Republican election audits have led to voting system breaches, experts say

Republican efforts to question Donald Trump’s defeat in 2020 have led to voting system breaches experts say pose a risk to future elections.

Copies of Dominion Voting Systems softwares used for designing ballots, configuring voting machines and tallying results were distributed at an event this month in South Dakota organized by the MyPillow chief executive, Mike Lindell, a Trump ally who has made unsubstantiated claims about last year’s election.

Matt Masterson, a former top election security official in the Trump administration, said: “We told election officials, essentially, that you should assume this information is already out there. Now we know it is, and we don’t know what [hackers] are going to do with it.”

The software copies came from voting equipment in Mesa county, Colorado, and Antrim county, Michigan, where Trump allies challenged results last fall. Dominion software is used in some 30 states, including California, Georgia and Michigan.

Harri Hursti, an election security pioneer, was at the South Dakota event and said he and other researchers were given three separate copies of election management systems that run on the Dominion software. Data indicated they were from Antrim and Mesa counties. While it’s not clear how the copies came to be released, they were also posted online and made available for public download.

The release gives hackers a “practice environment” to probe for vulnerabilities and a road map to avoid defenses, Hursti said. All hackers would need is physical access to the systems because they are not supposed to be connected to the internet.

“The door is now wide open,” Hursti said. “The only question is, how do you sneak in the door?”

US election technology is dominated by three vendors, meaning election officials cannot easily swap out existing technology. A Dominion representative declined comment, citing an investigation.

Hackers could sabotage the system, alter ballot design or even try to change results, said Kevin Skoglund, an election technology expert.

“This disclosure increases both the likelihood that something happens and the impact of what would happen if it does,” he said.

The effort by Republicans to examine voting equipment began soon after the November election as Trump blamed his loss on widespread fraud. Judges appointed by both Democrats and Republicans, election officials of both parties and Trump’s own attorney general dismissed the claims. A coalition of federal and state officials called the 2020 election the “most secure” in US history, and post-election audits across the country found no significant anomalies.

In Antrim county, a judge allowed a forensic exam of voting equipment after a brief mix-up of results led to a suit alleging fraud. It was dismissed in May. Hursti said the date on the software release matches the date of the forensic exam.

Calls seeking information from Antrim county’s clerk and the local prosecutor were not immediately returned; a call to the judge’s office was referred to the county clerk. The Michigan secretary of state’s office declined comment.

In Colorado, authorities are investigating whether Mesa county elections staff provided unauthorized access to systems. The county elections clerk, Tina Peters, appeared with Lindell in South Dakota and told the crowd she was being targeted by Democrats.

Colorado’s secretary of state, Jena Griswold, said she alerted federal officials of the breach and was told it was not viewed as a “significant heightening of the election risk landscape at this point”. This week, Mesa county commissioners voted to replace voting equipment Griswold ordered no longer be used.

Geoff Hale, who leads election security at the US Cybersecurity and Infrastructure Security Agency (Cisa), said his agency has always operated on the assumption system vulnerabilities are known by malicious actors. Officials are focused instead on ways to reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous post-election audits, Hale said.

Having Dominion’s software exposed publicly did not change the agency’s guidance, Hale said.

Jack Cable, a security researcher, said he assumed US adversaries already had access to the software. He said he was more concerned the release would fan distrust among the growing number of people not inclined to believe in the security of US elections.

“It is a concern that people, in the pursuit of trying to show the system is insecure, are actually making it more insecure,” said Cable, who recently joined a cybersecurity firm run by the former Cisa director Christopher Krebs and former Facebook security chief Alex Stamos.

Concerns over access to voting machines and software first surfaced in Arizona, where the Republican-controlled state senate hired Cyber Ninjas, a firm with no elections experience, to audit Maricopa county results. The firm’s chief executive tweeted support of conspiracy theories surrounding last year’s election.

After the county’s Dominion voting systems were turned over, Arizona’s top election official determined they could not be used again and ordered new ones.

Dominion has filed suits contesting unfounded claims about its systems. In May, it called giving Cyber Ninjas access to its code “reckless” and said it would cause “irreparable damage” to election security.

Ryan Macias, an election technology and security expert who was in Arizona earlier this year to observe that review, was alarmed by a lack of cybersecurity protocols. There was no information about who was given access, whether those people had passed background checks or were asked to sign non-disclosure agreements. Cyber Ninjas did not respond to an email.

Macias was not surprised to hear copies of Antrim county’s system had surfaced online, given the questionable motives of the various groups conducting the reviews and the central role that voting systems have played in conspiracy theories.

“This is what I anticipated would happen, and I anticipate it will happen yet again coming out of Arizona,” Macias said. “These actors have no liability and no rules of engagement.”