A federal judge Wednesday unsealed two previously confidential reports that shed light on the security of Georgia’s election system.
One report detailed vulnerabilities that could allow a hacker to change votes. The other determined that the risk of someone committing such acts is remote.
A federal assessment found no evidence that the vulnerabilities had ever been exploited. And despite claims by former President Donald Trump, numerous investigations and recounts determined his 2020 loss to Democrat Joe Biden was not tainted by fraud.
But the reports unsealed Wednesday likely will continue the debate over whether Georgia should replace its $138 million voting system.
The reports were released as part of an ongoing lawsuit that seeks to force Georgia to drop its Dominion Voting Systems hardware and software in favor of hand-marked paper ballots.
The first report was produced by Alex Halderman, a computer science professor at the University of Michigan and an expert witness for the plaintiffs in the lawsuit. U.S. District Judge Amy Totenberg gave Halderman access to Georgia voting equipment and passwords.
His 2021 analysis said the voting system “suffers from critical vulnerabilities that can be exploited to subvert all of its security mechanisms.”
Halderman said votes could be altered by someone with physical access to a voting touchscreen, such as a voter in a polling place. Such a hack could target only one voting machine at a time, limiting the number of ballots that could be changed. But an attack by someone who gained access to the election management system computers could have a wider impact.
Secretary of State Brad Raffensperger, a defendant in the lawsuit, has rejected the report’s conclusions. He’s said Halderman was able to find vulnerabilities only because he had unique access to the voting system, and security procedures would thwart an attack in the real world.
Dominion Voting Systems hired the MITRE National Election Security Lab, an organization that analyzes election equipment and evaluated the risk of vulnerabilities, to assess the Halderman report.
Totenberg sealed both reports out of concern they could be used to hack Georgia’s system during an election. But she unsealed them after critics and supporters of the system asked for them to be made public. Halderman’s report has been redacted to prohibit the release of sensitive information.
The reports provide previously undisclosed details of the vulnerabilities Halderman found.
For example, he concluded that a software update Georgia installed in 2020 left ballot marking devices, or BMDs, “in a state where anyone can install malware with only brief physical access to the machines.” He also found that altering a certain electronic file, installed during election preparation, could allow a hacker to spread malware to all ballot marking devices across a county or the entire state.
“No grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia’s elections already possess,” Halderman said. “Unfortunately, even if such an attack never comes, the fact that Georgia’s BMDs are so vulnerable is all but certain to be exploited by partisan actors to suppress voter participation and cast doubt on the legitimacy of election results.”
The MITRE report assessed the difficulty and technical skill needed to successfully achieve the kinds of attacks Halderman outlined. It also assessed the time required, whether such attacks would be detectable and the ability of such attacks to affect enough ballots to tip the outcome of an election.
MITRE said the attacks Halderman envisions are “operationally infeasible” given the normal operating procedures of voting precincts and election officials. Even if successful, it concluded most kinds of attacks would affect “a statistically insignificant number of votes on a single (voting) device at a time.”
MITRE also said most kinds of the attacks would be detectable through the kind of risk-limiting audit performed after the 2020 presidential election.
The Coalition for Good Governance, a plaintiff in the lawsuit, disputed the MITRE report, which it said was premised on the false claim that existing security measures are sufficient. In a press release, the group cited a 2021 election data breach in Coffee County.
Surveillance video and other evidence show Trump supporters — aided by county election officials — copied Georgia’s statewide voting software. The GBI is investigating the incident, but no charges have been filed.
The coalition also noted that the secretary of state’s office won’t update Georgia’s Dominion software as recommended until after the 2024 election.
Last month Raffensperger said it would pilot the latest software update this year, but he noted it has not yet been deployed by any jurisdiction. In the meantime, he outlined other security measures his office is taking to secure elections.
As to the Coffee County incident, any system — including the usage of hand-marked ballots — is vulnerable to a bad actor such as an election official who provides access, said Gabriel Sterling, chief operating officer for the secretary of state’s office.
The U.S. Cybersecurity and Infrastructure Security Agency conducted its own review of Dominion systems last year. It confirmed that the type of vulnerabilities outlined by Halderman pose a risk. But it found no evidence those weaknesses had ever been exploited. And it said many of the precautions needed to mitigate the risk are standard practices in jurisdictions that use the system.
“We were already doing essentially everything CISA said to mitigate these issues before the Halderman report came out,” Sterling said.
About the Author
