A new analysis by The Associated Press found the vast majority of 10,000 election jurisdictions nationwide — many of them anxious to use their portion of $380 million in federal funds provided to states — use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts.
The significance is that Windows 7 reaches its “end of life” on Jan. 14, meaning Microsoft stops providing technical support and producing “patches” to fix software vulnerabilities, which hackers can exploit.
In a statement to the AP last week, Microsoft said it would continue to offer Windows 7 security updates for a fee — more taxpayer dollars — through 2023.
The state of Pennsylvania is a case in point. Last April, the state’s top election official told counties they had to update their systems to keep elections from being hacked in 2020.
So far, nearly 60% have taken action, with $14.15 million of mostly federal funds helping counties buy brand-new electoral system.
Unfortunately, many of these systems run on the soon-to-be-outdated Windows 7 platform that is more vulnerable to hackers.
Critics say the situation is an example of what happens when private companies ultimately determine the security level of election systems without federal requirements or oversight. Vendors, on the other hand, say they have been making consistent improvements in election systems. Adding to the confusion, many state officials told the AP they are wary of federal involvement in state and local elections.
The AP surveyed all 50 states, the District of Columbia and territories, and found multiple battleground states affected by the end of Windows 7 support.
Those states included Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina. Also affected are Michigan, which recently acquired a new system, and Georgia, which will announce a new system soon.
The AP found the election technology industry is dominated by three titans: Omaha-based Election Systems Software LLC; Denver based Dominion Voting Systems Inc.; and Austin, Texas-based Hart InterCivic Inc. According to a 2017 study, the three companies make up about 92% of election systems used nationwide.
All are working to update to provide better — less hackable — equipment, though it’s unknown if that equipment can meet federal and possible state recertification before primaries begin in February.
Certification, which is voluntary at the federal level but sometimes required by state laws, ensures vendor software runs properly on operating systems they’re tested on. But there is no cybersecurity check and the process often fails to keep up with rapidly changing technology.
The use of election systems that still run on Windows 7 “is of concern, and it should be of concern,” U.S. Election Assistance Commission Chair Christy McCormick told the AP.
She noted that while election systems aren’t supposed to be connected to the internet, various stages of the election process require transfers of information, which could be points of vulnerability for attackers.
In light of the controversy surrounding the 2016 election, Congress, which has provided most of the funding for updates, should pass legislation giving the federal government the authority to mandate basic cybersecurity for election infrastructure.