Georgia’s top election official is disregarding a recently released report that identifies serious vulnerabilities in Georgia’s computerized election system, instead siding with a conflicting report and claiming that scientific findings about cybersecurity threats are no more than conspiracy theories.
The Georgia secretary of state, Brad Raffensperger, charged with overseeing elections, announced that despite the report’s findings, he will not update software to protect against the vulnerabilities before the 2024 presidential elections.
The dueling reports were released by a federal court as part of a lawsuit. One, a 96-page report prepared by J Alex Halderman, and Drew Springall, computer science professors at the University of Michigan and Auburn University, respectively, is based on tests of the equipment used in the increasingly important swing state. The report, which had been sealed for two years by the court, found “vulnerabilities in nearly every part of the system that is exposed to potential attackers” which could allow votes to be changed, potentially affecting election outcomes in Georgia, according to a summary by Halderman.
The other was prepared by Mitre, a research and development company, and paid for by Dominion Voting Systems, manufacturer of the state’s electronic voting system. Mitre did not have the same access to test Georgia’s voting equipment, and claimed the vulnerabilities are unlikely to be exploited on a wide scale.
In justifying his decision not to update the state’s voting system, Raffensperger pointed to the Mitre report, which says the potential attacks Halderman identifies are “operationally infeasible”.
Halderman called Raffensperger’s decision not to address the system’s vulnerabilities “irresponsible and wrong”. Raffensperger has made several statements in recent weeks calling the computer scientists’ conclusions “theoretical and imaginary”, and conflating their warnings with “Stop the Steal” efforts post-2020 – leading Halderman to label the state’s officials as “vulnerability deniers”. Computer scientists from many of the US’s leading universities signed a letter decrying the standoff, and urging Mitre to retract its report.
The scenario lands Georgia in a situation where top computer scientists and Trump-aligned election deniers appear to be sharing the same or similar concerns, even while one relies on groundbreaking research, while the other has been discredited by courts and election officials alike.
US district judge Amy Totenberg had sealed the Halderman report since 2021 because of cybersecurity concerns, as part of a lawsuit that started before the most recent presidential election and rise of election deniers. But an agreement was reached earlier this month to release a redacted version, together with the Mitre report.
Halderman, who has researched digital elections equipment for decades, said court-ordered access to Georgia’s election equipment, manufactured by Dominion, allowed them to do “the first study in more than 10 years to comprehensively and independently assess the security of a widely deployed US voting machine, as well as the first-ever comprehensive security review of a widely deployed ballot marking device”.
“The most critical problem we found,” Halderman wrote, is a “vulnerability that can be exploited to spread malware from a county’s central election management system to every ballot-marking device in the jurisdiction. This makes it possible to attack the ballot-marking devices at scale, over a wide area, without needing physical access to any of them.”
Mitre’s countering report not only lacks any testing of voting machines, it also relies on a key premise, stated in a footnote on the first page: that no one besides election workers have access to the state’s voting hardware and software.
But records obtained by the Coalition for Good Governance – the group behind the ongoing lawsuit against Georgia’s election system – show that people associated with the effort to deny the 2020 election results visited rural Coffee county’s election department in early 2021, and the Trump attorney Sidney Powell was able to copy Dominion software and other data. These records, including surveillance video, were reported by the Washington Post and are now under investigation by the Georgia bureau of investigation (GBI).
The Coffee county security breach and other issues led a group of 29 computer scientists from MIT, Harvard, Yale, Stanford, Princeton, Georgia Tech and other US universities to write a letter last week urging Mitre to retract its report, calling the company’s conclusions a “dangerously misleading analysis”.
“Mitre embarrassed themselves,” Richard DeMillo, a computer science professor at Georgia Tech and one of the letter’s signers, told the Guardian. The report is “based on representations from the secretary of state about physical security, when right before our eyes, we can see video of people marching into Coffee county’s election department”.
Mike Hassinger, a spokesperson for Raffensperger, pointed to the GBI investigation when asked about the Coffee county incident and whether people other than election workers can access voting equipment.
Hassinger also said that the “vulnerabilities identified in a lab are not real vulnerabilities, and do not pose risks” to the state’s election system. But DeMillo, who has worked in cybersecurity at Hewlett-Packard and the US Department of Defense, said: “If Alex Halderman can discover the system’s vulnerabilities, then nation states like North Korea and Russia can as well.”
DeMillo has testified as part of the lawsuit, now in its sixth year. In 2019, the Coalition for Good Governance’s efforts led Judge Totenberg to order the state to scrap its previous statewide computer election system, made by Diebold Election Systems, due to vulnerabilities – a first in election integrity court cases. Diebold no longer makes voting machines, and coalition plaintiffs have continued their efforts to force the state to use paper ballots filled out by hand for voting instead of touchscreens, as is done by nearly 70% of voters across the US, with computers available for people with disabilities.
“Ballots filled out by pencil and paper are non-hackable,” said Marilyn Marks, executive director of the coalition. Georgia’s current system prints out a ballot after voters use touchscreens, and the ballot has a barcode that scanners read to record each voter’s choices.
In the months leading up to Georgia’s 2019 decision to change its election system to Dominion’s machines, a committee formed to advise the state on the decision ignored the recommendations of its lone computer scientist, Georgia Tech’s Wenke Lee, who urged the state to move to paper ballots marked by hand.
But the state ignored the recommendations and purchased machines from Dominion, another digital system, instead. “You can see that pattern of negligent, vulnerability denialism – of not facing facts,” Halderman said.
In a statement released on 20 June, Raffensperger said that “critics of Georgia’s election security” are probably either “election-denying conspiracy theorists or litigants in the long-running … lawsuit. These two groups make ever-shifting but always baseless assertions that Georgia’s election system is at risk because bad actors might hack the system and change the result of an election.”
The statement conflates conspiracists like Cyber Ninjas – the now-defunct company that performed discredited “audits” in Arizona after the 2020 presidential election – with cybersecurity experts who have decades of research to their names at leading universities. Asked about the researchers’ claims, Hassinger dismissed the line of inquiry as an “appeal to authority fallacy” and said in an email that “election denialism comes in many forms”, again conflating researchers with conspiracists.
Halderman told the Guardian he found Raffensperger’s 20 June statement “offensive”.
“Can they actually not tell the difference?” he asked. “Are they so incompetent? Scientists can’t sit quietly while a state like Georgia continues to ignore these issues.”