Amid growing concern about the vulnerability of the U.S. election system to hackers, Pennsylvania told election officials they had to upgrade their machines last year. But according to a Saturday report from the Associated Press, though some 60 percent of those systems have been upgraded—at a cost of $14.15 million—many of them are reliant on Windows 7, which Microsoft will stop supporting on January 14, 2020.
So too are numerous systems across the country, according to the AP:
An Associated Press analysis has found that like many counties in Pennsylvania, the vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts.
... The AP surveyed all 50 states, the District of Columbia and territories, and found multiple battleground states affected by the end of Windows 7 support, including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina. Also affected are Michigan, which recently acquired a new system, and Georgia, which will announce its new system soon.
“Is this a bad joke?” said Marilyn Marks, executive director of the Coalition for Good Governance, an election integrity advocacy organization, upon learning about the Windows 7 issue. Her group sued Georgia to get it to ditch its paperless voting machines and adopt a more secure system... If Georgia selects a system that runs on Windows 7, Marks said, her group will go to court to block the purchase.
According to the AP, the election industry is “dominated” by three big companies: Election Systems and Software LLC (ES&S), Dominion Voting Systems Inc., and Hart InterCivic Inc., which a 2017 study found collectively control 92 percent of election systems in place in the country. Only Dominion has developed newer systems that aren’t affected by the Windows 7 issue, but it has acquired other companies whose systems run on “even older operating systems,” the AP wrote. Developing newer systems requires passing a lengthy federal certification process and would be extremely difficult to accomplish by the 2020 primary elections.
“End of life” means that Microsoft will stop officially supporting the Windows 7 operating system with free patches, including security updates critical to safeguarding against malware—perhaps the biggest security concern with elections, considering that in-person voter fraud in the U.S. is extremely rare and hackers believed to be tied to Russia have reportedly poked around the edges of state election networks. When an operating system enters this phase, it becomes easy prey for hackers who can exploit unpatched vulnerabilities.
Microsoft did tell the AP that it would offer security updates for Windows 7 through 2023, though only on a paid basis. As TechSpot noted, annual fees for that support escalate year after year and are high enough that “businesses with hundreds or thousands of Windows 7 devices can expect to hand over a lot of money,” though it’s probable Microsoft will reach specific arrangements with bulk customers. As the AP noted, it is “unclear” whether those fees “would be paid by vendors operating on razor-thin profit margins or cash-strapped jurisdictions.”
While election systems are supposed to be “air-gapped,” meaning that no system directly involved in recording or tallying votes is connected to the internet, the New York Times reported last year that some systems have come packaged with remote-access software that could theoretically be penetrated by hackers. Additionally, the Times wrote, many local election sites report vote totals to their county election offices via phone lines, a practice that “election officials and vendors” say is safe because it does not use the internet.
The Times disputed that characterization, noting that many land lines now pass through cellular towers or telecom routers that are, creating a risk that hackers could use an IMSI-catcher (commonly known as a Stingray) “or subverted telecom router to hack back into election systems and alter software to affect election outcomes.” ES&S later admitted to congressional investigators that it sold systems with remote access software to a “small number of customers” from the years of 2000-2006, which would have necessitated installing a modem on election systems for managing remote access by technicians.
According to the AP, officials in Pennsylvania and Arizona said their vendors have assured support for upgrading the systems when a new version is certified:
Officials in Pennsylvania, Michigan and Arizona say they have discussed the software issue with their vendors. Other states mentioned in this story didn’t respond to AP requests for comment.
Pennsylvania elections spokeswoman Wanda Murren said contract language allows such a software upgrade for free. Arizona elections spokeswoman C. Murphy Hebert said ES&S has also assured the state that it will provide support to counties for an upgrade.
The U.S. Election Assistance Commission develops the guidelines by which systems are certified, the AP reported, but the agency has no regulatory power and compliance is voluntary on the federal level. The tests are primarily designed to check whether systems function as intended and “there is no cybersecurity check,” the AP concluded.