Will Election Deniers Again Try to Access Voting Systems?

The Coffee County elections office.Photograph by Elijah Nouvelage / The Washington Post / Getty 

On January 7, 2021, the day after the attempted coup, a team of computer forensic experts entered the elections office in Coffee County, Georgia, welcomed by the local elections supervisor. The team, who worked for an Atlanta-based company called SullivanStrickler, had been hired by Sidney Powell, one of Donald Trump’s lawyers. They were accompanied by an Atlanta bail bondsman named Scott Hall, who is reportedly a brother-in-law of David Bossie, a Trump campaign adviser. The then chair of the Coffee County G.O.P., Cathy Latham, who has been subpoenaed in connection with her role as one of sixteen fake electors in the state who signed an “unofficial electoral certificate” after the 2020 election, joined them as well. During the course of the day, the forensic experts copied election-machine software and 2020 voting data.

In March, 2021, during a recorded phone conversation with Marilyn Marks, the executive director of the Coalition for Good Governance—a nonprofit that works on election transparency and security—a man identified in court papers as Hall said, “We went in there and imaged every hard drive of every piece of equipment.” He added, “We basically had the entire elections committee there, and they said, ‘We give you permission. Go for it.’ ” (According to Marks, “The elections board was not there—only one member was there, and we believe that only one member was aware of the breach.”) The files were then copied for others to examine on a password-protected site. Because all Georgia counties use the same Dominion Voting Systems equipment, anyone with access to the Coffee County software had access to the election-management system of all voting machines in the state. At least a dozen states use the same Dominion system.

The extent of the breach didn’t come to light until surveillance video was obtained this past summer in the course of discovery for a lawsuit—Curling v. Raffensperger—that the Coalition for Good Governance had initiated, in 2017. The suit was brought by the group on behalf of the named plaintiff, Donna Curling, a resident of Fulton County, Georgia, and a member of the coalition, to compel the state of Georgia to abandon touch-screen electronic voting machines and switch to hand-marked paper ballots. (This was long before right-wing partisans, convinced that the 2020 election had been rigged, also began railing against computerized election equipment. Marks said that she began recording the conversation with Hall when he told her that his associates had obtained confidential files related to her group’s case.)

When the coalition brought the suit, Georgia was still using touch-screen computers under contract with Election Systems & Software, the country’s largest manufacturer of voting machines, which provided no voter-verifiable or auditable record of a voter’s choices. In 2019, the U.S. District Court judge Amy Totenberg ruled that the state needed to replace those machines before the 2020 election. Georgia switched to Dominion’s Democracy Suite ImageCast X, a different kind of computerized voting machine, known as a ballot-marking device. Marks’s organization continued to pursue the case because, although the new voting equipment provides voters with a paper document showing their ballot choices, it encodes those choices in a QR code that voters cannot read, and it is that code that is used to record the voters’ choices. Some computer scientists have suggested that it would be possible for a malicious actor to use the QR code to flip votes without the voters’ knowledge.

Judge Totenberg allowed an expert for the plaintiffs, J. Alex Halderman, a professor of computer science at the University of Michigan, to examine the ImageCast X machines and the software that undergirds them. A court order was required, because the Dominion software, like almost all software that runs our election systems, is proprietary to the company, which means that it is off-limits to outside investigators. After twelve weeks of study, in July of 2021, Halderman and a colleague produced a ninety-six-page, twenty-five-thousand-word report, identifying a number of serious vulnerabilities in the software that could potentially be exploited by people aiming to subvert an election. Totenberg then sealed the report to all but the lawyers for both sides and their experts in the litigation, in part so as not to further the stolen-election narrative. Halderman, for his part, has repeatedly explained that, just because a system has flaws, it doesn’t mean that those flaws have been used to change votes; in fact, there is no evidence that the flaws have been exploited in Georgia or anywhere else.

The Cybersecurity and Infrastructure Security Agency (CISA), the arm of the Department of Homeland Security (D.H.S.) charged with overseeing election security, was given a copy of Halderman’s report to review, and found it sufficiently concerning that, this past June, it issued a security advisory to election personnel across the country, warning them of nine of the vulnerabilities it outlined. Perhaps to lessen public concern, the authors of the advisory pointed out that the vulnerabilities could not be exploited unless an attacker had “physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices.”

When a reporter for the Atlanta Journal-Constitution asked Brad Raffensperger, the Georgia secretary of state and the defendant in the case, about the report, six months after it had been submitted to the court, he was dismissive. (Raffensperger had been given permission to read the report in November, 2021.) “Claiming you can break into a system after being given unfettered access”—by which he meant the access that Totenberg had given Halderman—“is like claiming you can break into a house after being given the keys and alarm codes,” Raffensperger said. (What neither he, nor the CISA officials, nor Halderman then knew, was that this was exactly what had happened months before, in January, 2021, at the Coffee County elections office. There is also video showing that, starting two weeks after the initial breach, other operatives affiliated with Stop the Steal were given access to the office, including Doug Logan, the C.E.O. of Cyber Ninjas, the company behind the discredited, partisan “audit” of Maricopa County, Arizona.)

Halderman told me that those who criticized his findings, as Raffensperger did—on the ground that they didn’t pertain because he had been handed the software and given months to study it—aren’t taking into account how hackers operate. “The way real attacks work isn’t that someone walks up to a computer terminal for the first time, without ever having seen the system before, and is suddenly entering pages of code that are going to make everything hacked,” he said. “Adversaries get access to systems, often by phishing attacks, and study them, usually at some leisure, and invent or discover ways to manipulate them with malicious code. It’s only later, when it’s time to strike, that an attacker would need some kind of access, maybe to insert a USB stick or send an e-mail with that malicious code attached.”

Even before the surveillance tape of the breach was discovered, there was strong evidence that something untoward had happened at the Coffee County elections office not long after the 2020 election. That December, the elections supervisor, who was sympathetic to Trump’s claim that he had been robbed of victory, posted a video to YouTube purporting to detail a scheme that would allow someone with administrative privileges to change votes. The video, which was widely circulated, inadvertently gave viewers an unobstructed view of the password to the county’s election-management system, which was taped to the supervisor’s computer. She resigned, under pressure—ostensibly for fudging time sheets, in February, 2021. In April, the new elections director found a business card for Doug Logan in the office. The director later alerted higher-ups at the state elections office and at the secretary of state’s office, but, according to his testimony in the Curling case, no one followed up with him.

Leave a Reply

Your email address will not be published. Required fields are marked *