Out of date: Bartholomew County upgrading computers from fading Windows 7

In this June 13, 2019, photo, Steve Marcinkus, an Investigator with the Office of the City Commissioners, demonstrates the ExpressVote XL voting machine at the Reading Terminal Market in Philadelphia. An analysis by The Associated Press has found that the vast majority of the nation’s 10,000 election jurisdictions will be managing their elections on Windows 7 or an even older operating system. (AP Photo/Matt Rourke)

County officials are in the process of upgrading about 600 computers, including those used for election voting and tabulations, in anticipation of Microsoft ending support for one of its popular, but aging, computer operating systems.

Microsoft, the maker of the operating system, Windows 7, will stop providing security updates and other support for the system on Jan. 14.

Currently, at least some of the county’s computers still use Windows 7, said Scott Mayes, Bartholomew County director of information technology.

“The plans have already been in motion for the past two years, actually,” he said. “And all those upgrades are in process and will be completed.”

[sc:text-divider text-divider-title=”Story continues below gallery” ]

Mayes said all county computers, including those used in the voting process, would be upgraded to Windows 10 or another operating system before Microsoft ends support for Windows 7 in January, but wouldn’t say how many of the county’s computers have been upgraded so far, citing security concerns.

However, other county officials confirmed that at least the standard desktop computers in the county’s voter registration and election office, child support payment office and clerk’s office have not yet been upgraded.

The city of Columbus uses Windows 10, city officials said.

The effort to upgrade the county’s computers comes as Microsoft began reminding users in March that Windows 7 would reach “end of life” on Jan. 14. End of life means that Microsoft will no longer provide technical support or security updates for the operating system, including patching security vulnerabilities after the end-of-life date, according to Microsoft’s website.

Currently, around one in five desktop computers in the United States still use Windows 7, according to data analytics firm StatCounter.

“That’s a very serious concern,” said J. Alex Halderman, a University of Michigan professor and renowned election security expert. He said the country risks repeating “mistakes that we made over the last decade or decade-and-a-half when states bought voting machines but didn’t keep the software up-to-date and didn’t have any serious provisions” for doing so.

The AP surveyed all 50 states, the District of Columbia and territories, and found multiple battleground states affected by the end of Windows 7 support, including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina. Also affected are Michigan, which recently acquired a new system, and Georgia, which will announce its new system soon.

“If you continue to use Windows 7 after support has ended, your PC will still work, but it will become more vulnerable to security risks and viruses,” according to Microsoft’s website. “Your PC will continue to start and run, but you will no longer receive software updates, including security updates, from Microsoft.”

However, Microsoft officials told the The Associated Press earlier this month that it will offer security updates for a fee through 2023. The Jan. 14 end of life does not apply to some specialized versions of Windows 7, including some embedded versions of the operating system, which are designed to perform tasks on specific devices that aren’t computers — including some voting machines, ATMs and gas pumps. Depending on the version, support for those specialized systems may still be available through October 2021, according to Microsoft’s product lifecycle database.

Windows 7 was released in 2009, according to Microsoft. Two versions of Windows have been released since then. The latest, Windows 10, was released in 2015.

Mayes said the county has software assurance contract with Microsoft that ensures that the county “the latest operating systems are always available to us for all Microsoft products.” The county budgeted $125,000 in 2018 and $91,000 in 2017 for the agreement, which includes all of the county’s Microsoft licenses and services, Mayes said.

“It’s just a typical lifecycle of Microsoft products,” Mayes said. “As you move forward with using those products, you just have to upgrade them as they reach their end of lifecycle.”

Nation’s voting machines use ‘7’

Many of the nation’s voting machines also use Windows 7.

By the end of the month, Bartholomew County’s voting machines will not be among them, said Bartholomew County Clerk Jay Phelps.

Two weeks ago, MicroVote, the manufacturer of the voting machines the county uses, picked up all of the county’s 137 voting machines, as well as the two computers that the county uses to count votes and program the voting machines, took them to Indianapolis and is in the process of upgrading them to Windows 10, Phelps said.

“Definitely, we’re updating everything to full capacity, which is wonderful,” Phelps said.

Bartholomew County is one of 29 counties in Indiana that use the MicroVote Infinity 4.1 direct-recording electronic voting machine, which initially ran on Windows 7, according to public records obtained from the Indiana Election Division.

Phelps said he expects voting machines and the two computers to be ready by the end of the month. The machines are being upgraded under the terms of the county’s $12,000 annual maintenance agreement with MicroVote.

Bartholomew County, however, is not the only election jurisdiction in the United States that needed upgrades to its voting system.

The “vast majority” of the nation’s 10,000 election jurisdictions use Windows 7 or an older operating system “to create ballots, program voting machines, tally votes and report counts,” according to an analysis by The Associated Press.

Microsoft said this week that it “has notified nearly 10,000 customers they’ve been targeted or compromised by nation-state attacks” that originated in Iran, North Korea and Russia, including some attacks that were related to the democratic process, according to a blog post by Tom Burt, the company’s corporate vice president for customer security and trust.

“Many of the democracy-focused attacks we’ve seen recently target NGOs (non-government organization) and think tanks, and reflect a pattern that we also observed in the early stages of some previous elections,” Burt said in the blog post. “In this pattern, a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serve as a precursor to direct attacks on campaigns and election systems themselves. We saw such attacks in the U.S. presidential election in 2016 and in the last French presidential election.”

In 2017, federal officials told election officials in 21 states that hackers had targeted their computer systems in the run up to the 2016 presidential election, according to wire reports. Indiana was not among the 21 states.

Cybersecurity risks

There are several potential risks associated with continuing to use an operating system that has reached end of life — including not receiving security “patches,” or fixes, when a security vulnerability is uncovered, cyber security experts said.

“The biggest risk, I would say, is that security vulnerabilities that are discovered more than likely won’t be fixed by the vendor,” said Dylan Owen, senior manager for cyber services at Raytheon Intelligence, Information and Services, a business unit of international aerospace and defense firm Raytheon Company, which reported $27.1 billion in sales last year. “In the case of Windows 7, Microsoft more than likely won’t fix a security vulnerability that’s found after the end of life.”

“Once somebody like Microsoft announces end of life, the bad guys kind of go back and pay more attention to those (operating systems) because they know that there aren’t going to be people actively working to fix the security vulnerabilities,” Owen added. “That becomes a better target because they don’t have to worry about the vulnerability being patched.”

Another problem that can arise when using an operating system past its end-of-life date is software compatibility.

“If you’re running Windows 7 and let’s say you have some accounting software — it could be election-related software — and the vendor comes up with a new version of that software, it may be incompatible with the whole operating system,” Owen said.

“So there’s a problem there that you can’t run the latest version of a piece of software. If the old version (of that software) has security vulnerabilities in it as well, now there’s two places where somebody could come and try to attack you or compromise your system, through the operating system and now through this old, outdated piece of software because you can’t use the newest versions of the software because you have an old (operating system). They kind of build on each other.”

However, there are some alternatives to upgrading the operating systems, the experts said.

If you don’t upgrade, “you can’t avoid the vulnerability entirely, but you can prevent someone from taking advantage of them,” said Jason Ortiz, senior integration engineer at Pondurance, an Indianapolis-based cybersecurity firm.

Some of those options include, among others, strong anti-virus and anti-malware systems, as well as end-point detection and response tools, which provides ongoing monitoring and detection of events that happen on a network, Ortiz said.

Ryan Gould, director of business technology at KSM Consulting, an Indianapolis-based technology, data, and management consulting firm, said he has seen a trend in the industry of using an artificial intelligence tool to scan all the traffic in and out of an organization.

Another option that was identified by cyber security experts included paying Microsoft for additional support.

“(Microsoft has) extended security support that you actually can buy for after end of life of a product, and they will then issue security patches to customers who pay that money,” Owen said. “But it’s really expensive. I haven’t seen per-desktop costs, but talking to customers who have gone that route, it’s a pretty significant cost. They don’t usually take that kind of step lightly.”

The experts agreed that it’s relatively common for security vulnerabilities to be discovered after an operating system’s end-of-life date.

After Windows XP when through end of life in 2014, “a bunch of new vulnerabilities were published,” Ortiz said.

“People are constantly finding new vulnerabilities in operating systems,” Gould said. “It is purely a matter of time before vulnerabilities are released for an operating system. It’s not if, it’s when.”

[sc:pullout-title pullout-title=”About Windows 7 end of life” ][sc:pullout-text-begin]

Microsoft began reminding users in March that Windows 7 would reach "end of life" on Jan. 14.

End of life means that Microsoft will no longer provide technical support or security updates for the operating system, including patching security vulnerabilities after the end-of-life date, according to Microsoft’s website.

Visit microsoft.com/en-ww/windowsforbusiness/end-of-windows-7-support for more information.