The federal government has found no evidence that flaws in Dominion voting machines have ever been exploited, including in the 2020 election, according to the executive director of the Cybersecurity and Infrastructure Security Agency.
CISA, an arm of the Department of Homeland Security, has notified election officials in more than a dozen states that use the machines of several vulnerabilities and mitigation measures that would aid in detection or prevention of an attempt to exploit those vulnerabilities.
The move marks the first time CISA has run voting machine flaws through its vulnerability disclosure program, which since 2019 has examined and disclosed hundreds of vulnerabilities in commercial and industrial systems that have been identified by researchers around the world. (The program is aimed at helping companies and consumers better secure devices from breaches.)
The security of Dominion voting machines has become a flashpoint in the fraught politics of the 2020 election with supporters of former President Donald Trump claiming that the results were tainted by machines that were manipulated, while election officials — including Georgia’s Republican secretary of state and governor — insisted that there was no evidence of breaches or altered results.
There are nine flaws affecting versions of the machine called the Dominion Voting Systems Democracy Suite ImageCast X, according to a copy of an advisory prepared by CISA and obtained by The Washington Post. The ImageCast X allows voters to mark their candidate choices on a touch-screen and then produce a paper record, as was the case in Georgia. It can also be used as a paperless electronic voting machine. The flaws, many of which are highly technical and which mostly stem from machine design as opposed to coding errors, generally require an attacker to have physical access to the devices or other equipment used to manage the election, CISA said.
“We have no evidence that these vulnerabilities have been exploited and no evidence that they have affected any election results,” said Brandon Wales, CISA’s executive director in a statement to The Post. “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely. This makes it very unlikely that these vulnerabilities could affect an election.”
CISA conducted its review in response to a report by two researchers prepared as part of long-running litigation over the security of Georgia’s voting system. The lead researcher, University of Michigan computer scientist J. Alex Halderman, served as an expert for plaintiffs who filed the case in 2017. The plaintiffs — a group of voters and voting security activists — argued that the paperless touch-screen machines Georgia was then using, which were made by a different company, were so lacking in security that they violated voters’ civil rights.
Georgia agreed to acquire a new system and in 2019 bought Dominion ImageCast X “ballot-marking devices,” which were first used in 2020. The plaintiffs now argue that this replacement system is still too vulnerable to manipulation, and that Georgia should adopt a system of hand-marked paper ballots that can be scanned and tabulated by machine.
CISA’s five-page advisory is based in part on Halderman’s 100-page report, which remains under seal in a federal court in Atlanta. The advisory is expected to be released next week after officials in all 50 states are notified.
CISA’s disclosure, however, is unlikely to settle the matter. The lawsuit over machine security is about to enter its sixth year, and unfounded claims of fraud continue to animate Republican voters and elected officials.
The advisory comes as a report released Friday by The Mitre Corporation, a federally funded research and development center, reached similar conclusions to those of CISA, according to the office of the Georgia Secretary of State, Brad Raffensperger. The report, which was commissioned by Dominion, was not released publicly.
“Both the CISA and Mitre reports show what reasonable people already know — if bad actors are given full and unfettered access to any system, they can manipulate that system,” said Gabriel Sterling, a top aide to Raffensperger, in a statement. “That is why procedural, operational, and legal election integrity measures are crucial.”
Sterling said that like CISA, Mitre found that existing procedural safeguards observed by election offices “make it extremely unlikely for any bad actor to actually exploit the … vulnerabilities” Halderman found.
But Halderman, who has said publicly that he has no evidence that the machines’ flaws were exploited, told The Post that the vulnerabilities were serious and could be used by an attacker. The most significant, he said, is a coding flaw that allows an attacker who gains access to a jurisdiction’s central election computers to spread malware to the ImageCast X machines.
“Voting systems rely on multiple layers of defense including physical and electronic safeguards,” he said. “These vulnerabilities show that unfortunately the electronic safeguards are not as secure as they need to be.”
The disclosures follow Tuesday’s primary elections in Georgia, which saw record turnout for a midterm primary. No evidence of tampering was found.
In the 2020 presidential election, officials carried out a hand recount of the entire state, reading the candidate names off the ballots and not just rescanning them.
Election security experts have raised concerns about insider threats from election officials who subscribe to conspiracy theories about voting machines. Tina Peters, the clerk in Mesa County, Colo., was indicted in March on charges stemming from her efforts to copy Dominion hard drives. Peters said she has done nothing wrong. Georgia officials are investigating an allegation that machines in Coffee County were accessed by people seeking evidence of fraud.
Election experts say that measures implemented over the years make it extremely unlikely that a malicious insider could carry off a hack that alters votes to throw an election. “In many jurisdictions, two people are present when handling voting and tabulating equipment,” Maria Benson, a spokeswoman for the National Association of Secretaries of State, told The Post. Election officials also have implemented extensive security measures, she said, “including controlling physical access to election-related systems, ensuring they have adequate backups, and testing the accuracy of systems and processes before and after each election.”
Dominion was aware of the flaws and told CISA that its systems can be updated to address them, the agency said.
The Washington Post’s Emma Brown contributed to this report.