There is a dubious quote, allegedly attributed to Joseph Stalin, that says “It doesn’t matter how many people vote, only who counts them.”  Voting integrity is a solemn guarantee in many countries.  Alleged irregularities in the US 2020 Presidential election, involving the Dominion voting machines, have raised serious doubts about voting integrity.  A US federal cybersecurity agency is currently reviewing a report that alleges security vulnerabilities in voting machines used by Georgia and other states and says the document should not be made public until the agency has had time to assess and mitigate potential risks.  The report has been under seal since July 2021 in US federal court in Atlanta, part of a long-running lawsuit challenging Georgia’s voting machines.  Its author said in a sworn declaration filed publicly with the court that he examined the Dominion Voting Systems machines for 12 weeks and identified “multiple severe security flaws” that would allow bad actors to install malicious software.

Plaintiffs in the case, who are election security advocates and individual voters, have for months called for the release of a redacted version of the report and urged that it be shared with state and federal election security officials.  Lawyers for the State of Georgia had repeatedly objected to those requests, but its Secretary of State last month put out a news release calling for its release.  A US District Judge agreed on 02 February 2022 that the report could be shared with the US Cybersecurity and Infrastructure Agency, or CISA.  CISA said in a court filing last week it would work with the plaintiff and Dominion to analyze potential vulnerabilities, develop any necessary mitigation measures and work with jurisdictions that use the machines to test and apply any protections.  CISA said it would complete its “coordinated vulnerability disclosure” process as quickly as possible but urged the judge not to release the report before it is completed, saying “premature disclosure of [this] report, even in redacted form, could, in the event any vulnerabilities ultimately are identified, assist malicious actors and thereby undermine election security.”

The report was initially designated “attorneys’ eyes only,” meaning even the actual parties to the lawsuit could not see it; only their lawyers and expert witnesses could review it.  The plaintiff, a voting technology specialist and director of the University of Michigan’s Center for Computer Security and Society, urged the court to make his findings public in a limited and responsible way so that problems could be addressed.  He has reportedly seen no evidence that the machines’ vulnerabilities were used to tamper with the 2020 election, but he said, “there remain serious risks that policymakers and the public need to be aware of.”  The judge has resisted making the report public, saying she too is concerned it could be exploited by attackers.

A news release was issued on 27 January 2022 while the lawyers in the case were on a conference call.  Noting that all parties in the case had come to agree that the report should be made public, an attorney for the plaintiffs asked the judge to release a version redacted by experts to exclude details showing how hacks could be carried out.  During a 02 February 2022 phone call, the federal judge agreed that the report could be released to CISA but did not immediately decide whether it could otherwise be made public.  She instructed the parties to talk with the federal agency to get information about its review, saying she wanted to know whether CISA would provide any guidance as to what should and shouldn’t be disclosed.

Lawyers for the plaintiffs suggested that the court make a redacted version of the report public 30 days after CISA received the unredacted version.  A lawyer for the state did not object to CISA getting the report, but said the public release should not be delayed, arguing that keeping it sealed undermines confidence in the election system.  The GA Secretary of State said during a recent Atlanta Press Club event that the plaintiff had unlimited access to the touchscreen ballot-marking machines and was given the security codes, so he was not operating in “the real world.”  The plaintiff wrote in a declaration for the court that attackers could install malicious software “either with temporary physical access (such as that of voters in the polling place) or remotely from election management systems.”

The lawsuit alleges that Georgia’s voting machines are not secure and should be replaced with hand-marked paper ballots. The expert witness for the plaintiffs is a staunch supporter of hand-marked paper ballots.  Others have also sought access to the report.  The federal judge last month rejected a request for access from the secretary of state in Louisiana, which uses the Dominion system for early voting.  She has not yet ruled on media requests for access from Fox News and One America News, both of which are facing defamation suits filed by Dominion.

CISA said in its court filing that it “understands and shares the parties’ urgency with completing this work and will prioritize its completion as expeditiously as possible.”  It proposed that it would notify the court within 30 days about its progress, its timeline and its thoughts on the “scope and information to be included in a future public disclosure.”    

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

source: https://www.securityweek.com/feds-oppose-immediate-release-voting-machine-report
