U.S. cybersecurity agency reviews hacking risk to Georgia voting system

Georgia election officials say the state’s voting systems are secure and that vulnerabilities discovered in a lab would be difficult to exploit in a real election.

There’s no indication that Georgia’s election computers manufactured by Dominion Voting Systems were hacked in the 2020 election, but an ongoing election security lawsuit alleges the touchscreens could be exploited in future elections. Three ballot counts and multiple investigations checked the 2020 election results.

Both Secretary of State Brad Raffensperger and plaintiffs in the lawsuit have called for a redacted version of the hacking report to be made public, but CISA urged a judge not to disseminate further information for now.

“Such premature disclosure increases the risk that malicious actors may be able to exploit any vulnerabilities and threaten election security,” CISA, an agency within the U.S. Department of Homeland Security, said in the filing.

CISA will analyze the extent of potential vulnerabilities, work with Dominion and develop mitigation measures, according to the agency’s court filing.

If vulnerabilities are confirmed and fixes required, CISA’s review could reverberate beyond Georgia. Dominion touchscreens that print out paper ballots, called ballot-marking devices, are used in jurisdictions in 12 states, including California, Michigan and Missouri.

The report was produced by University of Michigan computer science professor Alex Halderman, who as an expert for the plaintiffs was able to examine Georgia’s voting equipment for 12 weeks and look for flaws.

Halderman found that malicious software could be installed on voting touchscreens so that votes are changed in QR codes printed on paper ballots, which are then scanned to record votes, according to court documents.

The secretary of state’s office reviewed Halderman’s report after a judge made clear last month that it could be shared with election officials, following reporting about the potential vulnerability by The Atlanta Journal-Constitution. But the report remains sealed from public view.

Raffensperger said Halderman is “way off base.”

“I’m sure that anyone who has that kind of unlimited access could do something, but it’s not the real world,” Raffensperger said during an Atlanta Press Club interview Thursday.

David Cross, an attorney for the plaintiffs, said more information should be revealed about the risks to Georgia’s voting system after CISA has an opportunity to review it. Cross asked a judge last week to release a redacted version of the report within 30 days.

“Sending it to CISA for this purpose so that they can basically make the independent decision of how to do that balancing act is appropriate,” Cross said in court Feb. 2. “The public is entitled to have an understanding of the general matters covered in the report.”

It’s unclear how long CISA’s review would take, but the agency said it would provide an update in 30 days.

After CISA finishes its evaluation and develops safeguards, it will disclose information about vulnerabilities and mitigations but not necessarily release Halderman’s full report.

“CISA works regularly with companies and researchers to identify, mitigate and disclose vulnerabilities in a timely and responsible manner,” according to a statement by an agency spokesman. “CISA will continue to work closely with state and local election officials and the vendor community to help them ensure the security and integrity of our elections.”

Our reporting

The Atlanta Journal-Constitution last month reported on a sealed report alleging that Georgia’s voting touchscreens could be vulnerable to tampering by someone who had physical access to them. Since then, Secretary of State Brad Raffensperger and plaintiffs in the lawsuit have called for the report to be made public. Now, the U.S. Cybersecurity and Infrastructure Agency has begun a review of the potential risks.