Written by Arbitrage • 2021-09-05 00:00:00
Republican efforts questioning the outcome of the 2020 presidential race have led to voting system breaches that election security experts say pose a heightened risk to future elections. Copies of the Dominion Voting Systems software used to manage elections - from designing ballots to configuring voting machines and tallying results - were distributed at an event this month in South Dakota organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year's election. The software copies came from voting equipment in Mesa County, Colorado, and Antrim County, Michigan, where Trump allies had sue unsuccessfully challenging the results from last fall. The Dominion software is used in some 30 states, including counties in California, Georgia, and Michigan.
Election security pioneer Harri Hursti was at the South Dakota event and said he and other researchers in attendance were provided three separate copies of election management systems that run on the Dominion software. The data indicated they were from Antrim and Mesa counties. While it is not clear how the copies came to be released at the event, they were posted online and made available for public download. The release gives hackers a "practice environment" to probe for vulnerabilities they could exploit and a road map to avoid defenses, Hursti said. All the hackers would need is physical access to the systems because they are not supposed to be connected to the internet.
U.S. election technology is dominated by just three vendors comprising 90% of the market, meaning election officials cannot easily swap out their existing technology. Release of the software copies essentially provides a blueprint for those trying to interfere with how elections are run. They could sabotage the system, alter the ballot design, or even try to change results.
The effort by Republicans to examine voting equipment began soon after the November presidential election as Trump challenged the results and blamed his loss on widespread fraud, even though there has been no evidence of it. Judges appointed by both Democrats and Republicans, election officials of both parties, and Trump's own attorney general have dismissed the claims. A coalition of federal and state election officials called the 2020 election the "most secure" in U.S. history, and post-election audits across the country found no significant anomalies.
In Antrim County, a judge had allowed a forensic exam of voting equipment after a brief mix-up of election results led to a suit alleging fraud. It was dismissed in May. Hursti said the date on the software release matches the date of the forensic exam. Calls seeking information from Antrim County's clerk and the local prosecutor's office were not immediately returned; a call to the judge's office was referred to the county clerk. The Michigan secretary of state's office declined comment.
In Colorado, federal, state, and local authorities are investigating whether Mesa County elections staff might have provided unauthorized individuals access to their systems. The county elections clerk, Tina Peters, appeared onstage with Lindell in South Dakota and told the crowd her office was being targeted by Democrats in the state.
Geoff Hale, who leads the election security effort at the U.S. Cybersecurity and Infrastructure Security Agency, said his agency has always operated on the assumption that system vulnerabilities are known by malicious actors. Election officials are focused instead on ways they can reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous post-election audits, Hale said. He said having Dominion's software exposed publicly doesn't change the agency's guidance. Security researcher Jack Cable said he assumes U.S. adversaries already had access to the software. He said he is more concerned the release would fan distrust among the growing number of people not inclined to believe in the security of U.S elections.
Concerns over access to voting machines and software first surfaced this year in Arizona, where the Republican-controlled state Senate hired Cyber Ninjas, a firm with no previous election experience, to audit the Maricopa County election. The firm's chief executive also had tweeted support of conspiracy theories surrounding last year's election. After the county's Dominion voting systems were turned over to the firm, Arizona's top election official said they could not be used again. The GOP-controlled Maricopa County Board of Supervisors voted in July to replace them.
Dominion has filed suits contesting various unfounded claims about its systems. In May, it called giving Cyber Ninjas access to its code "reckless," given the firm's bias, and said it would cause "irreparable damage" to election security. Election technology and security expert Ryan Macias, in Arizona earlier this year to observe that review, was alarmed by a lack of cybersecurity protocols. There was no information about who was given access, whether those people had passed background checks or were asked to sign nondisclosure agreements. Cyber Ninjas did not respond to an email with questions about the review and their security protocols.