The decision marks the first time CISA has run voting machine flaws through its Vulnerability Disclosure Program, which since 2019 has reviewed and disclosed hundreds of vulnerabilities in commercial and industrial systems identified by researchers around the world. (The program aims to help businesses and consumers better protect devices against breaches.)
The security of Dominion voting machines has become a flashpoint in the tense politics of the 2020 election, with supporters of former President Donald Trump saying the results were marred by manipulated machines, while election officials — including the secretary of state and Republican governor of Georgia — insisted there was no evidence of violations or altered results.
There are nine flaws affecting versions of the machine called Dominion Voting Systems Democracy Suite ImageCast X, according to a copy of an advisory prepared by CISA and obtained by The Washington Post. The ImageCast X allows voters to mark their candidate choices on a touch screen and then produce a paper record, as was the case in Georgia. It can also be used as a paperless electronic voting machine. The flaws, many of which are highly technical and stem primarily from machine design as opposed to coding errors, typically require an attacker to have physical access to devices or other equipment used to administer the election, the agency said.
“We have no evidence that these vulnerabilities were exploited and no evidence that they affected election results,” CISA executive director Brandon Wales said in a statement to the Post. “It should be noted that standard state election security procedures would detect exploitation of these vulnerabilities and, in many cases, prevent attempts altogether. It is therefore very unlikely that these vulnerabilities could affect an election.”
CISA conducted its review in response to a report by two researchers prepared in the context of long-running litigation over the security of Georgia’s electoral system. The lead researcher, computer scientist J. Alex Halderman of the University of Michigan, served as an expert for the plaintiffs who filed the case in 2017. The plaintiffs – a group of voters and voting security activists – argued that the paperless touchscreen machines Georgia was then using, made by another company, were so lacking in security that they violated voters’ civil rights.
Georgia agreed to acquire a new system and purchased Dominion ImageCast X “ballot marking devices” in 2019, which were first used in 2020. The plaintiffs now argue that this replacement system is still too vulnerable to manipulation and that Georgia should adopt a system of hand-marked paper ballots that can be scanned and tabulated by machine.
CISA’s five-page advisory is based in part on Halderman’s 100-page report, which remains sealed in federal court in Atlanta. The advisory is expected to be released next week after officials in all 50 states are briefed.
CISA’s disclosure, however, is unlikely to settle the matter. The machine safety lawsuit is about to enter its sixth year, and unsubstantiated fraud allegations continue to animate Republican voters and elected officials.
The advisory comes as a report released Friday by The MITRE Corporation, a federally funded research and development center, reached conclusions similar to those of CISA, according to the office of Georgia Secretary of State Brad Raffensperger. The report, commissioned by Dominion, has not been made public.
“The CISA and MITRE reports show what reasonable people already know – if bad actors have full and unfettered access to any system, they can manipulate that system,” Gabriel Sterling, one of Raffensperger’s top staffers, said in a press release. “That is why measures of procedural, operational and legal integrity of elections are crucial.”
Sterling said that, like CISA, MITRE found that existing procedural safeguards observed by election offices “make it extremely unlikely that a bad actor will actually exploit … vulnerabilities” that Halderman found.
But Halderman, who has said publicly that he has no evidence the machines’ flaws have been exploited, told the Post that the vulnerabilities were serious and could be used by an attacker. Most significant, he said, is a coding flaw that allows an attacker who accesses a jurisdiction’s central election computers to spread malware to ImageCast X machines.
“Voting systems rely on multiple layers of defense, including physical and electronic safeguards,” he said. “These vulnerabilities show that unfortunately electronic protections are not as secure as they should be.”
The revelations follow Tuesday’s primary elections in Georgia, which saw record turnout for a midterm primary. No evidence of tampering was found.
In the 2020 presidential election, officials conducted a statewide manual recount, reading the names of candidates from ballots and not just re-scanning them.
Election security experts have raised concerns about insider threats from election officials who subscribe to conspiracy theories about voting machines. Tina Peters, the Mesa County, Colorado, clerk, was indicted in March on charges stemming from her efforts to copy Dominion hard drives. Peters said she did nothing wrong. Georgia officials are investigating an allegation that people looking for evidence of fraud accessed machines in Coffee County.
Election experts say the measures implemented over the years make it extremely unlikely that a malicious insider could perform a hack that alters votes to swing an election. “In many jurisdictions, two people are present when handling voting and tabulation materials,” Maria Benson, spokeswoman for the National Association of Secretaries of State, told The Post. Election officials have also implemented extensive security measures, she said, “including controlling physical access to election-related systems, ensuring they have adequate safeguards, and testing the accuracy of systems and processes before and after each election.”
Dominion was aware of the vulnerabilities and told CISA that its systems could be updated to address them, the agency said.
Emma Brown contributed to this report.