GOP election outcry led to breaches
Security experts say hacks pose risk to future races
ATLANTA — Republican efforts questioning the outcome of the 2020 presidential race have led to voting system breaches that election security experts say pose a heightened risk to future elections.
Copies of the Dominion Voting Systems software used to manage elections — from designing ballots to configuring voting machines and tallying results — were distributed at an event this month in South Dakota organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year’s election.
“It’s a game-changer in that the environment we have talked about existing now is a reality,” said Matt Masterson, a former top election security official in the Trump administration. “We told election officials, essentially, that you should assume this information is already out there. Now we know it is, and we don’t know what they are going to do with it.”
The software copies came from voting equipment in Mesa County, Colorado, and Antrim County, Michigan, where Trump allies had sue unsuccessfully challenging the results from last fall.
The Dominion software is used in some 30 states, including counties in California, Georgia and Michigan.
Election security pioneer Harri Hursti was at the South Dakota event and said he and other researchers in attendance were provided three separate copies of election management systems that run on the Dominion software. The data indicated they were from Antrim and Mesa counties. While it’s not clear how the copies came to be released at the event, they were made available for public download.
The release gives hackers a “practice environment” to probe for vulnerabilities they could exploit and a road map to avoid defenses, Hursti said. All the hackers would need is physical access to the systems because they are not supposed to be connected to the internet.
A Dominion representative declined comment, citing an investigation.
U.S. election technology is dominated by just three vendors comprising 90% of the market, meaning election officials cannot easily swap out their existing technology. Release of the software copies essentially provides a blueprint for those trying to interfere with how elections are run. They could sabotage the system, alter the ballot design or even try to change results, said election technology expert Kevin Skoglund.
“This disclosure increases both the likelihood that something happens and the impact of what would happen if it does,” he said.
The effort by Republicans to examine voting equipment began soon after the November presidential election as Trump challenged the results and blamed his loss on widespread fraud, even though there has been no evidence of it.
Judges appointed by both Democrats and Republicans, election officials of both parties and Trump’s own attorney general have dismissed the claims. A coalition of federal and state election officials called the 2020 election the “most secure” in U.S. history, and postelection audits across the country found no significant anomalies.
In Antrim County, a judge had allowed a forensic exam of voting equipment after a brief mix-up of election results led to a suit alleging fraud. It was dismissed in May. Hursti said the date on the software release matches the date of the forensic exam.
Calls seeking information from Antrim County’s clerk and the local prosecutor’s office were not immediately returned; a call to the judge’s office was referred to the county clerk. The Michigan secretary of state’s office declined comment.
In Colorado, federal, state and local authorities are investigating whether Mesa County elections staff might have provided unauthorized individuals access to their systems. The county elections clerk, Tina Peters, appeared onstage with Lindell in South Dakota and told the crowd her office was being targeted by Democrats in the state.
Colorado Secretary of State Jena Griswold said she alerted federal election security officials of the breach and was told it was not viewed as a “significant heightening of the election risk landscape at this point.” This past week, Mesa County commissioners voted to replace voting equipment that Griswold had ordered could no longer be used.
Geoff Hale, who leads the election security effort at the U.S. Cybersecurity and Infrastructure Security Agency, said his agency has always operated on the assumption that system vulnerabilities are known by malicious actors. Election officials are focused instead on ways they can reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous postelection audits, Hale said.
He said having Dominion’s software exposed publicly doesn’t change the agency’s guidance.
Security researcher Jack Cable said he assumes U.S. adversaries already had access to the software. He said he is more concerned the release would fan distrust among the growing number of people not inclined to believe in the security of U.S elections.