10,000 polling sites can be hacked because they use Windows 7: report




The message from Pennsylvania was clear: the state was taking a big step forward so that its elections would not be hacked in 2020. Last April, its senior election official told counties they needed to update their systems. Up to now, nearly 60% have taken action, with $14.15 million, mainly federal funds, helping counties to buy new electoral systems.

But there is a problem: many of these new systems still work on old software that will soon be obsolete and more vulnerable to hackers.

An Associated Press analysis has shown that, as in many counties in Pennsylvania, the vast majority of the country's 10,000 electoral jurisdictions use Windows 7 or an older operating system to create ballots, program voting machines, tally the votes and report the results.

This is important because Windows 7 reaches its "end of life" on January 14, which means that Microsoft will no longer provide technical support or produce "fixes" for the software vulnerabilities that hackers can exploit. In a statement to the AP, Microsoft announced Friday that it would offer ongoing security updates for Windows 7 for a fee until 2023.

Critics say the situation is an example of what happens when private companies ultimately determine the security level of electoral systems in the absence of federal requirements or oversight. Vendors say they have made constant improvements to electoral systems. In addition, many state leaders are wary of federal involvement in regional and local elections.

It is unclear whether the often cumbersome expense of security updates would be paid by providers operating on thin profit margins or by cash-strapped jurisdictions. It is also unclear whether a version running Windows 10, which has more security features, can be certified and deployed in time for the primaries.

"This is a very serious concern," said J. Alex Halderman, a professor at the University of Michigan and a renowned expert on electoral security. He added that the country might repeat "the mistakes we made in the last 15 years, when states bought voting machines but did not keep the software up-to-date and had no serious provision" for doing so.

The AP surveyed the 50 states, the District of Columbia and the territories, and found that several battleground states are affected by the end of Windows 7 support, including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina. Michigan, which has recently acquired a new system, and Georgia, which will soon announce its new system, are also affected.

"Is this a bad joke?" said Marilyn Marks, executive director of the Coalition for Good Governance, an organization for the defense of electoral integrity, after inquiring about the Windows 7 problem. Her group sued Georgia to abandon its paperless voting machines and adopt a more secure system. Georgia recently piloted a system running Windows 7 and rented by state officials.

If Georgia chooses a system running Windows 7, the group will go to court to block the purchase, said Marks. State spokeswoman Tess Hammock declined to comment because Georgia has not officially chosen a supplier.

The electoral technology sector is dominated by three titans: Election Systems and Software LLC, based in Omaha, Nebraska; Dominion Voting Systems Inc., based in Denver, Colorado; and Hart InterCivic Inc., based in Austin, Texas. According to a study conducted in 2017, they represent approximately 92% of the electoral systems used nationwide. All three have worked to win over states newly flush with federal funds and eager for an update.

US officials determined that Russia had intervened in the 2016 presidential election and warned that Russia, China and other countries were trying to influence the 2020 elections.

Of the three companies, only Dominion's newest systems are not affected by future Windows software issues, although election systems acquired from companies that no longer exist could run on even older operating systems.

Hart's system runs on a Windows version that reaches the end of its life on October 13, 2020, a few weeks before the elections.

ES&S said it hoped to offer its customers an electoral system running Microsoft's current operating system, Windows 10. It is currently being tested by a federally accredited laboratory.

For jurisdictions that have already purchased systems running Windows 7, ES&S has announced that it will work with Microsoft to provide support until jurisdictions can update. Windows 10 was released in 2015.

Hart and Dominion did not respond to requests for comment.

Microsoft usually releases fixes for operating systems every month. Hackers have learned to target older unsupported systems. Its systems have been ground zero for crippling cyberattacks, including the WannaCry ransomware attack, which froze 200,000 computer systems in 150 countries in 2017.

For many people, the end of Windows 7 support simply means an update. However, for electoral systems, the process is heavier. ES&S and Hart do not have federally certified systems on Windows 10, and the path to certification is long and costly, often taking at least a year and costing six figures.

ES&S, the country's largest supplier, completed its latest certification four months ago on Windows 7. Hart's latest certification was on May 29 on a Windows version that will not be supported by November 2020.

Although ES&S is testing a new system, it is unclear how long it will take to complete the process (federal and possible state recertification, as well as the deployment of updates) and whether this can be done before the start of the primaries in February.

Election administrators are notoriously understaffed. Recently, there has been a proliferation of new electoral system purchases across many jurisdictions, some using $380 million in federal funds provided to states. Counties in South Dakota, South Carolina and Delaware have all recently purchased electoral systems, while many others are evaluating their purchases.

The use of electoral systems still running Windows 7 "is a source of concern and should be," said Christy McCormick, chair of the U.S. Election Assistance Commission. The EAC develops guidelines for electoral systems.

McCormick noted that while electoral systems are not supposed to be connected to the Internet, the different stages of the electoral process require information transfers, which can be points of vulnerability for attackers. She said some election administrators are working to solve the problem.

Officials from Pennsylvania, Michigan, and Arizona said they discussed the software problem with their suppliers. The other states mentioned in this article have not responded to AP's requests for comment.

Pennsylvania election spokeswoman Wanda Murren said the contract language allowed for such a free software update. C. Murphy Hebert, spokesman for the Arizona elections, said that ES&S had also assured the state that it would support the counties with an upgrade.

Susan Greenhalgh, Director of Policy for the National Election Defense Coalition, said that even the best possible scenario has election administrators preparing for the primaries while trying to upgrade their systems, which is "crazy." Her group has expressed concerns about Windows 7 to AP.

Certification, which is voluntary at the federal level but sometimes required by state law, ensures that vendors' software works properly on the operating systems on which it has been tested. But there is no cybersecurity check, and the process often fails in the face of rapidly changing technologies.

Kevin Skoglund, chief technologist for Citizens for Better Elections, said county election officials refer to the EAC and certifications as compelling evidence that their systems are secure, but do not realize that suppliers certify systems that meet 2005 standards.

Local officials rely on vendors to set up secure systems, while the EAC and states have high standards, Skoglund said.

After the AP began investigating, Senator Ron Wyden, D-Ore., wrote to McCormick to ask what the EAC, which has no regulatory powers, is doing to deal with the imminent "electoral cybersecurity crisis" that essentially rolls out the "red carpet" for hackers.

"Congress needs to pass a law giving the federal government the power to impose basic cyber security on electoral infrastructure," Wyden told AP in a statement.
