National Security

DHS Cyber Office Wants to See Secret Voting Machine Vulnerability Report

Streisand Effect

After a cybersecurity researcher wrote a report about potential vulnerabilities in voting machines, and a judge locked up the report, a government official now wants to read it.

210927-georgia-vote-machine-tease-01_s5ikbh
Bloomberg

A cybersecurity official at the Department of Homeland Security has shown interest in seeing a copy of a report alleging “severe” vulnerabilities in Georgia’s voting machines—a report that a federal judge has decided to keep secret.

As The Daily Beast reported last month, U.S. District Judge Amy Totenberg ordered the report—authored by a renowned computer security academic—to remain sealed. Although the report only discusses the potential for future election interference, her restrictions appear to be driven by a desire to avoid fueling unfounded right-wing conspiracy theories that Donald Trump beat Joe Biden in 2020.

But now the Streisand effect is in full swing, as the report’s secrecy is attracting even more attention from two camps: the federal agency tasked with helping protect elections and state election officials around the country who are also relying on these machines in certain jurisdictions.

ADVERTISEMENT

According to an email exchange filed in court documents, University of Michigan computer science professor J. Alex Halderman reached out directly to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) one week after The Daily Beast’s reporting and quickly heard back from the department’s election security director.

“Yes, CISA would be willing to receive the report regarding possible vulnerabilities in election infrastructure,” wrote Geoffrey Hale, who leads the agency’s so-called “Election Security Initiative,” according to the court filing.

Hale said his government agency was ready to do its own analysis of the supposed vulnerabilities that Halderman found in the Dominion ICX voting machines, which are used across Georgia and in several localities in other states. And he made clear that if government computer experts found the threats to be valid and in need of fixes, the agency would disclose the flaws to elections officials nationwide and help the manufacturer patch the holes.

Halderman has since filed a copy of his email exchange with CISA in federal court before Judge Totenberg, pleading for the judge to lift her restrictions and allow the federal government to review his report.

“Continuing to withhold my report from CISA puts voters and election outcomes in numerous states at unnecessary, and avoidable, risk,” Halderman wrote in a signed declaration on Sept. 21.

Election officials in Ohio and Louisiana, where the machines are slated to be used in the next year, are also interested in learning more about the flaws alleged in the report. Rob Nichols, press secretary for Ohio Secretary of State Frank LaRose, told The Daily Beast that his office thinks making this information more readily accessible would be helpful. “We think more information out there is better,” Nichols told The Daily Beast—adding his office is not asking for the report to be unsealed.

Louisiana’s deputy secretary of state for communications told The Daily Beast that although the secretary of state is unaware of the contents of Halderman’s report, they would “welcome the opportunity to review his findings.”

Missouri Secretary of State John “Jay” Ashcroft told The Daily Beast he has heard about the allegations of vulnerabilities and is watching the case, although he hasn’t seen the report and hasn’t found any issue with the Dominion machines in Missouri. "We’ve looked into our equipment and can’t find anything that concerns us,” Ashcroft said.

Moving forward, Ashcroft is keeping an eye on the case and although he is not making moves to gain access to the report, he would be supportive of a CISA vulnerability disclosure process should it come to that, he says.

“Right now our approach is just to watch it,” Ashcroft told The Daily Beast. “If we get closer to elections we may have to change that posture depending upon what is alleged,” Ashcroft said, adding that for now the most important next step is to move to a paper ballot system so there’s no question about hackers meddling.

In a statement, CISA’s Hale confirmed to The Daily Beast that his team is prepared to work with Halderman. “CISA works regularly with companies and researchers to coordinate the disclosure of vulnerabilities in a timely and responsible manner so that system owners can take steps to protect their systems,” Hale said “This process includes the participants working to validate any alleged vulnerabilities and reviewing the planned mitigations, remediations or patches.”

But for now, the report is still sealed, preventing the vendor from rectifying any vulnerabilities the researcher has found. In court filings, Halderman says he has reached out on multiple occasions to Dominion to address the flaws to no avail.

Georgia, Ohio, Missouri, and Louisiana aren’t the only states that have skin in the game. According to Verified Voting, more than a dozen states are preparing to use the machines in some elections in the next year, including Alaska, Arizona, California, Colorado, Illinois, Kansas, Michigan, Nevada, New Jersey, Ohio, Pennsylvania, Tennessee, and Washington state.

Frankly, I’m deeply disturbed and concerned by the facts that neither the Georgia Secretary of State’s Office nor Dominion have asked for the content of the report.
Philip Stark, statistician at University of California Berkeley

Officials from election divisions in Alaska, Illinois, Michigan, and Pennsylvania said they couldn’t comment on the report, some adding that they couldn’t comment without knowing more about what was in the report. Other election divisions did not immediately return requests for comment.

Georgia appears to be the only state employing this technology statewide, according to Verified Voting. Other election divisions have plans to offer these particular “ballot-marking devices” in a limited number of precincts or as an accessible option for those with disabilities.

The Daily Beast has not accessed Halderman’s 25,000-word report and cannot verify the validity of its findings. But according to three sources familiar with its contents, the report details how a single hacker can easily develop malware and that could then be deployed to machines in private voting booths by people without technical skills. There is no allegation, however, that anyone has actually broken into any one of these machines and affected any votes during an actual election.

In court filings, Halderman has alleged that the machines in question “suffer from specific, highly exploitable vulnerabilities that allow attackers to change votes despite the state’s purported defenses,” if they use a specially crafted malware.

In a public summary of his findings, Halderman described how Dominion ICX voting machines can be reprogrammed to make particular candidates win by incorrectly recording a voter’s selections. And voters wouldn’t know their selections had changed, because the text on a printed ballot would still reflect their actual picks—while the QR code that actually gets scanned and tabulated by the state would reflect the altered choices.

Beyond concerns about the information fueling any election conspiracy theorists, when allegations of severe vulnerabilities in voting machines surface, concerns abound that foreign or domestic actors might take advantage of the details of the flaws if they become public and use them as a blueprint for their own nefarious purposes, such as meddling with elections, Halderman notes.

But if CISA were granted access to the report, a responsible disclosure—which would keep information from prying eyes and those with nefarious intentions—could proceed without letting the information fall into the wrong hands, experts say.

And anyone concerned about election security should lean towards transparency on security flaws—however groundbreaking they are—so they can be addressed, experts told The Daily Beast.

Federal judges aren’t typically in a position to severely restrict access to a cybersecurity researcher’s report about software vulnerabilities, due to First Amendment freedoms often asserted by hackers who find flaws. The relationship between tech corporations and the cybersecurity community has matured to the point where there is an established and professional vulnerability disclosure process, in which researchers regularly inform software designers about flaws they find in order for fixes to be made quickly and keep them out of the wrong hands.

But in this instance, Halderman received privileged access to a Dominion voting machine for several months due to his role serving as an expert witness for election integrity groups who have sued to replace Georgia’s voting machines. That means he and other cybersecurity experts must abide by the restrictions developed by Judge Totenberg, who is presiding over the court battle. So far, she has directed that Halderman’s report remain “attorneys’ eyes only,” meaning that Georgia elections officials and Dominion must request access to see its contents.

Halderman’s most recent letter, though, makes an alarming point: Georgia’s elections officials and Dominion have yet to even read his secret report—and attorneys representing the Secretary of State’s office acknowledged as much in a hearing last month.

Philip Stark, a University of California Berkeley statistician who is among the few experts that has been allowed to review the secret report, expressed extreme concern that state officials and the manufacturer would choose to remain in the dark.

“Frankly, I’m deeply disturbed and concerned by the facts that neither the Georgia Secretary of State’s Office nor Dominion have asked for the content of the report,” Stark told The Daily Beast. “For them to stick their heads in the sand is not a good look.”

Georgia’s Secretary of State’s Office did not respond to a request for comment on Monday.

The Daily Beast’s Aug. 13 report revealed that a secret audio recording caught the state agency’s chief operating officer, Gabriel Sterling, telling a group of attendees at a local professional luncheon that he thinks “Halderman’s report is a load of crap.”

However, Carey Miller, an attorney representing the Georgian state agency, clarified in a court hearing a week later on Aug. 19 that Sterling had actually not read the secret report.

“Our clients have not viewed Dr. Halderman’s report,” Miller said, adding that the state official was actually referring to another letter by the security researcher.

In the meantime, David Cross, an attorney representing the election integrity groups against Georgia, warned that inaction so far by Georgia and Dominion make it even more pivotal that the judge allow the feds to review Halderman’s secret report.

“The state is doing nothing to address these issues… my guess is, [the state doesn't] don’t want to know. Dominion is the same way. Because if it knows, then it's got disclosure requirements in every state that uses their equipment,” he said. “They don’t want CISA to get it, because CISA is going to say, ‘Jesus, this is a serious problem.’”

A Dominion spokesperson said that it has made offers—which were denied—to meet with Georgia officials and Halderman directly "to hear everything he has to say about supposed vulnerabilities."

"Cross knows it’s just plain false for him to say Dominion and Georgia election officials 'don’t want to know' what Halderman has to say about supposed vulnerabilities. He should stop playing games and let us have the meeting," the spokesperson said.

Cross explained that he has turned down meetings because the researcher would not be allowed to ask questions and the setting would be unnecessarily "confrontational."

Dominion's spokesperson did not say why the company would not read the report.