Same company is Vermont election software vendor
By Guy Page
The vendor for Vermont election software offshored part of its work for New Hampshire’s elections to Russian software developers. Although caught in time, the “disaster averted” could have led to falsifying state voter rolls, according to a Politico news story last week.
The vendor, WSD of Connecticut, offshored the work while trying to meet a deadline for a New Hampshire voting system. Today, the Vermont Secretary of State’s Office confirmed that WSD is also Vermont’s vendor, and that state officials have been aware of the “disaster averted” since spring.
“WSD is our vendor for our elections management system,” Deputy Secretary of State Lauren Hibbert confirmed to VDC today.
The Politico news story reported several troubling aspects about the flawed core-js software:
- The software was “misconfigured to connect to servers in Russia and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter.”
- Also, “A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv.” And,
- Hackers could have exploited the issues to surreptitiously edit the state’s voter rolls.
The problem was reported by WSD to the Secretary of State’s office earlier this year, Hibbert said.
“The Vermont Secretary of State’s Office was notified of this issue by our vendor, WSD, in the spring and we met with them and Vermont’s CISO [Editor: Chief Information Security Officer],” Hibbert said.
The use of the open-source code in question was discovered in pre-production, Hibbert said.
“The code where the issue was found is a piece of code on the open market that is used by developers across many different software application types. We have no indication that it was targeted at election management systems,” Hibbert said.
“Additionally, WSD uses industry-leading tools to conduct continuous code reviews in development and production environments. The issue found in the code was found using those industry tools in a pre-production environment. Vermont does not have concerns about the work that WSD is doing for our state,” Hibbert said. “WSD adheres to NIST [National Institute of Standards and Technology] standards and leading practices with regard to DevSecOps [a framework that integrates security into all phases of the software development lifecycle],” Hibbert said.
This isn’t the first time Vermont’s election software has been called into question. This year’s state primary results were delayed for a day after the Secretary of State’s office reported problems with the reporting software. They were resolved in collaboration with the vendor, the office reported at the time. The election software system is a ‘legacy’ of the Condos administration and is scheduled to be replaced, SOS officials said.
