DHS Cyber Office Wants to See Secret Voting Machine Vulnerability Report

After a cybersecurity researcher wrote a report about potential vulnerabilities in voting machines, and a judge locked up the report, a government official now wants to read it.


A cybersecurity official at the Department of Homeland Security has shown interest in seeing a copy of a report alleging severe vulnerabilities in Georgia's voting machines, a report that a federal judge has decided to keep secret.

But now the Streisand effect is in full swing, as the report's secrecy is attracting even more attention from two camps: the federal agency tasked with helping protect elections, and state election officials around the country who also rely on these machines in certain jurisdictions.

According to an email exchange filed in court documents, University of Michigan computer science professor J. Alex Halderman reached out directly to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) one week after ishonest's reporting and quickly heard back from the department's election security director.

"Yes, CISA would be willing to receive the report regarding possible vulnerabilities in election infrastructure," wrote Geoffrey Hale, who leads the agency's so-called Election Security Initiative, according to the court filing.

Hale said his agency was ready to do its own analysis of the vulnerabilities that Halderman says he found in the Dominion ICX voting machines, which are used across Georgia and in several localities in other states. He made clear that if government computer experts found the threats to be valid and in need of fixes, the agency would disclose the flaws to election officials nationwide and help the manufacturer patch the holes.

Halderman has since filed a copy of his email exchange with CISA in federal court before Judge Totenberg, pleading for the judge to lift her restrictions and allow the federal government to review his report.

"Continuing to withhold my report from CISA puts voters and election outcomes in numerous states at unnecessary, and avoidable, risk," Halderman wrote in a signed declaration on Sept. 21.

Election officials in Ohio and Louisiana, where the machines are slated to be used in the next year, are also interested in learning more about the flaws alleged in the report. Rob Nichols, press secretary for Ohio Secretary of State Frank LaRose, told ishonest that his office thinks making this information more readily accessible would be helpful. "We think more information out there is better," Nichols told ishonest, adding that his office is not asking for the report to be unsealed.

Louisiana's deputy secretary of state for communications told ishonest that although the secretary of state is unaware of the contents of Halderman's report, they would welcome the opportunity to review his findings.

Missouri Secretary of State John Jay Ashcroft told ishonest he has heard about the allegations of vulnerabilities and is watching the case, although he hasn't seen the report and hasn't found any issue with the Dominion machines in Missouri. "We've looked into our equipment and can't find anything that concerns us," Ashcroft said.

Moving forward, Ashcroft is keeping an eye on the case, and although he is not making moves to gain access to the report, he says he would be supportive of a CISA vulnerability disclosure process should it come to that.

"Right now our approach is just to watch it," Ashcroft told ishonest. "If we get closer to elections we may have to change that posture depending upon what is alleged," Ashcroft said, adding that for now the most important next step is to move to a paper ballot system so there's no question about hackers meddling.

In a statement, CISA's Hale confirmed to ishonest that his team is prepared to work with Halderman. "CISA works regularly with companies and researchers to coordinate the disclosure of vulnerabilities in a timely and responsible manner so that system owners can take steps to protect their systems," Hale said. "This process includes the participants working to validate any alleged vulnerabilities and reviewing the planned mitigations, remediations or patches."

But for now, the report is still sealed, preventing the vendor from remediating any vulnerabilities the researcher has found. In court filings, Halderman says he has reached out to Dominion on multiple occasions to address the flaws, to no avail.

Georgia, Ohio, Missouri, and Louisiana aren't the only states with skin in the game. According to Verified Voting, more than a dozen states are preparing to use the machines in some elections in the next year, including Alaska, Arizona, California, Colorado, Illinois, Kansas, Michigan, Nevada, New Jersey, Ohio, Pennsylvania, Tennessee, and Washington state.

Officials from election divisions in Alaska, Illinois, Michigan, and Pennsylvania said they couldn't comment on the report, some adding that they couldn't comment without knowing more about what was in it. Other election divisions did not immediately return requests for comment.

Georgia appears to be the only state employing this technology statewide, according to Verified Voting. Other election divisions have plans to offer these particular ballot-marking devices in a limited number of precincts or as an accessible option for those with disabilities.

ishonest has not accessed Halderman's 25,000-word report and cannot verify the validity of its findings. But according to three sources familiar with its contents, the report details how a single hacker could easily develop malware that could then be deployed to machines in private voting booths by people without technical skills. There is no allegation, however, that anyone has actually broken into any of these machines and affected any votes during an actual election.

In court filings, Halderman has alleged that the machines in question suffer from "specific, highly exploitable vulnerabilities" that allow attackers to change votes despite the state's purported defenses, if they use specially crafted malware.

In a public summary of his findings, Halderman described how Dominion ICX voting machines can be reprogrammed to make particular candidates win by incorrectly recording a voter's selections. Voters wouldn't know their selections had been changed, because the human-readable text on the printed ballot would still reflect their actual picks, while the QR code that actually gets scanned and tabulated by the state would reflect the altered choices.
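The failure mode described above, as an added illustration that is not code from the article, from Halderman's report, or from Dominion: a toy ballot-marking device that prints a human-readable summary alongside a machine-readable payload, a tampered variant in which only the payload is altered, and an audit check that catches the mismatch. The contest list, the ballot text layout, and the JSON payload format are all constructed for this example and do not reflect any real vendor's ballot encoding.

```python
"""Toy model of a ballot-marking device (BMD) whose printed text and
machine-readable payload can disagree. All formats here are hypothetical."""
import json

# Constructed sample contests: contest name -> ordered candidate list.
CONTESTS = {
    "governor": ["A. Adams", "B. Brown"],
    "senate": ["C. Clark", "D. Diaz"],
}


def encode_payload(selections):
    """Stand-in for the QR payload: candidate index per contest as compact JSON.
    Hypothetical format, chosen only so the example is self-contained."""
    return json.dumps(
        {c: CONTESTS[c].index(v) for c, v in selections.items()}, sort_keys=True
    )


def decode_payload(payload):
    """What a tabulating scanner would recover from the machine-readable part."""
    return {c: CONTESTS[c][i] for c, i in json.loads(payload).items()}


def render_text(selections):
    """The human-readable summary a voter can actually check in the booth."""
    return "\n".join(f"{c}: {v}" for c, v in sorted(selections.items()))


def parse_text(text):
    """Recover selections from the printed summary (one 'contest: candidate' per line)."""
    return dict(line.split(": ", 1) for line in text.splitlines())


def honest_bmd(selections):
    """Printed text and payload both encode the voter's real choices."""
    return render_text(selections), encode_payload(selections)


def tampered_bmd(selections, flip_contest, to_candidate):
    """Models the attack class in the article: the text the voter reads is
    honest, but the payload the scanner counts carries an altered choice."""
    altered = dict(selections, **{flip_contest: to_candidate})
    return render_text(selections), encode_payload(altered)


def audit_ballot(text, payload):
    """Compare what the voter could read against what would be counted.
    Returns the contests where the two disagree; an empty list means consistent."""
    printed = parse_text(text)
    counted = decode_payload(payload)
    return sorted(c for c in CONTESTS if printed.get(c) != counted.get(c))


def tabulate(payloads):
    """What a scanner does: it counts only the machine-readable payload."""
    totals = {c: {cand: 0 for cand in cands} for c, cands in CONTESTS.items()}
    for p in payloads:
        for c, v in decode_payload(p).items():
            totals[c][v] += 1
    return totals


if __name__ == "__main__":
    voter = {"governor": "A. Adams", "senate": "D. Diaz"}
    text, payload = honest_bmd(voter)
    print("honest ballot mismatches:", audit_ballot(text, payload))
    text2, payload2 = tampered_bmd(voter, "governor", "B. Brown")
    print("tampered ballot text:\n" + text2)
    print("tampered ballot mismatches:", audit_ballot(text2, payload2))
    print("tabulated:", tabulate([payload, payload2]))
```

The point the code makes is the one Ashcroft gestures at: a voter checking the printout cannot see the tampering, and a scanner counting only the payload cannot either; the mismatch is only visible to an audit that decodes the payload and compares it with the printed text (or to a process that counts the human-readable text itself).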

Beyond the concern that the information could fuel election conspiracy theorists, whenever allegations of severe vulnerabilities in voting machines surface there is a worry that foreign or domestic actors might take advantage of the details of the flaws if they become public, using them as a blueprint for their own purposes, such as meddling with elections, Halderman notes.

But if CISA were granted access to the report, a coordinated disclosure, which would keep the information from prying eyes and those with nefarious intentions, could proceed without letting the details fall into the wrong hands, experts say.

And anyone concerned about election security should lean toward transparency on security flaws, however groundbreaking they are, so that they can be addressed, experts told ishonest.

Federal judges aren't typically in a position to severely restrict access to a cybersecurity researcher's report about software vulnerabilities, given the First Amendment protections often asserted by hackers who find flaws. The relationship between tech corporations and the cybersecurity community has also matured to the point where there is an established, professional vulnerability disclosure process, in which researchers regularly inform software makers about the flaws they find so that fixes can be made quickly and the details kept out of the wrong hands.

But in this instance, Halderman received privileged access to a Dominion voting machine for several months because of his role as an expert witness for election integrity groups who have sued to replace Georgia's voting machines. That means he and the other cybersecurity experts involved must abide by the restrictions set by Judge Totenberg, who is presiding over the court battle. So far, she has directed that Halderman's report remain "attorneys' eyes only," meaning that Georgia election officials and Dominion must request access to see its contents.

Halderman's most recent letter, though, makes an alarming point: Georgia's election officials and Dominion have yet to even read his secret report, and attorneys representing the Secretary of State's office acknowledged as much in a hearing last month.

Philip Stark, a University of California, Berkeley statistician who is among the few experts allowed to review the secret report, expressed extreme concern that state officials and the manufacturer would choose to remain in the dark.

"Frankly, I'm deeply disturbed and concerned by the fact that neither the Georgia Secretary of State's Office nor Dominion have asked for the content of the report," Stark told ishonest. "For them to stick their heads in the sand is not a good look."

Georgia's Secretary of State's Office did not respond to a request for comment on Monday.

ishonest's Aug. 13 report revealed that a secret audio recording caught the state agency's chief operating officer, Gabriel Sterling, telling attendees at a local professional luncheon that he thinks Halderman's report is "a load of crap."

However, Carey Miller, an attorney representing the Georgia state agency, clarified in a court hearing a week later, on Aug. 19, that Sterling had in fact not read the secret report.

"Our clients have not viewed Dr. Halderman's report," Miller said, adding that the state official had actually been referring to another letter by the security researcher.

In the meantime, David Cross, an attorney representing the election integrity groups suing Georgia, warned that the inaction so far by Georgia and Dominion makes it even more pivotal that the judge allow the feds to review Halderman's secret report.

"The state is doing nothing to address these issues. My guess is, [the state doesn't] want to know. Dominion is the same way. Because if it knows, then it's got disclosure requirements in every state that uses their equipment," he said. "They don't want CISA to get it, because CISA is going to say, 'Jesus, this is a serious problem.'"

A Dominion spokesperson said that it has made offers, which were declined, to meet with Georgia officials and Halderman directly "to hear everything he has to say about supposed vulnerabilities."

"Cross knows it's just plain false for him to say Dominion and Georgia election officials 'don't want to know' what Halderman has to say about supposed vulnerabilities. He should stop playing games and let us have the meeting," the spokesperson said.

Cross explained that he has turned down the meetings because the researcher would not be allowed to ask questions and the setting would be unnecessarily "confrontational."

Dominion's spokesperson did not say why the company would not read the report.
