Election security at center of voting software debate following recommendations to update

A report highlighting possible vulnerabilities in Dominion Voting Systems’s machines has spiraled into a conversation spanning multiple states over whether failing to update the software ahead of the 2024 election will compromise its security.

Vulnerabilities in Dominion’s software were identified by University of Michigan computer science professor Alex Halderman, who wrote a report in 2022 that found votes could be altered by someone who gained access to the voting equipment, such as a voter in a polling place or corrupt election officials.

NOVEMBER TO REMEMBER: SHEILA JACKSON LEE LEADS ROUNDUP OF INTRIGUING MAYORAL RACES

Halderman’s audit discovered nine vulnerabilities in Dominion’s software, each of which would require, to some extent, physical access to the electronic ballot systems. Fraudsters would also need a copy of the program’s software, which would be hard to obtain and even harder to decipher.

This caused a wide-ranging debate among election security experts and secretaries of state after some agencies determined that while there were some vulnerabilities, they found no evidence that the weaknesses had ever been exploited during an election cycle.

The controversy regarding the machines only grew after Georgia Secretary of State Brad Raffensperger said he would not update the state’s voting system, which has nearly 24,000 voting machines across 159 counties, and he called Halderman’s claims “theoretical and imaginary.” Raffensperger said the system was secure and “battle-tested” and that it would undergo health checks before the 2024 election, but the state does not have the bandwidth or time to update every machine.

Greater Georgia, a voter registration watchdog founded by former Republican Sen. Kelly Loeffler, is now going on the offense after Raffensperger’s decision not to update all the machines, saying it compromises election integrity and will financially affect Georgia’s taxpayers in the long run.

Loeffler said Raffensperger has shown “no urgency in fixing” the problem, “which invites every malign actor to come wreak havoc in our elections.”

“It’s somewhat provocative and antagonistic to people who believe that secure elections are important to say that we’re going to go through the 2024 presidential election, in which Georgia has been named the No. 1 battleground in the country and has the most voting machines, that we will not be updating them,” Loeffler said in an interview with the Washington Examiner.

“And the rationale given is that there is no time to do the work that they’ve known for two years, and four other states have already authorized the upgrade,” Loeffler added.

Other states choosing to update

Colorado, Michigan, and Washington are three states that have decided to upgrade Dominion’s voting software ahead of the 2024 election, according to certifications signed by the respective secretaries of state.

In most states, to be considered for voting updates, vendors must undergo federal laboratory testing to detect vulnerabilities and apply patches to any problems, whether they involve security or performance. Once testing shows that the voting system meets the state’s and the Federal Election Commission’s requirements, a vendor can submit an application to the secretary of state’s office for approval.

The Colorado secretary of state carries out software updates every two years, so the voting systems were updated on May 26, 2023. However, the office told the Washington Examiner that Colorado does not use the software package tested in Halderman’s report. The office said the expert who conducted the analysis had unlimited access to the machines and that the analysis itself used conditions that were unlikely to exist in the real world.

In Washington, Franklin County is the only one of 39 counties that uses Dominion’s voting software. Stuart Holmes, the director of elections, said in-person voting equipment was the “most vulnerable” because of who has access.

“It’s getting touched by people that are not election administrators, just people voting in person, and so there’s opportunities for bad actors to have access to that equipment,” Holmes said in an interview with the Washington Examiner. “And so that’s why it’s important for these reports and the [Elections Assistance Commission] and the good work they do to bring states together to be able to identify these, because even though Washington is a vote-by-mail state, we still have in-person voting centers in which these pieces of equipment are fielded in.”

Greater Georgia knocks Raffensperger’s out-of-office tendencies

Loeffler believes that the time Raffensperger has spent outside of his office over the last few years could have been spent directing teams to update the voting machines.

Data from an open records request from Greater Georgia provided to the Washington Examiner showed that Raffensperger had spent 42 days in his office, out of a possible 176 non-weekend/holiday calendar days, for an average of four hours a visit. Since 2021, Greater Georgia found that 70% of Raffensperger’s days were spent away from the office.

Loeffler believes that this information shows the time he spent outside of his office could have been spent directing teams to update the voting machines.

“We have a part-time secretary of state in a full-time role, which is not only unfair to voters, but it’s unfair to taxpayers, and Georgia’s taxpayers are now on the hook for $150 million contract for voting machines over 10 years that the secretary of state has refused responsibility to maintain,” Loeffler said.

Following pressure from election security experts, politicians, and advocates, Raffensperger approved the new version of Dominion’s software, which will be piloted in municipal elections in five counties this fall. The decision came after a closed-door election security meeting at the state Capitol between Raffensperger, Lt. Gov. Burt Jones (R-GA), and Republican state Senate leaders, the Atlanta Journal-Constitution reported.

Nevertheless, election officials aren’t planning a massive statewide rollout of the software, which encompasses tens of thousands of touchscreens and ballot scanners, until the software is thoroughly tested — and only after the 2024 presidential election.

However, Jason Torchinsky, a partner at the Holtzman Vogel law firm who specializes in campaign finance and election law, said the decision to not update all of the machines might not be as dramatic as some groups are making it out to be.

“I’m not aware of any legitimate election officer who thinks that there’s a voting machine security issue with software,” Torchinsky said in an interview with the Washington Examiner. “I mean, look, if you were able to connect your computer to a voting machine, might you be able to do something with it? Maybe, but you’d have to have a physical connection to the machine … which is unrealistic, on any kind of scale.”

He added that the slow rollout of the software updates sounds like typical secretary of state protocol to “roll things out in pieces, so I don’t have a statewide meltdown.”

“It’s not like updating your home PC and then you’re done, right? You’ve got to do updates, you’ve got to test everything, you got to make sure that the systems function, you know, and talk to each other and operate under load,” Torchinsky said. “I mean, it’s the people that think that running elections is just super easy and you flip a switch and it’s done — are not people who have ever run an election or been around the running of an election.”

Holmes said that when upgrading voting systems, a secretary of state’s office has to “plan backward,” particularly when it comes to training election workers to update, replace, and operate the equipment.

“And as you’re replacing all of your scanners, all of your printers the state of Georgia, if they are having to replace their in-person, accessible voting units, that’s very, very costly. And so it may be part of the equation. It’s just pure funding,” Holmes said. “But I think the other piece is the training side of it, as well.”

He also disagreed with Loeffler’s suggestion that an official’s time in office could have affected the software update rollout, saying that Raffensperger is “not the guy who personally implements the update.”

“That feels like a bit of a red herring kind of argument,” Torchinsky said.

Loeffler, however, said that the voting software updates should not be ignored for an argument of “low probability.”

“That’s often true of cybersecurity. Why do we do any of it? It is low probability, but the edge cases have extremely high economic and reputational and societal costs,” the former Georgia senator said. “And that’s what we’re protecting against, are the edge cases.”

“I don’t know anyone who manages cyber exposure by saying, ‘Well, it’s an outlier and we’re just going to ignore it,” she continued.

CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER

She added that updating the machines would ultimately instill confidence in elections for voters, particularly following the 2020 election when Republicans targeted Dominion Voting Systems as fraudulent following former President Donald Trump’s loss. One example is in Coffee County, where local election officials gave access to computer technicians working for Trump supporters. Four people involved in the Coffee County breach faced charges, one of whom has pleaded guilty.

“Taxpayers are asking him to do the job. We’re asking him to do the job,” Loeffler said of Raffensperger. “Make our elections secure and engender confidence so that people vote because at the end of the day, if people don’t vote, we will not have elections that reflect the will of the people.”