The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting systems that use outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting equipment secure after a vendor ceases offering support for a product.
While a voting system would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the system is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained.
To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update.
In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is credible information that a voting system no longer complies with the guidelines. In the case of Election Systems & Software, the country’s largest voting vendor, however, the EAC said it didn’t have “grounds to decertify any ES&S product that uses software that is no longer supported by a third-party vendor.” The commissioners also said that there is no stipulation for how far into the future operating systems must support security patches for them to be certified.
In January, Microsoft will stop providing security updates for Windows 7 (users can opt in to a program to pay for them through January 2023), an operating system still used in some voting equipment. Election security advocates say election officials and vendors are closely attuned to the risk posed by vulnerable and outdated software.
“State and local election officials and software vendors are working collaboratively to address the issue of old operating systems like Windows 7,” said Ryan Macias, a voting equipment expert who until May was the EAC’s acting director of testing and certification. “The people on the ground administering election systems are very aware of the problem and are getting support from vendors and their software providers.”
In the meantime, some voting systems with Windows 10, the latest Windows system, are gradually becoming available. The EAC said it is in the process of validating an ES&S voting system that uses Windows 10, and expects to certify it in mid-October.
The election security community is tackling the challenge of outdated software as part of its preparation for the 2020 presidential election. U.S. officials say foreign powers will again try to intervene in the electoral process, following the Russian government’s sweeping efforts in support of Donald Trump in 2016. Since then, the Department of Homeland Security has invested heavily in election security in coordination with state and local officials.
Maurice Turner, senior technologist at the nonprofit Center for Democracy & Technology, said the EAC letter was a reminder of the need to update the VVSG to streamline the certification and de-certification process.
“We are no longer in a time where we can think of computer systems as appliances where you can just plug them in and they’ll be fine,” Turner told CyberScoop. “They need to be regularly updated.”
“We need to get ahead of this before we’re right back in the same scenario with Windows 10,” he added.