Noon Wednesday: County Election Websites Vulnerable
Andy Moore:
Hello, happy Noon Wednesday, everybody. I’m Andy Moore, I’m sitting in for Marisa Wojcik, who’s on assignment this week. We’ve learned this hour that UW-Madison will suspend face-to-face student instruction effective March 23 when students will be asked not to return to campus. That’s the day after spring break’s scheduled end. Employees will are instructed to remain in their regular work schedules until further notice. But students effective March 23 are being asked to not even return to the dorms. We’re learning more about this and Will Cushman, our digital editor and reporter, will be on-site at a 2 p.m. UW-Madison press conference and he’ll have more online for you on that. But again, Chancellor Blank announcing this hour and elaborating at 2:00 p.m. that student face-to-face instruction will be suspended effective March 23. We’ll also have more on that on Friday’s Here & Now, as you would expect. And I’ll tell you about that at the conclusion of our interview with Will Cushman, who’s here with us from WisContext.org, reporter for WisContext.org. In the flight of work that’s happening around coronavirus, the primary election season is marching on with results overnight primary results from Michigan and an assortment of other states just from yesterday. And even as we get closer to the April 7 primary in Wisconsin, the Wisconsin Elections Commission is concerned about county securities and the integrity of local county election and vote count for two reasons. And they’re describing two cyber practices that are of concern that apply to some, but not all counties in Wisconsin. Will have been doing some deep research on this and reporting that went up on WisContext just in the last 24 hours. And let’s talk about those two practices that are of concern. One at a time. What is one of those practices that is putting election security at risk?
Will Cushman:
Sure. So I want to first start out with this is a related but separate issue from the Elections Commission recent decision to essentially threaten local committee — communities who have, who are still using devices that are maybe operating under old software or otherwise unsecure. They’re threatening to identify those counties publicly to get them to move over to more secure devices. So this that’s a separate issue, but a related issue to this. What I looked at was a couple, as you said, basic kind of web practices that cyber security experts and the Elections Commission are both considering kind of best practices for county elections websites. And the primary concern is that in Wisconsin, county elections websites are where the unofficial results are reported on election night. So they’re important, even though they’re unofficial results. That’s where people go on election night to find out who won a specific county.
Andy Moore:
Wisconsin is somewhat unique in their reliance on the local machinery, are we not?
Will Cushman:
Totally unique. Yep. It’s the only state where that happens in that way. And so that’s why the security of county websites is all the more important in Wisconsin than it is basically anywhere else, at least in terms of election integrity. And so I read a report that was published last month by McAfee, cyber security vendor, that described two practices. The first one is encryption security. So what we commonly known that no, as HTTPS, all websites — it’s basically it’s been around for years now. I talked to some cybersecurity experts here in Wisconsin who said actually that it’s a standard practice in the business world. And one expert I talked to who’s a faculty at Milwaukee School of Engineering said that he was really surprised to see that there are counties in the state that still are operating websites that are not using that encryption security. There are actually 13 counties in the state that don’t use that encryption security, at least as of yesterday. And what that encryption security does is it protects the connection between a website visitor. So on election night, if you want to check out unofficial results in your local county, when you visit that, your county’s website, if you don’t see that, a little icon in the left-hand side of the web address bar of a padlock or some other indication that it’s an HTTPS website, you can’t be totally confident that someone isn’t snooping on that connection between you, the website visitor, and the website server. And the primary concern here is what is called a man-in-the-middle attack. And this is where a bad actor could conceivably snoop on that connection, on any communications that are going through. But the main concern with reporting unofficial election results is that a bad actor could basically hijack that connection and secretly, without your knowledge, redirect you to essentially a dummy website that looks potentially exactly the same.
Andy Moore:
And you think you’re getting county results.
Will Cushman:
Yeah, and they could alter them, especially in Wisconsin, where in a lot of counties election results are razor thin. You don’t even have to do that much manipulation to maybe change the winner in a county or make it appear that way. I need to emphasize that this is — would have no effect on the actual vote or the actual
Andy Moore:
That’s important.
Will Cushman:
— voting infrastructure. What is a primary concern here is that such a man in the middle attack could cause quite a bit of confusion. And so election night chaos, which is, as we learned from a special counsel, Robert Mueller’s year’s-long investigation into the 2016 elections, was a primary objective of the Russian government.
Andy Moore:
Will, it’s done an incredible job mapping where these counties and these concerns are in some graphics online at WisContext.org. How many counties, if you can tell us off top your head, are qualified in this encryption zone problem?
Will Cushman:
Yeah. 13. So there’s 13 counties that as of yesterday, were not using an encrypted website.
Andy Moore:
What are those counties say when you’ve checked in with them with regards to, I’m searching for better words than noncompliance, but using their status quo?
Will Cushman:
Right. And it is good to point out that they’re not necessarily out of compliance with any rule or anything and that the Elections Commission only serves an advisory role. They can’t, they don’t really have a mechanism for forcing a county to do anything maybe other than revealing their identity if they don’t like what they’re doing in terms of security practices. But I spoke to a few counties who know that they are woefully behind in adding this encryption security and they know that there are resources. Actually, the Elections Commission provides grant funding and technical support. To add this encryption security to a county website. And they say that they are moving as quickly as they can over to — at least the ones I spoke to, I did not speak to all 13 counties, but the ones I spoke to said that they are moving as quickly as they can over the encryption security. It just is taking some time. They’re trying to couch in kind of like a wholesale upgrade to the website along with adding this encryption security. And that obviously is going to slow down the process.
Andy Moore:
I believe your report indicated that there are state funds to help localities with this. So which has to be very welcome. Let’s move on to the second practice that is causing consternation about local election security and tell us about that.
Will Cushman:
That is the use of .gov as a domain name. So basically the end of a web address. So it’s like DaneCounty.gov vs. DaneCounty.com. That’s just, that’s not actually the web address of Dane County, but just using that as an example. So the cyber security experts — so the McAfee report also suggested that counties move over to using the dot gov domain. That hasn’t been a standard practice. And the Elections Commission, while they say they agree that that is a best practice, that to them is a lower priority than the use of encryption security. And that’s primarily because the use of a .gov domain and additionally .gov email addresses is not itself inherently more secure than using any other domain. But what it is really important for election administration officials say, is it can help queue citizens to the legitimate — excuse me, the legitimacy of a website. That is legitimately being operated by a government entity, and that is because the federal government that’s the use of .gov domains. So if you are a local county or municipality, what have you, you have to apply for use of a .gov domain, federal government checks out, make sure you’re legit before you get approved to use that domain. That’s not the case with any other domain. .com even, even ones that seem more official like .org or .us. Anyone who has a credit card and has or has the means to pay for it can scoop up one of those domains.
Andy Moore:
It’s useful information to know about that vetting with the .gov. Even out of the context of this story, and I don’t know how widely known that .gov stamp of approval is really understood. So that’s an interesting sidebar to this whole thing anyway. It seems for sure. So you did a statewide review of this, as I alluded to, in which you can see on WisContext.org. But what kinds of things did you find as you as you looked at the entire Badger State?
Will Cushman:
A really wide variation in the web practices of counties across the state. So as I mentioned, there are 13 counties that don’t use encryption security still. There are 58 counties in the state that do not use a .gov domain. In the counties that do use a .gov domain, those are for the most part are counties that have moved over to that domain relatively recently because I think as I said before, it was not a standard practice before or even really a standard recommendation. And there’s a huge variation in the domains that counties actually use. There’s .com, there’s .org, there’s .wi.us, there’s all sorts of stuff. So there’s no standardization there which can make it kind of all the more difficult and important for citizens to I guess feel that they can trust the validity of these web pages that they’re visiting. And it makes it more important to be, I guess, well informed visitor to these websites and also more important that these websites are vetted.
Andy Moore:
We have a minute or two left. And can you think of a story to tell about a specific county that you can use to show how these themes are ascending and being dealt with?
Will Cushman:
Yeah, I talked to a few counties who are struggling with the speed of making these transitions over to more secure web practices. I specifically spoke to some officials in Door County who — Door County has been working on moving over to an encrypted website since mid2019, they said. They already use a .gov domain, they’re actually one of the few counties in the state that uses a .gov domain. But they still don’t have encryption security. And they said it’s been it’s been much more challenging a larger project than they thought because they are one of the counties that is using this as an opportunity to upgrade the entire website. They were hoping to have their new encrypted website completed by January 1st. It’s not quite ready yet. They are really hopeful. And in fact, the assistant I.T. director for the county who I spoke to who was kind of managing the rollout of the new website, said that if she has to be there 24 hours a day, seven days a week, this new website will be live before that April 7th primary. But she said, and I’ve heard this from at least one other county as well, that part of the slower than expected pace in upgrading the website is that they also have to make sure that the new websites are ADA compliant. So they’re accessible to people with vision impairments or other disabilities. And so that testing that and making sure that the websites are fully accessible is a slow process. But they want to make sure that once they go live with a new upgraded website, that it’s not only secure, but that it’s able to serve all of their citizens.
Andy Moore:
Well, thank you Will. Thanks so much. It’s an important topic in the midst of many important topic. Wisconsin — WisContext.org is where you can see Will’s report. By the way, and not accidentally, Will and his team have done an amazing job staying ahead of and forecasting the impact of the pandemic and the coronavirus situation in Wisconsin. So that’s also a great place to go for more on that. And as I said at the top of this segment, we learned this hour, Chancellor Rebecca Blank has informed students that face-to face-instruction will be suspended effective March 23. That’s the day after spring break. Essentially asking students not to return after spring break, asking them not to return to residence halls. Employees work will continue as scheduled. There’s a 2:00 p.m. press conference, our digital reporter Will Kenneally will be covering that. So keep your eye on us online, PBS Wisconsin, Here & Now news online. And we’ll have more for you on that. And finally, we have a confirmation for Friday’s Here & Now from Associate Vice Chancellor at UW-Madison, Jake Baggett. He’s also the executive director of UW-Health Services. And he’ll be outlining the university’s plan in greater detail for us on Friday’s Here & Now program. Marisa Wojcik will be back next Wednesday for Noon Wednesday. I am Andy Moore. Thanks for watching Noon Wednesday.
Passport
Follow Us