On Wednesday, Federal Court Judge Amy Totenberg disclosed a formerly classified document that will stir up a fresh storm around the safety of Georgia’s election infrastructure. The report pinpointed exploitable weaknesses that could potentially enable a cyber intruder to tamper with voting data. Hopefully, the freshly unsealed report might add fuel to the ongoing argument over Georgia’s decision to retain or discard its $138 million voting system.
The report was released in relation to a pending lawsuit aimed at forcing Georgia to trade in its Dominion Voting Systems hardware and software for traditional hand-marked paper ballots. For the report, Alex Halderman, a computer science professor from the University of Michigan and the plaintiffs’ expert witness, was given access to Georgia’s voting equipment and passwords by Judge Totenberg.
In his 2021 examination, Halderman asserted that the voting system was plagued with “serious vulnerabilities that could be manipulated to override all security measures in place.” According to Halderman, a single voting machine could be targeted for vote alteration by someone with physical access to the voting touchscreen, and an intruder with access to the election management system’s computers could potentially wreak havoc on a wider scale.
Secretary of State Brad Raffensperger, who is defending the lawsuit, has dismissed the report’s findings. He contends that Halderman managed to identify these vulnerabilities due to his privileged access, asserting that real-world security measures would successfully counter any such attack.
In response to Halderman’s findings, Dominion Voting Systems commissioned the MITRE National Election Security Lab, an organization renowned for examining election apparatus and assessing vulnerability risks. The report was initially sealed by Totenberg out of fear it might be used for nefarious purposes during an election. But upon requests from both critics and supporters of the system, the report was finally unsealed, albeit with Halderman’s report having been redacted to prevent sensitive data from being disclosed.
The report brings to light the specific vulnerabilities uncovered by Halderman – that a 2020 software update in Georgia left ballot marking devices (BMDs) in a state where malware could be easily installed by anyone with short-term access to the machines. He further pointed out that meddling with a particular electronic file, installed during election preparation, could enable a hacker to disseminate malware to all BMDs within a county or even across the entire state.
MITRE’s report analyzed the technical expertise and time required to carry out the types of attacks Halderman suggested, as well as their detectability and their potential to alter enough votes to impact election outcomes. MITRE deemed Halderman’s proposed attacks “operationally infeasible,” stating that most kinds of attacks would affect a negligible number of votes and would likely be identified through risk-limiting audits like those used after the 2020 presidential election.
However, the Coalition for Good Governance, one of the plaintiffs in the lawsuit, disputed MITRE’s report, alleging it to be based on the incorrect assumption that existing security protocols are adequate. They referenced a 2021 election data breach in Coffee County as a case in point.
The coalition also called out the Secretary of State’s office for postponing updates to Georgia’s Dominion software until after the 2024 election. Raffensperger stated last month that while the latest software update would be piloted this year, it has yet to be deployed by any jurisdiction. He did, however, outline other security measures that his office is implementing to ensure the integrity of the elections.
The current Dominion machines are running software version 5.5. Dominion wants to move to 5.17, but this represents a major update and would take between 15 and 20 minutes per machine. The new version has many changes – not many are visible to the voter or poll worker, but 5.17 would still require new manuals and training. Georgia’s Election Director, Blake Evans, is worried that rolling out GRVIS (the new voter registration system that moves Georgia’s election data to Salesforce) along with this major change to Dominion would be too much, so he has decided that for 2024 they will continue to use the same software version in the Dominion machines. They will update a few machines with the new version to test in small municipal elections but will not let them out to the counties. A version 5.5 project can’t be opened with a 5.17 machine, and a 5.17 project can’t be opened with a 5.5 machine, so once you upgrade, you can’t go back.
Gabriel Sterling, chief operating officer for the secretary of state’s office, claimed that “We were already doing essentially everything CISA said to mitigate these issues before the Halderman report came out.” But this ignores a key line from Halderman – “I explain how such malware can alter voter’s votes while subverting all of the procedural protection practiced by the State, including acceptance testing, hash validation, logic and accuracy testing, external firmware validation, and risk limiting audits.”
The U.S. Cybersecurity and Infrastructure Security Agency conducted an independent evaluation of the Dominion systems last year, validating the potential risks highlighted by Halderman. But perhaps the most damaging line in the report is what the authors label as their Main Conclusion #1:
“The ICX BMDs are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia. Adversaries with the necessary sophistication and resources to carry out attacks like those I have shown to be possible include hostile foreign governments such as Russia—which has targeted Georgia’s election system in the past—and domestic political actors whose close associates have recently acquired access to the same Dominion equipment that Georgia uses through audits and litigation in other jurisdictions.”