We have been reporting for at least two years now on the analysis by the plaintiffs' expert in a Georgia voting system lawsuit said to reveal vulnerabilities so alarming that the U.S. District Court judge overseeing the federal case actually sealed the report, even from the plaintiffs themselves! On today's BradCast, that report is finally unsealed. [Audio link to full show follows below this summary.]
But, first up, just a quick reminder of what some folks on the right seem willing to do to try and game elections anyway they can possibly think of, even if it involves the Republican candidate for Secretary of State in Michigan using nonsense claims to sue to prevent voters in the state's largest city (Detroit) from being allowed to vote by mail. That's what Trump-endorsed SoS candidate Kristina Karamo did last year, before losing to the incumbent Sec. of State Jocelyn Benson by nearly 15 points. After losing, the conspiracy theorist Karamo "failed up" to be elected as GOP state chair. And, this week, she and several top state Republican lawyers and candidates were sanctioned for more than $58,000 for their wildly frivolous attempt to use the state courts to steal the 2022 election.
Meanwhile, some of us actual election integrity advocates continue to fight for actual election integrity that doesn't prevent any legal voter from casting a vote, and that attempts to make sure that all of those votes are known to have been counted as per every voter's intent.
Which brings us back to Georgia once again today, and the lawsuit that we have been covering for years now. In 2019 it resulted in a federal judge banning the state's 20-year old Diebold touchscreens after finding them to be (as we'd long argued), insecure and unverifiable. Shamefully, the state's Republican Sec. of State Brad Raffensperger defied the no-uncertain-terms advice from the nation's top voting system and cybersecurity experts and replaced them with new unverifiable touchscreen systems in 2020, rather than a simple, inexpensive, verifiable hand-marked paper ballot systems. Instead, Raffensperger purchased a $150 million touchscreen system made by Dominion with many of the very same vulnerabilities as the state's old Diebold touchscreens.
Frequent BradCast guest, Marilyn Marks of Coalition for Good Governance, a plaintiff in the case that succeeded in banning the old Diebold systems, expanded the suit to challenge Raffensperger's new Dominion systems, seeking to ban them as well (other than for disabled voters who wish to use them) in favor of hand-marked paper ballots. The expert for plaintiffs in the so-called Curling case, Dr. J. Alex Halderman of the University of Michigan, was then allowed to examine the new Dominion touchscreen Ballot Marking Device (BMD) systems. His report, however, finding multiple vulnerabilities was said to be so damning that it was sealed by U.S. District Judge Amy Totenberg and kept from both plaintiffs and the public for the past two years.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) --- which oversees the nation's critical infrastructure, including computerized voting and tabulation systems --- was allowed to review Halderman's sealed report last year. They were so alarmed they issued an advisory citing “vulnerabilities...that should be mitigated as soon as possible.” And yet, as we reported exclusively on The BradCast last month, even though Dominion has now completed and certified the necessary upgrades, Raffensperger's office has told Judge Totenberg that they plan to wait until 2025 --- after the critical 2024 Presidential election in the battleground state --- to install the security enhancements on the state's 35,000 voting machines and more than 35,000 printers, scanners, and election management computers that support them.
All of that is made even more alarming by the fact that the day after the January 6th 2021 insurrection at the U.S. Capitol --- as we have also been reporting on in detail over the past year --- a group of MAGA folks, organized by Trump attorney Sidney Powell, were allowed by members of Georgia's Republican Party and the Coffee County Board of Elections to breach the Dominion voting systems in the small rural county to make unlawful copies of the system software before distributing it over the Internet. It was part of a multi-state scheme that we now know to have been hatched in Trump's Oval Office in December of 2020. The matter is believed to be under investigation as part of the broad conspiracy probe by Fulton County D.A. Fani Willis into Trump's efforts to steal the state's election in 2020. But, in the meantime, the Coffee County breach has allowed these lawless rightwingers to find and potentially plan to exploit all of the vulnerabilities that Halderman discovered and lawfully documented two years ago.
These same flawed Dominion systems are also now used in more than a dozen states, though only Georgia mandates that every county use the same system and requires that every voter at every polling place cast their vote on one of these terrible, unverifiable touchscreens.
Which brings us to today's very big news. The U.S. District Judge overseeing the Curling case has finally allowed Halderman's report to be unsealed! It is now posted here along with a simplified, summarized analysis of his own report that he has now published here. The Coalition for Good Governance's press release and additional context on the unsealing is here. (They all take care to note that Halderman's report neither alleges nor supports any claims of election fraud in the 2020 election.)
Among just some of the report's disturbing findings, according to Halderman today: "We discovered vulnerabilities in nearly every part of the system ... The most critical problem we found is [a] vulnerability that can be exploited to spread malware from a county's central election management system to every BMD [touchscreen Ballot Marking Device] in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them."
He adds, "Our report explains how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia."
One vulnerability allows an attacker to simply place a USB drive into a slot to install malicious code that could modify the election definition file to change election results. Another allows voters to print as many ballots as they like. Another allows malware to change both QRCodes printed on the ballots, which are used by the system to tally votes, and to even change the text of the printed ballots themselves.
We're joined today to discuss all of this by longtime cybersecurity and voting system expert RICHARD DEMILLO, professor at the Georgia Institute of Technology, where he recently founded Georgia Tech's new School of Cybersecurity and Privacy. He formerly served as Chief Technology Officer at Hewlett-Packard, in a leadership position at the National Science Foundation, and on the board of the Verified Voting Foundation. He has also advised plaintiffs in the Curling case.
"What we learned," from Halderman's report, he tells me today, "is that these voting machines are approximately like every other computer that we have in our daily lives. They don't work all the time, they're subject to being hacked, they get misconfigured easily, they get lost, they get stolen, sometimes people use them for illegal activities. And all the assurances that we have from voting machine companies and Secretaries of State --- about how well these machines are curated, vetted and tested --- is what experts have known all along as just a bunch of crap."
"The level of naivete, I think, involved in managing this technology is mind-boggling," DeMillo argues, citing Raffensperger's resistance to hardening the systems --- or, better yet, moving to hand-marked paper ballots --- "as a personal affront to his abilities."
"The headline here is that the things that you worry about --- and, kind of embarrassingly, the things that the election deniers are setting their hair on fire about --- is pretty close to what the vulnerability is. With modest capabilities, someone who had resources could attack, in the case of Georgia on a statewide basis, and install malware that could change votes."
"The Sec. of State's office in Georgia is tied emotionally to this idea of Ballot Marking Devices," says DeMillo. "You would think that saner minds would prevail and they would step back and say 'Why don't we move to a technology that is safer? We know how to manage the risk that is hand-marked paper ballots.' Which, by the way, 70% of Americans use to cast their votes anyway."
So, will unsealing Halderman's report make the system more vulnerable or less so? That, and much more, is part of today's must-listen conversation with DeMillo...
(Snail mail support to "Brad Friedman, 7095 Hollywood Blvd., #594 Los Angeles, CA 90028" always welcome too!)