Cyber agency releases voting tech advisory
Activists: CISA weakens security recommendation
ATLANTA – The nation’s leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes.
The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ Imagecast X touchscreen voting machines, which produce a paper ballot or record votes electronically.
The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”
Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.
The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.
The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained
by watchdog Verified Voting. In most of those places, they are used only for people who can’t physically fill out a paper ballot by hand. But in some places, including Georgia, almost all inperson voting is done on the affected machines.
Dominion has defended the machines as “accurate and secure.”
As they’re used in Georgia, the machines print a paper ballot that includes a bar code – known as a QR code – and a human-readable summary of the voter’s selections. The votes are tallied by a scanner that reads the bar code. Security experts have warned the QR codes could be manipulated to reflect different votes than the voter intended.
A full-face ballot looks like a handmarked paper ballot with all of the choices for each race listed and a bubble next to the voter’s choice filled in by the machine. A summary ballot, in contrast,
lists only the voter’s selection for each race.
The recommendation to use fullface ballots rather than summary ballots with QR codes is not included in the final version of the advisory released Friday. Instead, after noting that the vulnerabilities could be exploited to change the bar code so it doesn’t match a voter’s selections, it includes a note in parentheses that says, “If states and jurisdictions so choose, the Imagecast X provides the configuration option to produce ballots that do not print bar codes for tabulation.”
Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes.