Georgia won’t update Dominion voting machines before 2024, despite cybersecurity expert warnings

The Georgia secretary of state’s office is relying on a report commissioned by Dominion regarding the company’s voting machines.

By Natalia Mittelstadt, JUST THE NEWS June 21, 2023

Georgia is delaying a software update for its Dominion voting machines until after the 2024 presidential election, despite cybersecurity experts warning of vulnerabilities.

A nearly 2-year-old report was finally made public last week and showed Dominion voting machines had significant vulnerabilities, which led the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue a public advisory last year based on the findings. However, Georgia election officials say that the machines won’t be updated until after the 2024 elections because it’s such a massive undertaking.

The report was completed in July 2021 by University of Michigan Professor of Computer Science and Engineering J. Alex Halderman with Professor Drew Springall, of Auburn University, and focused in part on vulnerabilities they found after examining Dominion’s ImageCast X Ballot Marking Devices for three months.

A redacted copy of the report was released June 14 by the U.S. District Court for the Northern District of Georgia, Atlanta Division.

The report was completed on behalf of the plaintiffs in the case of Curling v. Raffensperger and found the Dominion machines are vulnerable to vote flipping.

Halderman suggested the machines were capable of being manipulated in mere minutes by bad actors, saying the QR codes on printed ballots could be altered and malware installed on individual machines “with only brief physical access.”

The broader voting system could be attacked if bad actors have the same access to it as certain county-level election officials, the report also concluded.

However, Halderman stated there is no evidence such vulnerabilities have been exploited in past elections.

“My technical findings leave Georgia voters with greatly diminished grounds to be confident that the votes they cast on [the current Dominion ballot-marking devices] are secured, that their votes will be counted correctly, or that any future elections using Georgia’s [ballot-marking devices] will be reasonably secure from attack and produce correct results,” he wrote.

Last June, in response to Halderman’s report, CISA urged election officials to mitigate the risks caused by the vulnerabilities in the Dominion machines but also stated the agency “has no evidence that these vulnerabilities have been exploited in any elections.”

Following the Halderman report, Dominion commissioned the nonprofit MITRE Corp.’s National Election Security Lab to respond to the findings. The report, completed in July 2022, was released along with the Halderman report.

The MITRE report said the Halderman report findings were “operationally infeasible” when considering adherence to strict security measures, normal voting practices, and scale considerations.

Georgia Secretary of State Brad Raffensperger said in a statement following the release of the MITRE report that it “confirms that Georgia’s election infrastructure is secured by the toughest safeguards.”

He also said: “For years, election deniers have created a cottage industry of ever-shifting claims about conspiracies to change votes, steal elections and undermine voter confidence. This report says it all: Voting machines do not flip votes. Cast ballots are counted as the voter intended. Georgia elections are secure.”

Dominion on Wednesday referred Just the News to its website for a response to the MITRE report.

The statement in part says the report found “none of the alleged vulnerabilities listed in [the] Plaintiff’s Expert Report would allow a bad actor to change the outcome of an election, particularly given scale considerations.”

The statement also reads, “As noted in the report’s conclusions, ‘The researcher’s proposed attacks were assessed by MITRE NESL to be operationally infeasible.’”

Gabriel Sterling, chief operating officer of the secretary of state’s office, said Georgia will wait until 2025 to update the voting machines because “legally, logistically and just risk-management wise, this was the safest wisest course.”

He also said the new software, to his knowledge, has never been used in any election in the world.

In addition, Sterling said the new software has been certified by the U.S. Election Assistance Commission, “which is great, but like any new software, real-world deployment always finds things that may not work the way people intended it to.”

Halderman wrote in a Twitter thread: “MITRE’s analysis is wrong because it fails to account for how elections are operated in the real world. It is entirely predicated on a false assumption: MITRE says it ‘assumes strict and effective controlled access to Dominion election hardware and software.’”

Following the MITRE report, a group of more than 20 experts in cybersecurity and elections wrote MITRE a letter requesting its report be retracted.

“MITRE’s logic is that if procedural defenses are perfectly implemented, then the system is immune from attack,” the experts wrote. “This is a completely inappropriate methodology for assessing real-world risk, since actual risk hinges on how well defenses are implemented and operate in practice.

“MITRE’s analysis isn’t simply wrong – it is dangerous, since it will surely lead states like Georgia to postpone installing Dominion’s software updates and implementing other important mitigations.”

The lawsuit for which the Halderman report was written was originally filed in 2017 by the Coalition for Good Governance and individual voters, challenging the paperless voting machines that Georgia was using at the time.

After Georgia purchased the current system in 2019, the case shifted to those voting machines, alleging that they also have vulnerabilities.

The U.S. district judge overseeing the lawsuit initially resisted making public Halderman’s report because of concerns about the possibility of it being exploited by bad actors.

However, in the judge’s order making the report public, she said CISA and the parties in the lawsuit agreed that the proposed redactions to the report appropriately safeguarded against election security concerns.

June 22, 2023 | 2 Comments »


  1. By the time that the 2024 elections roll around, they will have had four years to make any necessary voting machine updates. That’s plenty of time. Heck, you can even get a college degree in four years. The fact that they will not do this before the next election shows that they intend to “influence” the next election, and then maybe after that one, it won’t matter anymore, anyway.

  2. It is easy to say there is no proof of fraud if you keep both eyes wide shut. The unwillingness to examine the proof is evidence enough of the fraud.