As the presidential election nears, lawmakers and security experts are raising questions about the security of electronic voting machines used in many parts of the country.
The latest concerns focus on devices running Windows 7 and other older operating systems. The Associated Press reports that the “vast majority” of the nation’s 10,000 election jurisdictions use Windows 7 or older operating systems to create ballots, program voting machines, tally votes, and report counts.
Microsoft plans to stop supporting Windows 7 on Jan. 14, ten months before the 2020 election. Sen. Ron Wyden of Oregon sent a letter on July 12 to the U.S. Election Assistance Commission, asking if electronic voting machines will be updated before November.
In addition to the widespread use of Windows 7, Wyden noted that during the 2018 election, voting machines in Georgia ran Windows 2000, which Microsoft stopped supporting in 2010. Until 2015, Virginia also used WiFi-connected electronic voting machines that last received a security update in 2005 and used “abcde” as the administrator password.
Given ongoing attempts by Russian hackers to target U.S. elections, out-of-date software on voting machines is a serious concern, Wyden wrote. The use of old software “lays out the red carpet for foreign hackers,” he claimed. “Now more than ever, the American people expect that the government is taking the necessary steps to secure our elections from foreign attacks.”
Election security legislation is stalled in the Senate, where Wyden is the sponsor of a bill that would give the Department of Homeland Security the authority to set mandatory security requirements for voting systems.
Election Systems & Software, a major electronic voting machine vendor, says it is in the process of updating the operating systems on its devices. Its most recent release, scheduled to be available this fall, will incorporate Windows 10, a spokeswoman said. “For systems that currently use Windows 7 and ES&S, Microsoft will provide ongoing support for that software until jurisdictions can upgrade to newer versions of Windows.”
“Please keep in mind none of these systems are connected to the internet, reducing potential security issues,” she added.
Wyden’s concerns are legitimate, said Tom DeSot, executive vice president and chief information officer at Digital Defense, a cybersecurity vendor. The senator’s worries about old operating systems are “no different than any CIO would pose to potential software vendors for an enterprise.”
Machines running on end-of-life operating systems are “especially vulnerable,” he added. “In enterprise environments, additional attention is applied to systems running unsupported software, if no updated alternatives are available in the form of increased access control, segmentation, and monitoring to prevent data compromise.”
DeSot called on the Election Assistance Commission to set minimum standards for software developers to update their applications to work on modern, supported operating systems. Those who don’t should face significant fines, he proposed.
Meanwhile, some election security experts say the use of old operating systems is only one concern of many. Electronic voting machines are vulnerable to security risks, claimed Marian Schneider, president of Verified Voting, a group pushing for paper audits of electronic voting machines.
“Software can present risks,” she said. “This is a software issue.”
Electronic voting machines should undergo regular security audits, suggested Jamie Cambell, a security consultant and founder of GoBestVPN, a site that reviews virtual private networks. Those security audits should be open-sourced so that multiple security experts can review them, he recommended.
“There are many things that can make electronic voting machines insecure,” Cambell added. “It’s not just the machines or operating systems. It can be the way that the machines store and transmit the data.”