This story was co-published with The News & Observer and The Herald Sun in Raleigh, North Carolina.
The Richmond, Virginia, website that tells people where to vote and publishes election results runs on a 17-year-old operating system. Software used by election-related sites in Johnston County, North Carolina, and the town of Barnstable, Massachusetts, had reached its expiration date, making security updates no longer available.
These aging systems reflect a larger problem: A ProPublica investigation found that at least 50 election-related websites in counties and towns voting on Super Tuesday — accounting for nearly 2 million voters — were particularly vulnerable to cyberattack. The sites, where people can find out how to register to vote, where to cast ballots and who won the election, had security issues such as outdated software, poor encryption and systems encumbered with unneeded computer programs. None of the localities contacted by ProPublica said that their sites had been disrupted by cyberattacks.
ProPublica also spotted files that should have been kept hidden because, when identified, they could give hackers a roadmap to the computer system’s weaknesses. Some election websites shared the same computer server with many other local government sites, magnifying the potential repercussions of an attack. “Shared hosting environments are rarely appropriate for critical infrastructure,” researchers Bob Rudis and Tod Beardsley of the security firm Rapid7 wrote in a February report for ProPublica.
At a time when cybersecurity concerns have come to the forefront of American elections, ProPublica’s findings reveal the frailty of some local computer networks. Fake Election Day information could disenfranchise voters by sending them to the wrong polling place. Tainted results could stall a campaign, since primary wins drive momentum with financial contributions and political support.
After the Iowa caucuses fiasco, in which a mobile app’s flaws apparently unrelated to security delayed results for days, any security breach could test voters’ confidence in the integrity of the election process. Counties and towns increasingly seek the U.S. Department of Homeland Security’s assistance in scanning their systems for security problems, but the federal government can’t make them do so.
“Public websites are an area of concern as we look at county-level election offices,” especially those that lack financial resources and expertise, said a senior U.S. official, who wasn’t authorized to speak on the record. The federal government isn’t aware of specific plans by foreign adversaries to attack county websites, the official said, but “we know it’s in the playbook.”
Three localities — Barnstable, Johnston County and Sebastian County, Arkansas — said they would fix their systems after ProPublica notified them of their vulnerabilities last month. At least three other sites examined are still powered in part by software from the early 2000s, contrary to guidance from the government and industry. Besides Richmond, they include Belchertown, Massachusetts, and Virginia’s King and Queen County.
“It’s not surprising to me at all that these platforms haven’t been updated in more than a decade,” said Sara Moriarty, a Richmond voter who works for a local nonprofit. “I don’t think they have the resources to think about how their systems could be hacked or turned against them to spread disinformation.”
Election security concerns have focused at times on machines used for voting and tabulating at polling places. But localities often publish unofficial results and provide other election-related information on their own sites. Districts with problematic sites ranged from rural areas such as King and Queen County, with about 5,000 registered voters, to cities such as Richmond, with more than 153,000. Smaller counties and towns may lack the IT staff and financial resources to operate the most up-to-date computer systems.
Senate Democrats have proposed several bills that would appropriate $1 billion for local election security and set federal guidelines for websites that publish voting results, but they haven’t gained traction. “We have to focus holistically on the security of our voting systems, ranging from voting machines to registration databases to election-results reporting systems,” said Democratic Sen. Mark Warner of Virginia, vice chair of the Senate’s intelligence panel. “Nothing less than voter confidence in the integrity of our elections is at stake.”
ProPublica uncovered the problems by using software that scans websites for vulnerabilities. Although such scanners can produce false-positives, ProPublica confirmed its findings through interviews with government officials or additional reporting.
At our request, Rapid7 independently examined a broad swath of municipal websites, including some that don’t publish voting results, since they could be hijacked to provide election misinformation. It declined to provide specifics on individual websites but said smaller counties and towns tended to run “dangerous or inappropriate” software. Those districts, Rapid7’s Rudis and Beardsley wrote in their report, “certainly could use help securing election-related websites. This help should come from their states, their higher-population neighbors, or the federal government.”
Security flaws caused hiccups during the 2018 midterms. In one case, a flood of internet traffic briefly brought down Knox County, Tennessee’s, website that published primary-night returns. A security consultant later said that the problem may have stemmed from a software glitch on the website.
Lawrence Norden, the director of the election-reform program at NYU’s Brennan Center for Justice, said experts have already seen attacks on election-reporting systems abroad, such as in Bulgaria. “It seems, unfortunately, an easy way to undermine voter confidence,” he said.
Johnston County, a reliably Republican district about 40 minutes southeast of Raleigh, has roughly 131,600 registered voters. Its site lists polling place addresses and election results. ProPublica found it was running software that, in late 2019, reached what is known as its end of life. (Like milk or medicine, software often carries an expiration date when manufacturers no longer sell or support it.)
Jeff Howard, Johnston’s IT manager, said that in response to ProPublica’s findings, his staff updated the obsolete parts of the website, which primarily helps residents research septic tank permits. He said updates must be done carefully. Rushing to install the latest software to fix critical security problems can backfire because newer versions may lack features that the website relied on to function. At worst, such a change would require revising thousands of lines of computer code.
Barnstable in Massachusetts and Sebastian County, Arkansas, ran an even older version of the same software used by Johnston County. Barnstable IT Director Dan Wood said that the software — which expired in September 2015 — was removed from the town’s website after our inquiries. Officials in Sebastian County said they would also turn off the software, and ProPublica confirmed the website has been fixed.
Johnston’s was also one of about two dozen Super Tuesday sites that ran file-sharing software, which security experts say could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its weaknesses. Lu Hickey, a county spokeswoman, said it hasn’t been a problem.
Richmond, Virginia’s capital, tends to vote Democratic and is roughly 48% African-American. It still uses the Windows Server 2003 operating system, which the U.S. government has warned hasn’t received “automatic fixes, updates, or online technical assistance” from Microsoft since July 2015. “Running an unsupported operating system carries security and compliance risks. Therefore, we don’t recommend that users run their apps on Windows Server 2003,” a Microsoft spokesperson said in a statement.
J. Kirk Showalter, Richmond’s elections chief, said her website publishes PDFs of state and federal election results about one to two weeks after Election Day, although city council and school board results are usually posted online election night or the next day. Showalter said her systems passed security tests as recently as December. Richmond IT officials said their website still receives periodic “out of band” security updates from Microsoft — meant to plug significant, ad-hoc security holes — and stressed that officials have spent millions of dollars to safeguard and upgrade the city’s IT infrastructure. Only 2% of city servers still run Windows 2003, they said.
“We are absolutely prepared to protect the integrity of our elections and have taken significant steps to do so. The technology that supports and secures our information systems has been regularly updated and is continuously tested, and we will continue to take the necessary steps to be prepared and make sure these systems are protected,” said Richmond spokesman Jim Nolan.
Besides Richmond, Belchertown, Massachusetts, and King and Queen County, Virginia, are also Super Tuesday locales that run Windows 2003. The two areas account for about 15,600 registered voters. King and Queen elections director Diane Klausen said she was unaware of the outdated operating system until ProPublica notified her office about it. Klausen said she hopes that the server will be updated this year, adding that the county recently underwent a cybersecurity review by Virginia’s elections department and that she feels confident that its site is reliable. Virginia Department of Elections Commissioner Christopher Piper said his state’s elections site “remains the source of truth for all election activities and information.”
Kevin Hannon, Belchertown’s IT director, confirmed that its server is running Windows 2003, and that “there are vulnerabilities.” He said an upgrade will be in place by the general election in November. Still, he said, the server is not “at great risk” because it’s behind a firewall, and is isolated from the rest of the network. “I am not concerned that while we are waiting on the updated server that information … will be compromised,” he said.
Erroneous or delayed results could sour the public’s trust even if voters don’t visit the websites themselves. Local journalists often rely on the kinds of county websites ProPublica investigated to inform their readers about election results, newspaper archives show. The Associated Press’ vote count draws from multiple sources, including stringers, state data feeds and tallies from local government websites, AP spokeswoman Lauren Easton said.
Last month, ProPublica discovered that the mobile app used during the Iowa caucuses was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed. Veracode, a security firm that reviewed the software at ProPublica’s request, said the lack of safeguards meant phone transmissions were left largely unprotected. There’s no evidence that hackers intercepted or tampered with the Iowa results.
“Think #IowaCaucus meltdown is bad?” Florida Sen. Marco Rubio, a member of the chamber’s intelligence committee, tweeted. “Imagine very close presidential election. Russian or Chinese hackers tamper with preliminary reporting system in key counties. When the official results begin to be tabulated, it shows a different winner than the preliminary results online.”
Acting Homeland Security Secretary Chad Wolf has said his agency “fully expects” Russia to attempt to interfere in this year’s elections. The government’s concerns echo a minority view by Democratic Sen. Ron Wyden of Oregon in a Senate intelligence committee report on Russian interference in the 2016 election, warning that county officials could be outgunned against nation-state hackers.
“America is facing a direct assault on the heart of our democracy by a determined adversary,” Wyden wrote. “We would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army. We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army.
“That approach failed in 2016,” it continued, “and it will fail again.”