Wisconsin Campaign Finance System Breach Reveals Security Vulnerabilities

Wisconsin’s​ Campaign Finance Information System (CFIS) ⁤was compromised in late November and nobody from the Wisconsin Ethics Commission seems to want to‍ talk on the record about it.

But audio recordings obtained by The Federalist raise serious‍ questions about the CFIS breach and the responsibility‍ government ⁢agencies have to notify the legislature of integrated technology security threats.

Through the Backdoor

The breach ⁢occurred on the ​eve of Thanksgiving and continued for several days,‍ a commission staff member told Adrianne⁣ Melby, a self-described “moral conservative” ⁤ and arguably one⁢ of Wisconsin’s ‌more passionate open government and election⁢ integrity activists. In attempting to check campaign finance⁣ reports that are stored​ on the CFIS site, Melby found the system⁤ inoperable ⁢and called the agency to find out what the problem was.

While Ethics Commission Administrator Daniel Carlton has refused to return multiple requests ⁣for comment from The Federalist about the breach, Melby had an illuminating conversation with an agency staff member identified only as Richard following the long Thanksgiving ⁣holiday weekend. The ⁤only “Richard” listed online as part of the Ethics Commission’s program staff as of June 2020 is a Richard Bohringer. ⁣Since Wisconsin is a one-party consent state, Melby recorded the conversation and provided the audio to The Federalist.

First, Melby⁣ spoke with a different staff member who wouldn’t‌ say what caused the system shutdown, only that there were “some things that are currently out of our hands⁢ right now.” The staff member described the problem⁤ as a “maintenance issue,” and that the agency was trying to get the CFIS‌ back up and running “as soon as possible.”

When she spoke with Richard, Melby asked whether ⁢the site was hit by a cyber ⁣attack. It wasn’t, he said, acknowledging “there was some unauthorized acts” and the state’s ‌Division of Enterprise Technology (DET) was “just figuring out how they gained access,” he said.

Richard claimed that‌ the invaders didn’t attack ⁤the database server, but did manage to access the website server beginning around 4:30 p.m. on Wednesday, Nov. 22. ​Why? Apparently whoever got in wanted to use the server to host videos. They found a “backdoor” into the internals of the‍ 15-year-old ⁣campaign finance and lobbying database website.

“From ‍what we can tell … it doesn’t​ look like anybody ‍did anything nefarious on the site,” Richard told Melby. “From what they [DET] can tell, it got triggered Wednesday. They were showing, like, a huge demand on the site, and ⁣what they found out was there was videos streaming. It was like somebody else was hosting⁤ their video on ⁤the site and ‌people watching it.”

“They were ⁢just using the server resources to broadcast their videos,‌ basically,” he said.

The official reiterated that the site‌ pirates did not access the​ campaign⁣ finance database itself.

“Out of an abundance of caution,” the ​Division of Enterprise Technology apparently shut down the site in advance of ⁣Black Friday and Cyber Monday, high online traffic days littered with scammers and hackers, Richard​ said. ⁢An official with the DET referred The Federalist’s ⁢questions to the Wisconsin Department of ‌Administration. DOA has not returned a call seeking comment.

But the⁢ Ethics Commission agent told Melby that the state had to “bring in someone at‌ the national level even to kind of look stuff over.”⁣ Just‍ who ​that “national ‌level” individual ⁢was, he didn’t elaborate.

A Breach of Confidence

Republican ⁣State Rep. ​Janel Brandtjen raised the breach concern last month at a hearing on an ⁣Ethics Commission-related bill. At the hearing, Carlton, the commissioner’s administrator, noted that the Campaign Finance Information System is looking at a significant overhaul,‌ at a‌ cost of $325,000. He‌ told the Assembly Campaign Finance and Elections Committee that the old system, built in 2008, is a “dinosaur.”

“Why exactly are they going‌ through this⁤ process right now? It’s because they were hacked, and they were⁢ hacked through a backdoor,” Brandtjen said at the hearing. The lawmaker wants to‌ establish protocol mandating government agencies “promptly notify the legislature in the event ⁤of‌ a system breach.”

“Establishing a protocol for timely notification of system breaches ⁣to the legislature is vital for maintaining transparency,⁣ fostering⁤ public ⁣trust, enabling swift legislative action, ⁣mitigating risks, and ensuring government systems’ overall security and⁣ integrity. ⁤I eagerly anticipate CFIS’s report on their recent system breach,” Brandtjen said in‌ a press release.

A memo from the Wisconsin Legislative Reference Bureau notes state law already requires all ⁤“entities” that maintain personal information “notify the subjects ​of‍ that information if unauthorized persons gain access to it.” State policies also include “security standards and incident response standards and procedures,” ⁤the bureau noted.

“The incident response procedures set baseline requirements for all state agencies, who​ must have ⁢policies for incident response training, testing, reporting, and more,” ⁤the memo states.

The question is, did the⁣ Ethics Commission fail‍ to follow​ the law and incident response procedures?

Brandtjen said Carlton and his team at the Ethics Commission have not responded​ to her office’s request for information. That’s why she brought the​ matter up at the​ hearing. The conservative firebrand lawmaker, who has paid the price politically for her focus ⁤on election integrity, said grave concerns remain about the security of⁤ Wisconsin’s campaign finance and​ elections systems. The Wisconsin Elections Commission’s controversial administrator Meagan Wolfe, who has thus far successively staved off efforts to remove her from office, has ⁢boasted about how she helped build the Badger State’s WisVote system.

“How many other agencies have this problem, ‌particularly in this age of AI?” Brandtjen said.

State Rep. Donna Rozar,​ a Republican who ‍serves on the Assembly’s Campaign Finance and ⁤Elections ‍Committee, said she was a‍ little taken aback by Brandtjen’s “allegations”⁤ at the hearing on the campaign finance bill. She said it was “a little out of context.” Rozar⁣ said she has spoken with⁣ Carlton and he explained the upgrade to the ​Campaign Finance Information System wasn’t “triggered”⁣ by the breach in November. She acknowledged, however, that “she⁣ never ​could get good details [from the administrator] about ​what happened.”

“We have⁤ got to ⁣be so savvy about our computer security,” Rozar said. “I am very concerned about cybersecurity and I’m worried we are not doing ​enough to protect all levels of government and business.”

Adrianne Melby, who ‍brought the security issue to light, ⁣said ‍the breach is “deeply concerning.”

“Apparently this is some ‍sort of breach‍ or hack that took a federal official to come in and fix,”​ she said.⁤ “What confidence‍ can I have that information wasn’t wiped or information wasn’t inserted? … For ⁣it to be‌ down for seven days — from Nov. 22 to 29, that’s concerning.”

Listen to Melby’s conversations with Ethics Commission staff members here.

---