Experts warn of dangers of breach of electoral system software
ATLANTA (AP) – Republicans’ efforts to question the outcome of the 2020 presidential race have led to voting system violations that election security experts say pose an increased risk for future elections.
Copies of the Dominion Voting Systems software used to manage elections – from designing ballots to setting up voting machines and counting results – were handed out at an event this month in South Dakota hosted by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who made unsubstantiated claims about last year’s election.
“This is a game changer as the environment we talked about is a reality,” said Matt Masterson, former senior election security official in the Trump administration. “We told election officials, basically, that you should assume that this information is already available. Now we know it does and we don’t know what they’re going to do with it.
Copies of the software came from voting equipment in Mesa County, Colorado, and County Antrim, Michigan, where Trump allies filed a lawsuit to challenge last fall’s results unsuccessfully.
Dominion software is used in about 30 states, including the counties of California, Georgia and Michigan.
Election security pioneer Harri Hursti was at the event in South Dakota and said he and other researchers in attendance received three separate copies of election management systems running on Dominion software. Data indicated that they were from Antrim and Mesa counties. While it is not clear how the copies were released at the event, they were posted online and made available for public download.
The statement gives hackers a “convenient environment” to research vulnerabilities they could exploit and a roadmap to avoid defenses, Hursti said. All hackers would need is physical access to the systems, as they are not supposed to be connected to the internet.
“The door is now wide open,” said Hursti. “The only question is, how do you sneak in the door?”
A Dominion representative declined to comment, citing an investigation.
US election technology is dominated by just three vendors representing 90% of the market, meaning election officials cannot easily replace their existing technology. Releasing copies of the software essentially provides a model for those who try to interfere with the conduct of elections. They could sabotage the system, change the design of the ballot, or even try to change the results, said Election technology expert Kevin Skoglund.
“This disclosure increases both the likelihood of something happening and the impact of what would happen if it did,” he said.
Republicans’ effort to examine voting materials began shortly after the November presidential election as Trump contested the results and blamed his loss on widespread fraud, even though there was no evidence of it.
Judges appointed by Democrats and Republicans, election officials from both parties and Trump’s own attorney general rejected the requests. A coalition of federal and state election officials called the 2020 election “the safest” in US history, and post-election audits across the country found no significant anomalies.
In County Antrim, a judge had authorized a forensic examination of voting materials after brief confusion over election results led to a fraud prosecution. He was fired in May. Hursti said the software version date matches the date of the forensic examination.
Appeals requesting information from the County Antrim clerk and the local prosecutor’s office were not immediately referred; an appeal to the judge’s office was referred to the county clerk. The Michigan Secretary of State’s office declined to comment.
In Colorado, federal, state and local authorities are investigating whether Mesa County election officials could have provided unauthorized people with access to their systems. County Elections Clerk Tina Peters appeared on stage with Lindell in South Dakota and told the crowd her office was being targeted by Democrats across the state.
Colorado Secretary of State Jena Griswold said she alerted federal election security officials to the violation and was told it was not seen as a “significant increase in the landscape electoral risks at this stage “. Last week, Mesa County Commissioners voted to replace the voting materials Griswold had ordered that could no longer be used.
Geoff Hale, who heads election security efforts at the U.S. Cyber and Infrastructure Security Agency, said his agency has always operated on the premise that vulnerabilities in the system are known to malicious actors. Rather, election officials are focusing on ways to reduce risk, such as using ballots with a paper file that can be verified by the voter and rigorous post-election audits, Hale said.
He said publicly exposing Dominion’s software does not change the agency’s guidelines.
Security researcher Jack Cable said he assumed American adversaries already had access to the software. He said he was more concerned that the release might fuel the suspicion of the growing number of people reluctant to believe in the safety of the US election.
“It’s a concern that people, looking to show that the system is insecure, actually make it more dangerous,” said Cable, who recently joined a cybersecurity company run by the former CISA director. Christopher Krebs and former Facebook security chief Alex. Stamos.
Concerns over access to voting machines and software first surfaced this year in Arizona, where the Republican-controlled State Senate hired Cyber Ninjas, a company with no previous electoral experience, to auditing the Maricopa County elections. The company’s chief executive also tweeted his support for conspiracy theories surrounding last year’s election.
After the county’s Dominion voting systems were turned over to the company, Arizona’s top election official determined they could never be used again and ordered the county to purchase new ones.
Dominion has filed lawsuits challenging various unfounded allegations about its systems. In May, he called accessing his Cyber Ninjas code “reckless,” given the company’s bias, and said it would cause “irreparable damage” to election security.
Election security and technology expert Ryan Macias, in Arizona earlier this year to observe this review, was alarmed by the lack of cybersecurity protocols. There was no information on who had access, whether these people had passed background checks or had been asked to sign non-disclosure agreements.
Cyber Ninjas did not respond to an email with questions about the exam and their security protocols.
Macias was not surprised to learn that copies of County Antrim’s Election Management System had surfaced online given the dubious motivations of the various groups leading the exams and the central role that voting systems have. played in conspiracy theories.
“This is what I predicted would happen, and I predict it will happen once again from Arizona,” Macias said. “These actors have no responsibility and no rules of engagement.”