Microsoft said Friday it will offer free security updates through the 2020 election in the United States — and in other interested democratic countries with national elections next year — for federally certified voting systems running on soon-to-be-outdated Windows 7 software.
An Associated Press analysis previously found that the vast majority of 10,000 election jurisdictions in the US use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts.
Windows 7 reaches its “end of life” on January 14, meaning Microsoft stops providing free technical support and producing “patches” to fix software vulnerabilities, which hackers can exploit. Cash-strapped election officials are scrambling to address this issue and what’s essentially a one-year extension on additional costs.
The promise of free updates does not address the cost of putting them in place or the time and cost of certifying such changes to a voting system. Fixing a new vulnerability requires that the companies resubmit the voting system for recertification, which can take weeks or even months.
At a US Election Assistance Commission forum last month, Microsoft’s Ginny Badanes, who heads its Defending Democracy Program, said that election administrators should not be forced to make the difficult choice of “using election systems with known vulnerabilities or applying security patches and, in so doing, taking their systems out of certification.”
The commission develops voting system guidelines.
In a blog post Friday, Microsoft’s vice president for security and trust, Tom Burt, said the company is working with government officials to try to streamline the lengthy certification process.
Even if that happens, making the fixes is still difficult because election systems cannot legally be changed, for example, while administering military absentee ballots 45 days before the election.
“If an important patch comes out three to four weeks before an election, it causes us to wait to implement because we can’t interfere in the election process that is already in motion,” said Louisiana’s top election official, R. Kyle Ardoin, at the commission forum.
The commission, in a statement, praised Microsoft’s move.
“Election administrators and advocates had rightly voiced concern that budget limitations would hinder their ability to pay for extended Windows 7 support and could lead to election security challenges,” the commission said. “Voters can now cast their ballots with confidence.”
Maria Dill Benson, a spokeswoman for the National Association of Secretaries of State, said in an email that “receiving this support will be a huge help to many.”
Critics say the situation is an example of what can happen when private companies, with commercial interests, ultimately determine the security of election systems with a lack of federal requirements or oversight.
Kevin Skoglund, chief technologist for Citizens for Better Elections, said the extension of support was helpful, but did not address the larger issues of the slow certification process and eventual labor costs.
Nor, he said, does it “change the fact that scarce federal, state, and local dollars are being spent on nearly-expired software.”
ES&S, the nation’s largest voting systems vendor, does not have a federally certified voting system with the latest, Windows 10 operating system on the market. Such a system was recently submitted for federal certification.
Spokeswoman Katina Granger said in a statement that the company was pleased by the free security updates and “will be communicating soon with our customers on the distribution of any updates.”