IE 11 is not supported. For an optimal experience visit our site on another browser.

Expert report fuels election doubts as Georgia waits to update voting software

A newly unsealed expert report arguing that Georgia’s Dominion voting machines are vulnerable to hacking is fueling election doubts in Georgia.
A voter wears a sticker that reads "I'm a Georgia Voter" at a polling station in Atlanta.
A voter wears a sticker that reads "I'm a Georgia Voter" at a polling station in Atlanta. Kevin D. Liles / Bloomberg via Getty Images file

A newly unsealed expert report arguing that Georgia’s Dominion Voting Systems machines are vulnerable to vote switching and hacking is raising alarms in Georgia, even as the state downplays the risks and their plans to mitigate them.

This week, a federal judge in Atlanta unsealed two reports in a federal court case over the use of Dominion ballot-marking devices in Georgia elections. One report, authored by University of Michigan computer science professor Alex Halderman for the plaintiffs in a federal court case seeking to block the use of Dominion machines in Georgia's elections, argued that the machines are critically vulnerable to hacking. The other, paid for by Dominion, argued the identified vulnerabilities were practically unlikely, while Georgia officials say they are exaggerated and unrealistic.

But federal authorities have identified the same vulnerabilities, and more than 20 cybersecurity experts rushed to defend Halderman's report this week. Some of the issues could be mitigated by upgrading the Dominion software, but Georgia officials say the upgrade is unrealistic — an enormous undertaking they won’t start until after the 2024 elections.

There is no evidence that hackers have attempted to exploit any of the identified vulnerabilities, or that any such hack has occurred in previous elections. But Georgia was at the center of election conspiracy theories advanced by President Donald Trump and his allies, many of whom singled out Dominion Voting Machines and claimed the election had been hacked. Fox News recently agreed to shell out $787 million to Dominion for advancing claims that Dominion voting machines had been rigged in the 2020 election.

Halderman was was given access to the voting machines by the federal judge in the case, and he argues in his report that the state’s ballot-marking devices are vulnerable to election fraud, including vote switching.

The warnings are stark, suggesting that Georgia’s voting machines could be manipulated by bad actors in mere minutes. Halderman argued that attackers could alter the QR codes on printed ballots, and install malware on individual voting machines “with only brief physical access.” They could attack the broader voting system if they have the same access as certain county-level election officials, his report said.

“My technical findings leave Georgia voters with greatly diminished grounds to be confident that the votes they cast on [the current Dominion ballot-marking devices] are secured, that their votes will be counted correctly, or that any future elections using Georgia’s [ballot-marking devices] will be reasonably secure from attack and produce correct results,” he wrote.

A second report, also unsealed by the judge, was authored by national security nonprofit MITRE. That group argued the hacks identified by Halderman were “operationally infeasible” based on normal voting practices, scale considerations, and adherence to strict security measures.

It’s a view shared by Georgia officials, who included the MITRE report in a press release that criticized Halderman's report.

"The Halderman report was the result of a computer scientist having complete access to the Dominion equipment and software for three months in a laboratory environment. It identified risks that are theoretical and imaginary. Our security measures are real and mitigate all of them," Georgia Secretary of State Brad Raffensperger wrote in a letter to state lawmakers, which Raffensperger's office shared with NBC News.

He continued: "Is it possible for a team of bad actors to break into Georgia’s 2,700 voting precincts, install malware that changes election outcomes on 35,000 pieces of equipment, and sneak back out — all the while being undetected and leaving no trace? I’ll put it this way: It’s more likely that I could win the lottery without buying a ticket."

Mike Hassinger, a spokesman for Raffensperger's office, said Friday that responding to this report all day felt like he was "stuck in a Dumb and Dumber paradox," referencing a character's response to a one in a million likelihood: "So, you're telling me there's a chance?"

Election cybersecurity experts have long struggled with how to characterize the vulnerabilities they find in voting equipment. Such flaws are usually rarely possible to exploit in an actual election, especially at a scale that could change results, and they can be used by election denialists as fuel for outlandish claims.

But the Halderman report’s findings of a vulnerability that could potentially scale to a county-wide level, combined with Georgia’s refusal to update the machines before 2024, has some experts particularly worried.

Mark Lindeman, policy and strategy director at election technology group Verified Voting, said Halderman’s identified vulnerabilities are “legitimately scary” and Georgia’s response worrisome.

“You’ve decided to drive on bald tires and storm season, and he might have reasons for that, but you can’t say it’s safe,” he said.

'Dangerous' or 'safest, wisest course'?

Halderman argues that the MITRE analysis Georgia officials are using to defend their decision is flawed because security measures are not always followed. In a Twitter thread criticizing Georgia for not updating the software, Halderman pointed to Coffee County, Ga., where a Republican party official directed outsiders to copy part of the voting system on Jan. 7, 2021. Election experts have increasingly warned about the risks that insider threats pose to American elections.

“The known breaches in Georgia would be sufficient to uncover and exploit every vulnerability we found — and likely others we missed,” he wrote in a tweet.

A group of more than 20 researchers in cybersecurity and elections agreed with him, penning a letter to MITRE calling for the analysis to be retracted.

“MITRE’s entire analysis is predicated on an assumption known to be wrong,” they said in an open letter. “MITRE’s analysis isn’t simply wrong — it is dangerous, since it will surely lead states like Georgia to postpone installing Dominion’s software updates and implementing other important mitigations.”

Updating the software — a fix that will mitigate some of the risks, according to Halderman — is a massive, time-consuming undertaking that could take months and poses its own risks, said Gabriel Sterling, the chief operating officer in the Georgia Secretary of State’s office.

“The new software has not been used as far as I know in any election in the world,” Sterling said. “It’s been certified by the [U.S. Election Assistance Commission], which is great, but like any new software, real-world deployment always finds things that may not work the way people intended it to.”

The state also considered updating part of its systems, Sterling said, but Georgia lawyers determined the law requires a unified system.

"Legally, logistically, and just risk-management wise, this was the safest wisest course," he said of waiting until 2025 to update the voting machine software.

Sterling also warned that Halderman's report would be used to "feed that fire" of election denialism.

And already, it's being declared a bombshell by those who sought to overturn the results of the 2020 election, despite no evidence of any actual hacking in that contest.

Steve Bannon, a former Trump strategist, spoke about Halderman's report with several guests on his "War Room" show, including Garland Favorito, an activist who runs an election integrity group in Georgia.

"It has some amazing findings that basically says what we have been saying all along," Favorito told Bannon. "What Mike [Lindell] has been saying, what you and I have been saying, and so many people, that the system is very insecure — it can be hacked."