Wisconsin’s Campaign Finance Information System (CFIS) was compromised in late November and nobody from the Wisconsin Ethics Commission seems to want to talk on the record about it.
But audio recordings obtained by The Federalist raise serious questions about the CFIS breach and the responsibility government agencies have to notify the legislature of integrated technology security threats.
Through the Backdoor
The breach occurred on the eve of Thanksgiving and continued for several days, a commission staff member told Adrianne Melby, a self-described “moral conservative” and arguably one of Wisconsin’s more passionate open government and election integrity activists. In attempting to check campaign finance reports that are stored on the CFIS site, Melby found the system inoperable and called the agency to find out what the problem was.
While Ethics Commission Administrator Daniel Carlton has refused to return multiple requests for comment from The Federalist about the breach, Melby had an illuminating conversation with an agency staff member identified only as Richard following the long Thanksgiving holiday weekend. The only “Richard” listed online as part of the Ethics Commission’s program staff as of June 2020 is a Richard Bohringer. Since Wisconsin is a one-party consent state, Melby recorded the conversation and provided the audio to The Federalist.
First, Melby spoke with a different staff member who wouldn’t say what caused the system shutdown, only that there were “some things that are currently out of our hands right now.” The staff member described the problem as a “maintenance issue,” and that the agency was trying to get the CFIS back up and running “as soon as possible.”
When she spoke with Richard, Melby asked whether the site was hit by a cyber attack. It wasn’t, he said, acknowledging “there was some unauthorized acts” and the state’s Division of Enterprise Technology (DET) was “just figuring out how they gained access,” he said.
Richard claimed that the invaders didn’t attack the database server, but did manage to access the website server beginning around 4:30 p.m. on Wednesday, Nov. 22. Why? Apparently whoever got in wanted to use the server to host videos. They found a “backdoor” into the internals of the 15-year-old campaign finance and lobbying database website.
“From what we can tell … it doesn’t look like anybody did anything nefarious on the site,” Richard told Melby. “From what they [DET] can tell, it got triggered Wednesday. They were showing, like, a huge demand on the site, and what they found out was there was videos streaming. It was like somebody else was hosting their video on the site and people watching it.”
“They were just using the server resources to broadcast their videos, basically,” he said.
The official reiterated that the site pirates did not access the campaign finance database itself.
“Out of an abundance of caution,” the Division of Enterprise Technology apparently shut down the site in advance of Black Friday and Cyber Monday, high online traffic days littered with scammers and hackers, Richard said. An official with the DET referred The Federalist’s questions to the Wisconsin Department of Administration. DOA has not returned a call seeking comment.
But the Ethics Commission agent told Melby that the state had to “bring in someone at the national level even to kind of look stuff over.” Just who that “national level” individual was, he didn’t elaborate.
A Breach of Confidence
Republican State Rep. Janel Brandtjen raised the breach concern last month at a hearing on an Ethics Commission-related bill. At the hearing, Carlton, the commissioner’s administrator, noted that the Campaign Finance Information System is looking at a significant overhaul, at a cost of $325,000. He told the Assembly Campaign Finance and Elections Committee that the old system, built in 2008, is a “dinosaur.”
“Why exactly are they going through this process right now? It’s because they were hacked, and they were hacked through a backdoor,” Brandtjen said at the hearing. The lawmaker wants to establish protocol mandating government agencies “promptly notify the legislature in the event of a system breach.”
“Establishing a protocol for timely notification of system breaches to the legislature is vital for maintaining transparency, fostering public trust, enabling swift legislative action, mitigating risks, and ensuring government systems’ overall security and integrity. I eagerly anticipate CFIS’s report on their recent system breach,” Brandtjen said in a press release.
A memo from the Wisconsin Legislative Reference Bureau notes state law already requires all “entities” that maintain personal information “notify the subjects of that information if unauthorized persons gain access to it.” State policies also include “security standards and incident response standards and procedures,” the bureau noted.
“The incident response procedures set baseline requirements for all state agencies, who must have policies for incident response training, testing, reporting, and more,” the memo states.
The question is, did the Ethics Commission fail to follow the law and incident response procedures?
Brandtjen said Carlton and his team at the Ethics Commission have not responded to her office’s request for information. That’s why she brought the matter up at the hearing. The conservative firebrand lawmaker, who has paid the price politically for her focus on election integrity, said grave concerns remain about the security of Wisconsin’s campaign finance and elections systems. The Wisconsin Elections Commission’s controversial administrator Meagan Wolfe, who has thus far successively staved off efforts to remove her from office, has boasted about how she helped build the Badger State’s WisVote system.
“How many other agencies have this problem, particularly in this age of AI?” Brandtjen said.
State Rep. Donna Rozar, a Republican who serves on the Assembly’s Campaign Finance and Elections Committee, said she was a little taken aback by Brandtjen’s “allegations” at the hearing on the campaign finance bill. She said it was “a little out of context.” Rozar said she has spoken with Carlton and he explained the upgrade to the Campaign Finance Information System wasn’t “triggered” by the breach in November. She acknowledged, however, that “she never could get good details [from the administrator] about what happened.”
“We have got to be so savvy about our computer security,” Rozar said. “I am very concerned about cybersecurity and I’m worried we are not doing enough to protect all levels of government and business.”
Adrianne Melby, who brought the security issue to light, said the breach is “deeply concerning.”
“Apparently this is some sort of breach or hack that took a federal official to come in and fix,” she said. “What confidence can I have that information wasn’t wiped or information wasn’t inserted? … For it to be down for seven days — from Nov. 22 to 29, that’s concerning.”
Listen to Melby’s conversations with Ethics Commission staff members here.