There’s a big hacking danger facing the 2020 election that's so far been overlooked: software so old that companies aren’t updating it anymore.
The “vast majority" of the nation’s 10,000 election jurisdictions rely on Microsoft’s Windows 7 operating system, which was introduced in 2009 and will reach the end of its technological life span in January, according to a report this weekend from the Associated Press’s Tami Abdollah. And some of those jurisdictions are relying on software that’s even older.
That means those systems — which are running in numerous swing states’ election systems — won’t get automatically updated to protect against newfound computer bugs, leaving the systems far more vulnerable to hackers who exploit those bugs, Abdollah reports.
The report highlights yet another way in which elections remain vulnerable to hacking despite calls for vastly improved election cybersecurity after the 2016 contest was upended by Russian hacking and disinformation operations — and amid warnings from Intelligence officials that Russia and other U.S. adversaries want to similarly compromise the 2020 contest. The vulnerable software is deployed on systems to create ballots, program voting machines, tally votes and report counts, per the AP.
It also demonstrates how many election cybersecurity challenges evade easy fixes.
Indeed, many of the election systems running outdated software were bought after the 2016 contest proved the need for vastly improved security — and often with help from $380 million Congress appropriated in 2018 aimed at replacing outdated election systems that were even more vulnerable to hacking.
Georgia’s 2016 system, for example, didn’t even keep paper records of votes, meaning there was no way to tell whether hackers changed ballots after they were cast. The state decided to switch to voting machines with paper records in 2020 but it may still be relying on Windows 7 to update those machines, depending on the vendor its selects, the AP reports.
Marilyn Marks, executive director of the Coalition for Good Governance, which sued Georgia over the 2016 machines, compared that to buying a product that has been recalled for safety issues:
Big news in GA re: new $150 million voting system planned. ES&S machines that Kemp and Raffensperger favor run on Windows 7! Losing MS support in January. Like buying a call that is under safety recall and paying full price. https://t.co/bGXJnIZHr8— Marilyn Marks (@MarilynRMarks1) July 13, 2019
Marks told the AP that her group will sue Georgia again if necessary to block the state from purchasing machines that rely on Windows 7.
Other election security advocates were also quick to criticize the reliance on outdated software.
Sen. Ron Wyden (D-Ore.), who has sponsored legislation that would mandate new cybersecurity protections for election equipment, slammed the three main election systems providers — Election Systems and Software, Dominion Voting Systems and Hart InterCivic — which he said “have proven they cannot be trusted to protect our elections":
These shady third-party voting machine manufacturers have proven they cannot be trusted to protect our elections.— Ron Wyden (@RonWyden) July 14, 2019
This pattern of state and local governments bankrolling election systems with millions of taxpayer dollars that leave our democracy vulnerable must end. https://t.co/9Ppp8EBxWz
Josh Lawson, a former chief attorney for North Carolina’s State Board of Elections, accused those companies of unfairly shutting out market competition from other election vendors that might challenge them by offering better security:
These companies enjoy monopolies and minimal oversight, but they keep failing to steward that trust—now scrambling to make basic software updates before 2020. Preprinted paper ballots are the way to go. https://t.co/0OlKa4Ut7q— Josh Lawson (@josh_lawson) July 13, 2019
“Of the three companies, only Dominion’s newer systems aren’t touched by upcoming Windows software issues — though it has election systems acquired from no-longer-existing companies that may run on even older operating systems,” the AP reported.
Election Systems and Software said it expects to offer all its customers the ability to run on Windows 10 by the fall, the AP reported, but it’s not clear whether election jurisdictions will have time to make the upgrade.
Microsoft, meanwhile, said it would continue to offer security updates for Windows 7 through 2023 for a fee, the AP reported. But the operating system is likely to grow more vulnerable during that time because outside security researchers and the company's own bug hunters are likely to spend less time searching for hackable vulnerabilities in outdated software that's less widely used.
Voting machines should be segregated from the Internet during a vote but they're often connected at other times, such as for testing or to deliver vote tallies to county or state officials — giving hackers an opportunity to pounce.
Susan Greenhalgh, policy director at the National Election Defense Coalition, put some of the blame on election officials who she said often aren’t well-enough educated on cybersecurity issues and so don’t demand more secure technology from election equipment companies:
Better education &knowledge base for EOs so they can require vendors to provide better products. Better guidance from the EAC. This could be a free market solution problem-if you sell inferior product which will be outdated, we won’t buy it. But EOs need to know what to demand— Susan Greenhalgh (@SEGreenhalgh) July 13, 2019
Greenhalgh also criticized the Election Assistance Commission — which divvied up the $380 million in new election security money — for continuing to certify election systems running software that will soon be out of date:
EAC needs to do a better job of highlighting this issue. EAC has previously certified a system with CE when it was already end of life. EOs depend on that certification.— Susan Greenhalgh (@SEGreenhalgh) July 13, 2019
Those certifications are voluntary, but many states and localities rely on them to make decisions about what voting systems to purchase.
EAC Chair Christy McCormick told the AP that election systems running Windows 7 “is of concern, and it should be of concern.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: House lawmakers passed a provision Friday requiring the White House to share a memorandum it wrote last year granting the Pentagon increased authority to launch offensive cyberattacks, CyberScoop's Shannon Vavra reports. The amendment would also require the defense secretary to notify Congress within 15 days of giving permission for an offensive cyber operation.
“It is unacceptable that the White House continues to stonewall our attempts to oversee sensitive operations,” Rep. Jim Langevin (D-R.I.), who led the provision, told Cyberscoop. It's not clear if the provision, which was included in the House version of a must-pass defense policy bill, will be agreed to in the Senate.
The White House slammed an early version of the House provision, saying it would “unduly hinder cyber operations.” Military leaders have praised the Trump administration’s looser reins on offensive hacking, crediting it with helping secure the 2018 midterm elections against foreign interference
Members of both parties have long expressed concern that Congress lacks sufficient oversight of digital operations that could ratchet up foreign tensions. Those concerns ramped up after the White House granted U.S. Cyber Command greater authority to launch offensive hacking operations last September and again when the New York Times reported that the United States launched a cyberstrike against Iranian military systems in June.
PATCHED: The Federal Election Commission gave the green light late Thursday for cybersecurity firm Area 1 Security to provide “low- to no-cost” protections against phishing attacks to 2020 campaigns, Nicole Perlroth at the New York Times reports. The FEC advisory opinion applies specifically to the request by Area 1, but other companies could use it as legal backing to offer similar free and reduced price cybersecurity services to campaigns.
The commission ruled that Area 1 could offer services costing between $0 and $1,337 per year to campaigns because it offers similarly discounted services to similar-size nonprofits, humanitarian organizations and start-ups that provide a “significant research opportunity." Working for campaigns will also help Area 1's business because it gives the company unique access to information about sophisticated hacking groups that are targeting political campaigns,” CEO Oren Falkowitz previously told The Cybersecurity 202.
FEC commissioners earlier appeared poised to reject Area 1's request as an illegal campaign contribution, citing concerns that it would open the door for other companies to offer discounted services in exchange for influence on campaigns and elected officials.
PWNED: The standards organization that oversees American power systems will ask energy companies this week to provide a list of all the equipment from Chinese companies ZTE and Huawei still running on their networks, Mark Rockwell at FCW reports. The North American Electric Reliability Corporation, or NERC, will also ask companies to submit a plan to remove the devices, a sign that America's energy regulators are cracking down on the potential risks Chinese devices may pose to the U.S. power grid.
NERC expects to have those plans by the "end of summer," CEO Jim Robb told lawmakers at a hearing Friday.
During the hearing, lawmakers also touted the Cyber Sense Act, introduced by Rep. Robert Latta (R-Ohio), which would require the Energy Department to set up a voluntary cyber vulnerability testing program for power systems. Energy's National Labs are working on ways to test electric grid components for digital vulnerabilities regardless of legislation, Karen Evans, who leads the department's cybersecurity effors, told lawmakers.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
— Cybersecurity news from abroad