Some election-related websites still run on vulnerable software older than many high schoolers

Websites in dozens of towns and counties voting on Super Tuesday have security weaknesses. Richmond, Va., still uses software from 2003.

This story first appeared on ProPublica and was co-published with The News & Observer and The Herald Sun in Raleigh, N.C.

The Richmond, Va., website that tells people where to vote and publishes election results runs on a 17-year-old operating system. Software used by election-related sites in Johnston County, N.C., and the town of Barnstable, Mass., had reached its expiration date, making security updates no longer available.

These aging systems reflect a larger problem: A ProPublica investigation found that at least 50 election-related websites in counties and towns voting on Super Tuesday -- accounting for nearly 2 million voters -- were particularly vulnerable to cyberattack. The sites, where people can find out how to register to vote, where to cast ballots and who won the election, had security issues such as outdated software, poor encryption and systems encumbered with unneeded computer programs. None of the localities contacted by ProPublica said that their sites had been disrupted by cyberattacks.

ProPublica also spotted files that should have been kept hidden because, when identified, they could give hackers a roadmap to the computer system’s weaknesses. Some election websites shared the same computer server with many other local government sites, magnifying the potential repercussions of an attack. “Shared hosting environments are rarely appropriate for critical infrastructure,” researchers Bob Rudis and Tod Beardsley of the security firm Rapid7 wrote in a February report for ProPublica.

At a time when cybersecurity concerns have come to the forefront of American elections, ProPublica’s findings reveal the frailty of some local computer networks. Fake Election Day information could disenfranchise voters by sending them to the wrong polling place. Tainted results could stall a campaign, since primary wins drive momentum with financial contributions and political support.

After the Iowa caucuses fiasco, in which a mobile app’s flaws apparently unrelated to security delayed results for days, any security breach could test voters’ confidence in the integrity of the election process. Counties and towns increasingly seek the Department of Homeland Security’s assistance in scanning their systems for security problems, but the federal government can’t make them do so.

“Public websites are an area of concern as we look at county-level election offices,” especially those that lack financial resources and expertise, said a senior U.S. official, who wasn’t authorized to speak on the record. The federal government isn’t aware of specific plans by foreign adversaries to attack county websites, the official said, but “we know it’s in the playbook.”

Three localities -- Barnstable, Johnston County and Sebastian County, Ark. -- said they would fix their systems after ProPublica notified them of their vulnerabilities last month. At least three other sites examined are still powered in part by software from the early 2000s, contrary to guidance from the government and industry. Besides Richmond, they include Belchertown, Mass., and Virginia’s King and Queen County.

“It’s not surprising to me at all that these platforms haven’t been updated in more than a decade,” said Sara Moriarty, a Richmond voter who works for a local nonprofit. “I don’t think they have the resources to think about how their systems could be hacked or turned against them to spread disinformation.”

Election security concerns have focused at times on machines used for voting and tabulating at polling places. But localities often publish unofficial results and provide other election-related information on their own sites. Districts with problematic sites ranged from rural areas such as King and Queen County, with about 5,000 registered voters, to cities such as Richmond, with more than 153,000. Smaller counties and towns may lack the IT staff and financial resources to operate the most up-to-date computer systems.

Senate Democrats have proposed several bills that would appropriate $1 billion for local election security and set federal guidelines for websites that publish voting results, but they haven’t gained traction. “We have to focus holistically on the security of our voting systems, ranging from voting machines to registration databases to election-results reporting systems,” said Democratic Sen. Mark Warner of Virginia, vice chair of the Senate’s intelligence panel. “Nothing less than voter confidence in the integrity of our elections is at stake.”

ProPublica uncovered the problems by using software that scans websites for vulnerabilities. Although such scanners can produce false-positives, ProPublica confirmed its findings through interviews with government officials or additional reporting.

At our request, Rapid7 independently examined a broad swath of municipal websites, including some that don’t publish voting results, since they could be hijacked to provide election misinformation. It declined to provide specifics on individual websites but said smaller counties and towns tended to run “dangerous or inappropriate” software. Those districts, Rapid7’s Rudis and Beardsley wrote in their report, “certainly could use help securing election-related websites. This help should come from their states, their higher-population neighbors, or the federal government.”

Security flaws caused hiccups during the 2018 midterms. In one case, a flood of internet traffic briefly brought down a website in Knox County, Tenn., that published primary-night returns. A security consultant later said that the problem may have stemmed from a software glitch on the website.

Lawrence Norden, the director of the election-reform program at NYU’s Brennan Center for Justice, said experts have already seen attacks on election-reporting systems abroad, such as in Bulgaria. “It seems, unfortunately, an easy way to undermine voter confidence,” he said.

While there is no evidence hackers intercepted or tampered with the results, a security firm consulted by ProPublica found that the app lacks key safeguards.

Johnston County, a reliably Republican district about 40 minutes southeast of Raleigh, has roughly 131,600 registered voters. Its site lists polling place addresses and election results. ProPublica found it was running software that, in late 2019, reached what is known as its end of life. (Like milk or medicine, software often carries an expiration date when manufacturers no longer sell or support it.)

Jeff Howard, Johnston’s IT manager, said that in response to ProPublica’s findings, his staff updated the obsolete parts of the website, which primarily helps residents research septic tank permits. He said updates must be done carefully. Rushing to install the latest software to fix critical security problems can backfire because newer versions may lack features that the website relied on to function. At worst, such a change would require revising thousands of lines of computer code.

Barnstable in Massachusetts and Sebastian County, Arkansas, ran an even older version of the same software used by Johnston County. Barnstable IT Director Dan Wood said that the software -- which expired in September 2015 -- was removed from the town’s website after our inquiries. Officials in Sebastian County said they would also turn off the software, and ProPublica confirmed the website has been fixed.

Johnston’s was also one of about two dozen Super Tuesday sites that ran file-sharing software, which security experts say could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its weaknesses. Lu Hickey, a county spokeswoman, said it hasn’t been a problem.

Richmond, Virginia’s capital, tends to vote Democratic and is roughly 48% African-American. It still uses the Windows Server 2003 operating system, which the U.S. government has warned hasn’t received “automatic fixes, updates, or online technical assistance” from Microsoft since July 2015. “Running an unsupported operating system carries security and compliance risks. Therefore, we don’t recommend that users run their apps on Windows Server 2003,” a Microsoft spokesperson said in a statement.

J. Kirk Showalter, Richmond’s elections chief, said her website publishes PDFs of state and federal election results about one to two weeks after Election Day, although city council and school board results are usually posted online election night or the next day. Showalter said her systems passed security tests as recently as December. Richmond IT officials said their website still receives periodic “out of band” security updates from Microsoft -- meant to plug significant, ad-hoc security holes -- and stressed that officials have spent millions of dollars to safeguard and upgrade the city’s IT infrastructure. Only 2% of city servers still run Windows 2003, they said.

“We are absolutely prepared to protect the integrity of our elections and have taken significant steps to do so. The technology that supports and secures our information systems has been regularly updated and is continuously tested, and we will continue to take the necessary steps to be prepared and make sure these systems are protected,” said Richmond spokesman Jim Nolan.

Besides Richmond, Belchertown, Mass., and King and Queen County, Va., are also Super Tuesday locales that run Windows 2003. The two areas account for about 15,600 registered voters. King and Queen elections director Diane Klausen said she was unaware of the outdated operating system until ProPublica notified her office about it. Klausen said she hopes that the server will be updated this year, adding that the county recently underwent a cybersecurity review by Virginia’s elections department and that she feels confident that its site is reliable. Virginia Department of Elections Commissioner Christopher Piper said his state’s elections site “remains the source of truth for all election activities and information.”

Kevin Hannon, Belchertown’s IT director, confirmed that its server is running Windows 2003, and that “there are vulnerabilities.” He said an upgrade will be in place by the general election in November. Still, he said, the server is not “at great risk” because it’s behind a firewall and is isolated from the rest of the network. “I am not concerned that while we are waiting on the updated server that information … will be compromised,” he said.

Erroneous or delayed results could sour the public’s trust even if voters don’t visit the websites themselves. Local journalists often rely on the kinds of county websites ProPublica investigated to inform their readers about election results, newspaper archives show. The Associated Press’ vote count draws from multiple sources, including stringers, state data feeds and tallies from local government websites, AP spokeswoman Lauren Easton said.

Last month, ProPublica discovered that the mobile app used during the Iowa caucuses was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed. Veracode, a security firm that reviewed the software at ProPublica’s request, said the lack of safeguards meant phone transmissions were left largely unprotected. There’s no evidence that hackers intercepted or tampered with the Iowa results.

“Think #IowaCaucus meltdown is bad?” Florida Sen. Marco Rubio, a member of the chamber’s intelligence committee, tweeted. “Imagine very close presidential election. Russian or Chinese hackers tamper with preliminary reporting system in key counties. When the official results begin to be tabulated, it shows a different winner than the preliminary results online.”

Acting Homeland Security Secretary Chad Wolf has said his agency “fully expects” Russia to attempt to interfere in this year’s elections. The government’s concerns echo a minority view by Democratic Sen. Ron Wyden of Oregon in a Senate intelligence committee report on Russian interference in the 2016 election, warning that county officials could be outgunned against nation-state hackers.

“America is facing a direct assault on the heart of our democracy by a determined adversary,” Wyden wrote. “We would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army. We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army.

“That approach failed in 2016,” it continued, “and it will fail again.”

Jessica Huseman and Derek Willis contributed reporting.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.