Activists say cyber agency weakens voting tech safety
CISA: No evidence vulnerabilities were exploited in elections
ATLANTA – The nation’s leading cybersecurity agency on Friday released a final version of an advisory, previously sent to state officials, on voting machine vulnerabilities in Georgia and other states. Voting integrity activists say the final version weakens a security recommendation on using barcodes to tally votes.
The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”
Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.
The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.
The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained by watchdog Verified Voting.
In most of those places, they are used only for people who can’t physically fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person voting is done on the affected machines.
Dominion has defended the machines as “accurate and secure.”
As they’re used in Georgia, the machines print a paper ballot that includes a bar code – known as a QR code – and a human-readable summary of the voter’s selections. The votes are tallied by a scanner that reads the bar code. Security experts have warned that the QR codes could be manipulated to reflect different votes than the voter intended.
A previous version of the advisory sent to election officials said, “When bar codes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the bar code is inconsistent with the human-readable portion of the paper ballot.” To reduce that risk, the advisory suggested that jurisdictions configure the machines, where possible, to “produce traditional, full-face ballots, rather than summary ballots with QR codes.”
A full-face ballot looks like a hand-marked paper ballot with all of the choices for each race listed and a bubble next to the voter’s choice filled in by the machine. A summary ballot, in contrast, lists only the voter’s selection for each race.
The recommendation to use full-face ballots rather than summary ballots with QR codes is not included in the final version of the advisory released Friday.
Instead, after noting that the vulnerabilities could be exploited to change the bar code so it doesn’t match a voter’s selections, it includes a note in parentheses that says, “If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print bar codes for tabulation.”
Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes.
Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the lawsuit that led to Halderman’s examination of the machines, said it appears that CISA bent to political pressure to dilute the recommendation.
“It’s gravely concerning that self-serving election officials can muscle their way through CISA to dilute the agency’s compelling essential security measure to remove bar code votes from ballots – a needless, severe vulnerability that puts millions of voters’ votes at risk,” she said.
A CISA spokesman said the change was not based on complaints from any party and said that when the agency is alerted to potential vulnerabilities, it’s common to update an advisory as it works with researchers, vendors and other partners to provide information on mitigation measures.