[Image via leopardloans]

The State of Wisconsin is considering using some of its federal cybersecurity funds to loan updated computers to municipalities after an expert warned that the state could be vulnerable because many localities are facing issues with outdated Windows boxes. The Associated Press has more:

Hundreds of local clerks are using outdated computer systems or aren’t installing security patches, leaving Wisconsin’s election system vulnerable to potentially devastating cyberattacks, state elections officials fear.

Election officials across the country have stepped up efforts to block hackers from wreaking havoc during the 2020 contests after Russians interfered with the 2016 presidential election. Congress has been warned that there could be more foreign interference next year, when Wisconsin is expected to be a presidential swing state again.

But Wisconsin Elections Commission Election Security Lead Tony Bridges said in a memo to commissioners released Friday that some local clerks are still logging into the state election system using Windows XP or Windows 7.

Microsoft stopped supporting Windows XP in 2014 and said it will stop providing free security updates for Windows 7 starting in January. Bridges wrote that it’s safe to assume a large percentage of clerks won’t upgrade before the deadline or pay for updates. Even clerks with current operating systems often fail to install security patches, he said.

Failure to update Windows systems can expose users to variety of threats, including ransomware:

The failure to maintain current operating systems exposes state elections to tremendous risk, Bridges wrote. He pointed to an incident in March in which a ransomware variant called Ryuk shut down vital systems in Jackson County, Georgia, including computers supporting emergency dispatch. Ransomware is software designed to shut down computer systems or data until a ransom is paid.

Ryuk gained access to the systems through a file-sharing vulnerability in older networks. An update that eliminated the vulnerability had been available since 2017, but no one had bothered to install it. The county ended up paying a $400,000 ransom to unlock the system.

Such an attack on Wisconsin’s elections system could expose confidential information, prevent the distribution of absentee ballots and poll book printing, disrupt communications with voters, destroy records and prevent the display of election night results, the memo warns.

In response, the state is considering a proposal that would improve cybersecurity – including a plan to purchase and lend, cost-free, updated computers to localities who need them:

The memo asks the commission to spend hundreds of thousands of dollars to bolster clerks’ cyber defenses.

The commission would buy software that can test clerks’ vulnerabilities and require them to attest that they’re following security protocols before they can access the system. Such software would cost up to $69,000 per year, according to the memo.

The commission also would loan up-to-date computers to clerks. The memo estimates that as many as 527 state elections system users are using a computer configuration that has reached the end of its life or will reach it in the next six months. Some users have their own plans to upgrade, leading commission staff to propose loaning out 250 new machines, initially, with an option to buy 50 more. The initial phase would cost up to $300,000.

In addition, the plan would create state-level staffing and work to highlight the importance of election security:

The plan calls for creating a new position to provide technical support for clerks and hiring Madison-based advertising agency KW2 to inform people about election security. The support position could cost as much as $100,000 and the ad campaign as much as $341,000.

The money would come from a $7 million federal election security grant the state received in 2018. The commission has already used funding from the grant to switch to a new elections system that’s more difficult to hack and install multi-factor authentication requirements. The commission is set to vote on the new plan Tuesday.

One representative of affected clerks welcomed the proposal:

Diane Coenen, first vice president of the Wisconsin Municipal Clerks Association, said the organization “believes in security of elections and we stand behind all necessary security measures to ensure the integrity of the election process.”

“What (the commission) is proposing to do is help those municipalities that cannot fund upgrades,” she added.

Wisconsin’s proposal is a promising approach to using federal funds to confront the kind of distributed vulnerability created by the combination of outdated operating systems and widely decentralized (and underfunded) election administration. If the state adopts the plan, I’ll be curious to see how the new computers are distributed once acquired – given that state could buy up to 300 but the number of affected users exceeds 500 – and what is done about municipalities that need but don’t get a new computer. Still, it’s a proactive step that holds the promise of addressing a key vulnerability as Wisconsin rolls into the 2020 election cycle. Stay tuned …

Posted in Uncategorized and tagged