A divided Wisconsin Elections Commission has settled on a scaled-back proposal to provide temporary replacement computers to clerks to tighten security of the state’s voter database ahead of the 2020 elections.
Ahead of Tuesday’s special meeting, WEC staff raised concerns about clerks accessing the database on machines running on critically outdated software, leaving the system vulnerable to hackers. They also pressed commissioners to approve $300,000 to purchase 250 temporary replacement computers.
Instead, a divided commission voted 4-2 to approve $30,000 to cover 25 computers.
Commissioner Ann Jacobs argued the staff’s recommended approach would create a “perverse incentive” for municipalities who chose not to upgrade their IT systems.
“In other words, we’re literally saying keep running on the other thing because we’ll give you a free one,” she said.
Elections Commission Administrator Meagan Wolfe countered that the program would be an “emergency stopgap” to shore up security in the short term with the 2020 presidential election drawing closer.
“We want to make sure that the resource challenges faced at the municipal level don’t impact our overall security of elections here in Wisconsin,” she said.
The commission also approved: purchasing software that would allow staff to undertake a thorough review of the security posture of all users of the WisVote voter database; adding a federally funded position to support the temporary replacement program; and the hiring of a marketing firm to lay the groundwork for a public information campaign.
Election Security Lead Tony Bridges told commissioners a review of the roughly 2,7000 users with access to the WisVote database identified at least five municipal clerks accessing the system using computers that were running Windows XP.
That software program was first rolled out in 2001 and has not been supported with security updates since 2014.
Bridges added that just under 600 users were using computers running Windows 7, an operating that will stop receiving free security updates in Jan. 2020. While Microsoft will continue to provide security updates for a fee through 2023, Bridges estimated roughly half of the 600 would “not find a path to compliance.”
Quizzed by commissioners as to why so many clerks would allow their systems to fall out of date, Wolfe said software updates and IT maintenance can be a “really big decision” financially for municipalities.
“In some of these places, buying a computer and buying the IT support necessary to keep them in compliance is the same cost as keeping their lights on in a town hall for the year,” Wolfe said. “For some of them, that choice has already been made.”
Bridges added that a full-fledged software update could prevent clerks from using programs they need to fulfill other duties, such as line-of-business software, if those programs were not compatible with the new operating system.
In order to bridge that gap and get a clearer picture of security risks among all users, commissioners unanimously agreed to purchase software to conduct so-called “end-point” testing.
There was far less consensus among commissioners as to how to address the out-of-date software once its users had been identified.
Bridges said the 250 computers staff wanted to buy could be loaned out if the end-point testing revealed security threats or if a clerk’s computer was confiscated for investigation by the Division of Enterprise Technology in the wake of a cyber incident.
Commissioners balked at the request.
Several found the price — well over $1,000 per unit — to be unreasonable when scaled-down laptops could be purchased for one-tenth of the cost.
Wolfe replied that the new computers would be managed devices, meaning the vendor would be responsible for providing IT support along with the hardware and software. Bridges said the computers would likely price out around $250 per unit, with remaining cost going toward service fees such as licensing costs, office support, tech support, warehousing, delivery and warranty.
Wolfe said the long-term goal was to ensure all municipal clerks were in compliance on their own.
She also dismissed the notion that clerks in municipalities that had upgraded their computers would be aggrieved by the move. She said that WEC’s Clerk Advisory Committee was supportive of the move and had indicated concern to the commission “multiple times” that “any weakness could impact all of them.”
Still unconvinced, Jacobs and Commission Chair Dean Knudson pushed for the loaner program to be converted into a rental program in which municipalities would have to pay a recurring fee to use WEC computers. Knudson said such a move would make the program “more sustainable.”
“Wouldn’t a monthly rental fee encourage them to budget for upgraded hardware? Wouldn’t that provide an incentive for them to become independent?” Knudson asked.
Bridges argued that if the goal is to get clerks into compliance, a fee structure would likely not work. Instead, he said it would encourage clerks in cash-strapped municipalities to work around the WisVote system by maintaining separate voter databases on spreadsheets, further exacerbating the security risk.
Wolfe added that WEC likely did not have the infrastructure in place to manage payments from hundreds of municipalities and was unsure such rentals would be allowed under the state procurement system.
The commission ultimately settled on the scaled-back pilot program with a number of conditions that would add the 25 computers. In the short term, commissioners said, the security risks posed by the five clerks using Windows XP and the need for temporary replacement computers during DET investigations mandated that a small number of loaner devices be made available.
Commissioners directed staff to study the feasibility of a rental program and complete as much of the end-point testing as possible ahead of the commission’s Sept. 24 meeting to determine whether the initial proposal for 250 devices was adequate.