The Vermont Secretary of State’s Office was warned earlier this year of potential vulnerabilities in new software being developed by the company that manages the state’s voter registration system, officials said.
However, they maintained that staff there are confident that the issues — which were first reported last week by Politico — never put voter information at risk.
The warning, Politico reported, stemmed from a discovery in 2023 by election officials in New Hampshire that a firm building new voter registration software for that state, and managing the existing registration software in Vermont, had outsourced some of its programming work.
WSD Digital — which is based in Connecticut — is also developing new voter registration software for Vermont, though unlike New Hampshire’s, the system will not be ready to use until next year, according to Lauren Hibbert, Vermont’s deputy secretary of state.
According to Politico, a cybersecurity probe of the system being developed for New Hampshire found software misconfigured to connect to servers in Russia, as well as the use of code that is freely available online — known as open-source code — and that is overseen by a Russian computer engineer convicted of manslaughter.
A programmer had also coded the Ukrainian national anthem into New Hampshire’s voter database, an apparent nod to Russia’s ongoing invasion of that country, the news outlet reported. The presence of the anthem, however, posed no threat to the software itself.
Politico reported that WSD Digital resolved the coding issues before New Hampshire’s software went into use ahead of its presidential primary election this spring. It also noted that there was no evidence of wrongdoing. But the outlet did, broadly, find a lack of oversight across the country of the supply chain states tap to build the software that manages their elections.
Hibbert said the specific issues identified in the Politico article, while concerning, were found to have had no impact on the software that WSD Digital is building for Vermont. Moreover, she said, the security review — conducted by a firm called ReversingLabs — is a standard part of software development and is designed to identify problems such as those found in New Hampshire’s software.
Vermont and some its contractors have since been “taking a closer look” at where the code they use to build election management systems comes from, Hibbert said, but maintained there was no threat to election integrity in the state.
“It did not happen in Vermont code,” Hibbert said. “We decided that we didn’t need to change the security parameters within our contract, or the way that our contract was being executed in our build, because all of the appropriate security measures are already in there.”
The Politico story prompted pushback from New Hampshire Secretary of State David Scanlan’s office. In comments to the New Hampshire Union Leader newspaper, Scanlan disputed Politico’s reporting that the state’s software used open-source code linked to Russia.
The state had a forensic expert remove “Ukrainian anthem” malware, he said, though noted it would have only been viewable to users in Russia. He said the Granite State’s voter registration database was never at risk of being compromised.
In Vermont, officials have known for years that the current software the state uses for election management — which was developed in 2014 by a company called PCC Technology Group — needed to be replaced.
An independent consultant’s review last year found that support and maintenance of the system “began to deteriorate” in 2020, around the time that PCC Technology’s parent company unified its subsidies under the brand name Civix. Support requests took “unreasonably long,” the review by Plainfield-based Paul Garstki Consulting states, and proposed upgrades “were slow in coming or never arrived at all.”
The system — which included more than just a voter registration database — then had significant challenges displaying election results on the night of the 2022 general election, the review said. By that point, it adds, the state had “lost confidence in Civix’s ability to maintain and support the system adequately and began to pursue a replacement.”
Hibbert, in an interview, said Civix “made good faith efforts” to maintain and improve the existing system but that it’s clear new software is needed. The state has since essentially made a copy of the Civix system, she said, and given control of it to WSD Digital. Meanwhile, the latter firm is also developing new software including the voter registration database.
“WSD is managing that system for us and helping us troubleshoot all of the issues that may come up within it through the end of this (2024) election cycle,” she said.
Hibbert said the state does not believe its election systems are vulnerable and that officials have taken numerous other steps to ensure the vote is secure. The Secretary of State’s Office recently met with all of its technology vendors to review their security protocols, she said, and is overseeing training on election procedures and digital security with town and city clerks.
Speaking about the new software, she added, “the vendor that we’re working with — and the security parameters that we built in — are at the leading edge of this industry.”
This article is part of U.S. Democracy Day, a nationwide collaborative on Sept. 15, the International Day of Democracy, in which news organizations cover how democracy works and the threats it faces. To learn more, visit usdemocracyday.org.
