The Atlanta Journal-Constitution

Voting software vulnerable in some states, cyber agency says

- By Kate Brumback

Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency said in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems’ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “states’ standard election security procedures would detect exploitation of these vulnerabilities and, in many cases, would prevent attempts entirely.” Yet the advisory seems to suggest states aren’t doing enough. It urges prompt mitigation measures, including both continued and enhanced “defensive measures to reduce the risk of exploitation of these vulnerabilities.” Those measures need to be applied ahead of every election, the advisory said, and it’s clear that’s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

“These vulnerabilities, for the most part, are not ones that could be easily exploited by someone who walks in off the street, but they are things that we should worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would carry very serious consequences,” Halderman told the AP.

Concerns about possible meddling by election insiders recently were underscored with the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official. Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She also recently was barred from overseeing this year’s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the
