ATLANTA — Republican efforts questioning the outcome of the 2020 presidential race have led to voting system breaches that election security experts say pose a heightened risk to future elections.
Copies of the Dominion Voting Systems software used to manage elections — from designing ballots to configuring voting machines and tallying results — were distributed at an event this month in South Dakota organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year’s election.
“It’s a game-changer in that the environment we have talked about existing now is a reality,” said Matt Masterson, a former top election security official in the Trump administration. “We told election officials, essentially, that you should assume this information is already out there. Now we know it is, and we don’t know what they are going to do with it.”
The software copies came from voting equipment in Mesa County, Colo., and Antrim County, Mich., where Trump allies had sued unsuccessfully challenging the results from last fall. The Dominion software is used in some 30 states, including counties in California, Georgia and Michigan.
Election security pioneer Harri Hursti was at the South Dakota event and said he and other researchers in attendance were provided three separate copies of election-management systems that run on the Dominion software. The data indicated they were from Antrim and Mesa counties. While it’s not clear how the copies came to be released at the event, they were posted online and made available for public download.
The release gives hackers a “practice environment” to probe for vulnerabilities they could exploit and a road map to avoid defenses, Hursti said. All the hackers would need is physical access to the systems because they are not supposed to be connected to the internet.
“The door is now wide open,” Hursti said. “The only question is, how do you sneak in the door?”
A Dominion representative declined comment, citing an investigation.
U.S. election technology is dominated by just three vendors comprising 90 percent of the market, meaning election officials cannot easily swap out their existing technology. Release of the software copies essentially provides a blueprint for those trying to interfere with how elections are run. They could sabotage the system, alter the ballot design or even try to change results, said election technology expert Kevin Skoglund.
“This disclosure increases both the likelihood that something happens and the impact of what would happen if it does,” he said.
The effort by Republicans to examine voting equipment began soon after the November presidential election as Trump challenged the results and blamed his loss on widespread fraud, even though there has been no evidence of it.
Judges appointed by both Democrats and Republicans, election officials of both parties, and Trump’s own attorney general have dismissed the claims. A coalition of federal and state election officials called the 2020 election the “most secure” in U.S. history.
Self-fulfilling prophecy
Geoff Hale, who leads the election security effort at the U.S. Cybersecurity and Infrastructure Security Agency, said his agency has always operated on the assumption that system vulnerabilities are known by malicious actors. Election officials are focused instead on ways they can reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous post-election audits, Hale said.
He said having Dominion’s software exposed publicly doesn’t change the agency’s guidance.
Security researcher Jack Cable said he assumes U.S. adversaries already had access to the software. He said he is more concerned that the release would fan distrust among the growing number of people not inclined to believe in the security of U.S. elections.
“It is a concern that people, in the pursuit of trying to show the system is insecure, are actually making it more insecure,” he said.
