The Richmond, Virginia, web site that tells individuals wherever to vote and publishes election outcomes operates on a 17-year-outdated running process. Program employed by election-relevant web sites in Johnston County, North Carolina, and the town of Barnstable, Massachusetts, had attained its expiration date, earning protection updates no lengthier obtainable.

These getting older programs replicate a greater challenge: A ProPublica investigation identified that at least 50 election-linked internet sites in counties and towns voting on Tremendous Tuesday — accounting for approximately two million voters — have been specifically vulnerable to cyberattack. The sites, where by folks can come across out how to register to vote, exactly where to cast ballots and who gained the election, experienced safety concerns these kinds of as outdated software, lousy encryption and methods encumbered with unneeded computer plans. None of the localities contacted by ProPublica claimed that their web pages had been disrupted by cyberattacks.

ProPublica also noticed data files that should have been saved concealed due to the fact, when identified, they could give hackers a roadmap to the pc system’s weaknesses. Some election web-sites shared the identical computer server with several other regional governing administration websites, magnifying the opportunity repercussions of an assault. “Shared internet hosting environments are seldom ideal for significant infrastructure,” researchers Bob Rudis and Tod Beardsley of the protection business Rapid7 wrote in a February report for ProPublica.

At a time when cybersecurity fears have arrive to the forefront of American elections, ProPublica’s conclusions expose the frailty of some nearby pc networks. Bogus Election Day information and facts could disenfranchise voters by sending them to the improper polling place. Tainted effects could stall a campaign, because key wins push momentum with monetary contributions and political guidance.

Following the Iowa caucuses fiasco, in which a cell app’s flaws evidently unrelated to safety delayed success for times, any security breach could exam voters’ confidence in the integrity of the election procedure. Counties and cities significantly seek the U.S. Section of Homeland Security’s support in scanning their systems for safety challenges, but the federal govt just can’t make them do so.

“Public web sites are an spot of issue as we appear at county-stage election offices,” particularly those people that lack financial methods and knowledge, explained a senior U.S. official, who wasn’t authorized to discuss on the record. The federal federal government isn’t aware of precise strategies by foreign adversaries to assault county internet sites, the formal said, but “we know it is in the playbook.”

3 localities — Barnstable, Johnston County and Sebastian County, Arkansas — explained they would repair their units just after ProPublica notified them of their vulnerabilities past month. At least 3 other web-sites examined are even now driven in section by computer software from the early 2000s, contrary to direction from the federal government and marketplace. Moreover Richmond, they include Belchertown, Massachusetts, and Virginia’s King and Queen County.

“It’s not astonishing to me at all that these platforms haven’t been up-to-date in much more than a ten years,” reported Sara Moriarty, a Richmond voter who will work for a area nonprofit. “I really don’t believe they have the methods to assume about how their programs could be hacked or turned from them to unfold disinformation.”

Election safety problems have targeted at times on equipment utilised for voting and tabulating at polling spots. But localities frequently publish unofficial results and present other election-associated information on their personal web sites. Districts with problematic internet sites ranged from rural locations these kinds of as King and Queen County, with about five,000 registered voters, to towns this kind of as Richmond, with extra than 153,000. Lesser counties and cities may lack the IT staff and economic methods to work the most up-to-day pc programs.

Senate Democrats have proposed many payments that would correct $1 billion for community election safety and established federal recommendations for web-sites that publish voting outcomes, but they have not obtained traction. “We have to concentration holistically on the security of our voting devices, ranging from voting devices to registration databases to election-final results reporting units,” reported Democratic Sen. Mark Warner of Virginia, vice chair of the Senate’s intelligence panel. “Nothing a lot less than voter self-assurance in the integrity of our elections is at stake.”

ProPublica uncovered the troubles by working with software package that scans websites for vulnerabilities. While these scanners can develop bogus-positives, ProPublica confirmed its conclusions as a result of interviews with government officers or added reporting.

At our ask for, Rapid7 independently examined a broad swath of municipal web-sites, including some that never publish voting final results, given that they could be hijacked to provide election misinformation. It declined to supply particulars on specific web-sites but claimed scaled-down counties and towns tended to operate “dangerous or inappropriate” software package. People districts, Rapid7’s Rudis and Beardsley wrote in their report, “certainly could use assist securing election-related web-sites. This enable must come from their states, their increased-populace neighbors, or the federal government.”

Security flaws induced hiccups throughout the 2018 midterms. In 1 scenario, a flood of world-wide-web site visitors briefly introduced down Knox County, Tennessee’s, web site that revealed key-evening returns. A security expert afterwards explained that the problem may have stemmed from a software glitch on the web page.

Lawrence Norden, the director of the election-reform application at NYU’s Brennan Centre for Justice, explained industry experts have by now witnessed assaults on election-reporting programs abroad, these as in Bulgaria. “It would seem, regrettably, an effortless way to undermine voter self-assurance,” he stated.

Johnston County, a reliably Republican district about 40 minutes southeast of Raleigh, has approximately 131,600 registered voters. Its web page lists polling place addresses and election outcomes.



ProPublica discovered it was operating software that, in late 2019, arrived at what is acknowledged as its close of life. (Like milk or drugs, software typically carries an expiration day when manufacturers no more time promote or assistance it.)

Jeff Howard, Johnston’s IT manager, said that in response to ProPublica’s findings, his staff members updated the out of date areas of the website, which generally allows residents analysis septic tank permits. He mentioned updates will have to be finished cautiously. Rushing to put in the latest software program to resolve significant protection difficulties can backfire mainly because newer versions might lack options that the web site relied on to purpose. At worst, this kind of a modify would have to have revising hundreds of lines of personal computer code.

Barnstable in Massachusetts and Sebastian County, Arkansas, ran an even older version of the exact software package applied by Johnston County. Barnstable IT Director Dan Wood stated that the software — which expired in September 2015 — was taken off from the town’s web site following our inquiries. Officials in Sebastian County claimed they would also transform off the software program, and ProPublica confirmed the web page has been fastened.

Johnston’s was also a single of about two dozen Super Tuesday web pages that ran file-sharing software, which stability industry experts say could act as a gateway for hackers to receive critical specifics of a server’s running program and exploit its weaknesses. Lu Hickey, a county spokeswoman, mentioned it has not been a trouble.

Richmond, Virginia’s money, tends to vote Democratic and is about 48% African-American. It continue to employs the Windows Server 2003 functioning method, which the U.S. federal government has warned has not acquired “automatic fixes, updates, or online specialized assistance” from Microsoft since July 2015. “Running an unsupported working process carries safety and compliance risks. Therefore, we don’t recommend that buyers operate their applications on Home windows Server 2003,” a Microsoft spokesperson said in a assertion.

J. Kirk Showalter, Richmond’s elections main, stated her web page publishes PDFs of point out and federal election effects about 1 to two months after Election Day, though city council and college board results are usually posted on-line election night or the up coming day. Showalter said her devices passed security tests as not too long ago as December. Richmond IT officials explained their website however gets periodic “out of band” stability updates from Microsoft — intended to plug substantial, advertisement-hoc stability holes — and pressured that officers have expended thousands and thousands of pounds to safeguard and improve the city’s IT infrastructure. Only 2% of town servers nonetheless run Home windows 2003, they claimed.

“We are definitely well prepared to secure the integrity of our elections and have taken important ways to do so. The know-how that supports and secures our information devices has been on a regular basis up-to-date and is repeatedly tested, and we will proceed to just take the required actions to be well prepared and make confident these devices are shielded,” mentioned Richmond spokesman Jim Nolan.

Other than Richmond, Belchertown, Massachusetts, and King and Queen County, Virginia, are also Tremendous Tuesday locales that operate Windows 2003. The two spots account for about 15,600 registered voters. King and Queen elections director Diane Klausen stated she was unaware of the outdated working method right until ProPublica notified her place of work about it. Klausen stated she hopes that the server will be updated this 12 months, including that the county lately underwent a cybersecurity review by Virginia’s elections department and that she feels confident that its web-site is reputable. Virginia Department of Elections Commissioner Christopher Piper explained his state’s elections web page “remains the source of real truth for all election pursuits and data.”

Kevin Hannon, Belchertown’s IT director, verified that its server is managing Home windows 2003, and that “there are vulnerabilities.” He reported an up grade will be in spot by the normal election in November. Nevertheless, he mentioned, the server is not “at good risk” since it is driving a firewall, and is isolated from the relaxation of the network. “I am not concerned that even though we are waiting around on the current server that information … will be compromised,” he reported.

Faulty or delayed effects could sour the public’s rely on even if voters don’t go to the web-sites on their own. Local journalists frequently rely on the varieties of county web-sites ProPublica investigated to advise their readers about election final results, newspaper archives exhibit. The Connected Press’ vote depend attracts from multiple resources, which include stringers, point out details feeds and tallies from regional authorities websites, AP spokeswoman Lauren Easton claimed.

Previous month, ProPublica found that the mobile app utilized all through the Iowa caucuses was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed. Veracode, a protection company that reviewed the program at ProPublica’s ask for, explained the lack of safeguards meant cell phone transmissions have been remaining largely unprotected. There’s no proof that hackers intercepted or tampered with the Iowa results.

“Think #IowaCaucus meltdown is undesirable?” Florida Sen. Marco Rubio, a member of the chamber’s intelligence committee, tweeted. “Imagine very close presidential election. Russian or Chinese hackers tamper with preliminary reporting program in essential counties. When the formal outcomes start to be tabulated, it shows a unique winner than the preliminary success on the web.”

Performing Homeland Stability Secretary Chad Wolf has claimed his agency “fully expects” Russia to attempt to interfere in this year’s elections. The government’s problems echo a minority check out by Democratic Sen. Ron Wyden of Oregon in a Senate intelligence committee report on Russian interference in the 2016 election, warning that county officers could be outgunned in opposition to nation-state hackers.

“America is dealing with a immediate assault on the coronary heart of our democracy by a determined adversary,” Wyden wrote. “We would not question a nearby sheriff to go to war from the missiles, planes and tanks of the Russian Army. We shouldn’t question a county election IT worker to battle a war in opposition to the full capabilities and large resources of Russia’s cyber army.

“That technique failed in 2016,” it ongoing, “and it will fail all over again.”