Also concerning, there is no mention in the law or any indication that Georgia will lease, rather than buy, its voting equipment. Leasing was a popular recommendation that emerged from the SAFE Commission, but I fear the idea was forgotten.
I still see a lack of understanding about cybersecurity in this discourse. Frequent news about organizations falling victim to cyberattacks should make it abundantly clear that no system is ever secure. Even when not directly connected to the Internet, a system still can be attacked. For example, the Stuxnet virus infected an Iranian nuclear facility with malware that was introduced into the system via USB or memory card. Therefore, to claim, “our voting machines are not connected to the Internet, and therefore secure” is preposterous. To also say, “Our voting machines have not been attacked yet, and are therefore secure” is unreasonable. No one would believe their home is secure because it has not been burglarized yet.
As part of a cybersecurity research community that works regularly with the Defense Department and global organizations, I am able to study many forms of cyberattack. New attacks are continuously discovered while “hardened systems” are proven to be flawed. This is why I remain an advocate for a hand-marked, paper ballot-based voting system, which guarantees that cyberattacks cannot alter votes.
In summary, we still do not have a secure voting system. Georgia must not presume that a new bill means new voting equipment will be fail-safe. Lawmakers, poll workers, and citizens must become more educated about the methods of attack and more vigilant to protect the cyber-integrity of our election equipment – today, tomorrow, and every year hereafter.
Wenke Lee, Ph.D., is a professor of computer science and co-executive director of the Institute for Information Security and Privacy at the Georgia Institute of Technology. He has published nearly 150 cybersecurity research papers and is a Fellow of the Association of Computer Machinery (ACM).