A recently unsealed expert report arguing that Georgia’s Dominion Voting Systems machines are vulnerable to vote-rigging and hacking has sparked alarm in Georgia, even as the state downplayed the risks and its plans to mitigate them.
This week, a federal judge in Atlanta unsealed two reports in a federal court case regarding the use of Dominion ballot marking devices in Georgia elections. A report written by University of Michigan computer science professor Alex Halderman for plaintiffs in a federal court case seeking to block the use of Dominion machines in the Georgia election argued that the Machines are extremely vulnerable to hacker attacks. The other, paid by Dominion, argued the identified vulnerabilities are virtually improbable, while Georgia officials say they are exaggerated and unrealistic.
But federal agencies have identified the same vulnerabilities, and more than 20 cybersecurity experts rushed to defend Halderman’s report this week. Some of the problems could be alleviated by upgrading Dominion’s software, but Georgia officials say the upgrade is unrealistic — a massive undertaking they won’t begin until after the 2024 election.
There is no evidence that hackers have attempted to exploit any of the identified vulnerabilities, or that such a hack has taken place in previous elections. But Georgia has been at the center of election conspiracy theories propagated by President Donald Trump and his allies, many of whom have highlighted Dominion Voting Machines and claimed the election was hacked. Fox News recently agreed to pay Dominion $787 million to address allegations that Dominion voting machines were rigged in the 2020 election.
Halderman was granted access to the voting machines by the federal judge in that case and argues in his report that the state’s ballot marking machines are vulnerable to voter fraud, including ballot fraud.
The warnings are dire and suggest that Georgia’s voting machines could be tampered with by malicious actors within minutes. Halderman argued that attackers could modify the QR codes on printed ballots and install malware on individual voting machines “with only brief physical access.” They could attack the broader electoral system if they had the same access as certain county-level election officials, his report said.
“My technical insights give Georgia voters significantly less reason to rely on the votes they cast [the current Dominion ballot-marking devices] are assured that their votes will be counted correctly or that future elections will use Georgia’s votes [ballot-marking devices] will be reasonably safe from attack and give correct results,” he wrote.
A second report, also unsealed by the judge, was written by nonprofit national security organization MITER. This group argued that the hacks identified by Halderman were “operationally unfeasible” based on normal voting practices, size considerations, and adherence to strict security measures.
This view is shared by Georgian officials, including the MITER report in a press release criticizing Halderman’s report.
“The risks outlined in the researcher’s report are theoretical and imaginary,” Georgia Secretary of State Brad Raffensperger said in a statement. “Our security measures are real and mitigate them all.”
Voting cybersecurity professionals have long struggled to characterize the vulnerabilities they find in voting machines. Such flaws are rarely exploited in an actual election, especially to a degree that could alter the results, and can be used by election deniers as fuel for false claims.
Recommended
But the Halderman report’s findings of a vulnerability that could potentially spread nationwide, coupled with Georgia’s refusal to update the machines before 2024, are of particular concern to some experts.
Mark Lindeman, director of policy and strategy at voting technology group Verified Voting, said Halderman’s identified vulnerabilities were “rightfully frightening” and Georgia’s response was worrying.
“They made a decision to race on flat tires in the storm season and he may have reasons for that, but you can’t say it’s safe,” he said.
“Dangerous” or “safest and smartest way”?
Halderman argues that the MITER analysis, which Georgia officials use to defend their decision, is flawed because security measures are not always followed. In a Twitter thread criticizing Georgia for not updating the software, Halderman pointed to Coffee County, Georgia, where on Jan. 7, 2021, a Republican Party official instructed outsiders to copy part of the voting system. Election experts are increasingly warning of the risks that insider threats pose a threat to American elections.
“The known breaches in Georgia would be enough to uncover and exploit every vulnerability we found — and likely others we missed,” he wrote in a tweet.
A group of more than 20 cybersecurity and elections researchers agreed and wrote a letter to MITER demanding the retraction of the analysis.
“MITRE’s entire analysis is based on an assumption that has been proven wrong,” it said in an open letter. “MITRE’s analysis isn’t just plain wrong — it’s dangerous, as it will surely cause states like Georgia to delay installing Dominion’s software updates and implementing other important remedial actions.”
Updating the software — a fix that Halderman says will mitigate some of the risks — is a massive, time-consuming endeavor that can take months and cause problemsS It comes with its own risks, said Gabriel Sterling, the chief operating officer in the Georgia Secretary of State’s office.
“The new software has not, to my knowledge, been used in any elections in the world,” Sterling said called. “It’s certified by the EAC, which is great, but as with any new software, there are always things found in real-world deployment that may not work the way people intended.”
The state also considered updating part of it systems, Sterling said, but Georgia Lawyers concluded that the law requires a unified system.
“Legally, logistically and simply in terms of risk management, this was the safest and wisest way to go,” he said, saying he would have to wait until 2025 to update the voting machine’s software.
Sterling also warned that Halderman’s report would be used to “stoke the fire” of election denial.
And it’s already being called a bombshell by those who tried to overturn the 2020 election results, despite the lack of evidence of actual hacking of the contest.
Steve Bannon, a former Trump strategist, spoke about Halderman’s report with several guests on his War Room show, including Garland Favorito, an activist who heads an election integrity group in Georgia.
“There are some amazing findings that basically mirror what we’ve been saying all along,” Favorito told Bannon. “What Mike [Lindell] said what you and I said and so many people that the system is very insecure – it can be hacked.”