsin Elections Commission would spend about $300,000 on 250 new computers that would be shipped out to local clerks for free on a first-come-first-served basis. Bridges wrote that the commission could order 50 more if all the computers were claimed by June 30, 2020. He also suggested that the loan program be run by a vendor, as the commission does not have the bandwidth to manage such a program itself.
The new technical-support hire would oversee the hardware loan program and other future election-security measures, earning an annual salary of up to $100,000. Bridges also recommended the commission invest up to $69,000 in an endpoint testing platform to get up-to-date assessments of the local users connecting to WisVote.
“Most users do not have the technical expertise to adequately assess their own systems,” the memo reads. “Furthermore, even if the WEC could physically inspect each clerk’s computer, that inspection would only be valid for that day.”
Funding for the computer loan program, new IT support position, endpoint testing software and a $300,000 ad campaign would all come from a $7 million election-security grant Wisconsin received last year from the U.S. Election Assistance Commission, the memo read.