From election hero to zero: Georgia official’s dismissal of security audit could mean trouble in 2024

For the second time in four years, Georgia’s secretary of state stands at the center of a fight over the legitimacy of a U.S. presidential election. Only now, Brad Raffensperger — the Republican who once stood up to Donald Trump’s election fraud lies — is the one security experts see as the problem.

In a letter sent to state lawmakers last week, Raffensperger argues that a newly unsealed audit finding that there are dangerous vulnerabilities in Georgia’s widely used voting machine software is overblown and no fixes are needed.

“It’s more likely that I could win the lottery without buying a ticket” than that hackers flip enough votes to swing the election, he says in the letter.

But Raffensperger’s dismissive reaction to the unsparing audit conducted by security expert Alex Halderman has turned him into an object of intense criticism from cybersecurity specialists, who say he is painting legitimate research with the brush of far-right conspiracy theories — and imperiling the 2024 elections in the process.

“Raffensperger has lumped us with the election deniers,” said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and an expert on election technology. “But we cannot, out of fear of that confusion, stop talking about these vulnerabilities. They are real, they are there, and they must be addressed.”

Before its release last week, the analysis of Dominion Voting Systems’ ImageCastX ballot-marking devices was kept under seal for roughly two years as part of a long-running legal dispute between Raffensperger and local voting rights activists arguing the machines need to be replaced by hand-marked paper ballots.

Georgia is one of just two states in the country to use these ballot-marking devices as the primary form of voting across every precinct, and the plaintiffs — a Georgia-based non-profit group called the Coalition for Good Governance — have alleged its dependence on them is unacceptably risky because of the way the ImageCastX records voter’s choices: via machine-printed barcodes voters can’t corroborate with their own eyes.

The state has maintained throughout the court challenge that it has adequate controls to prevent fraud, but Raffensperger’s letter to legislators ramps up the rhetoric and shows that the fight for the legitimacy of the 2024 vote in Georgia is already well under way.

“The paranoiacs and conspiracists of the world have their beliefs reinforced when they read reports of theoretical ‘vulnerabilities’ that fail to mention the real-world security measures already in place,” said Mike Hassinger, spokesperson for the secretary of state’s office. “If the PhDs don’t like being put in the same category as the Pillow salesman, tough noogies. They should stop saying similar things.”

The secretary of state says in the letter that Georgia has effective controls in place — just as it did in 2020, when multiple audits, investigations and a state-wide recount disproved baseless allegations of widespread fraud. And Hassinger argued that it would be riskier to rush out the available fixes by 2024 because they are substantial and have not yet been tested in a major election.

But a chorus of cybersecurity analysts and election-security experts argue that there’s enough lead time right now to make changes and that fixing a documented issue with the machines is the best way to prevent vote-tampering or disinformation in 2024.

Raffensperger’s decision not to fix these systems represents “the height of irresponsibility,” Halderman said in an interview. “Even if there's no actual attack, you better believe that there are people who are going to use the existence of these problems to call into question the results of elections.”

Following the 2020 elections, then-president Donald Trump alleged Dominion Voting Systems had conspired with a bizarre cast of characters to steal the election from him. Fox News, which fueled those baseless allegations in its news coverage, eventually paid Dominion nearly $800 million to resolve a defamation suit the company had filed against it.

A recording of a phone call revealed Trump also pressured Brad Raffensperger to “find” enough votes to overturn Joe Biden’s victory in Georgia. Raffensperger’s refusal made him an icon of election integrity at the time. But he’s finding himself in a different position now.

While the coalition has been arguing since it first filed its case in 2017 that Georgia’s voting machines aren’t secure enough, Halderman’s audit — approved by a federal court in Georgia in 2021 — confirmed a number of easy-to-hack security holes.

In a matter of weeks, he concluded that even moderately skilled hackers could install malware on an ImageCastX or a connected printer to flip votes at individual polling stations or even across the state.

Overall, Halderman’s audit uncovered nine vulnerabilities in Dominion’s software, the U.S. government’s Cybersecurity and Infrastructure Security Agency, or CISA, has confirmed. The agency first reviewed the report under seal and then warned publicly about the nine flaws in June of last year.

But CISA never commented on how easy it would be to actually undermine an election. And that element of Halderman’s work remains a matter of dispute.

Each of his attacks requires some degree of physical access to election systems to execute. Bad actors would also need a copy of the company’s proprietary software, which the court gave Halderman, to understand how to exploit it.

Asked about the attacks identified in the Halderman report, a Dominion spokesperson said that “our customers’ certified systems remain secure thanks in part to the many robust operational and procedural safeguards that exist to protect elections.”

And by “diligently applying” a range of physical and operational controls that are already common for elections administrators, CISA said in its advisory, states could limit those risks.

Those are key reasons why Raffensperger believes Halderman’s warnings are overblown.

“The Halderman report was the result of a computer scientist having complete access to the Dominion equipment and software for three months in a laboratory environment,” he writes in the letter. “We have to run elections in the real-world, not just create conspiracies or hypothetical possibilities.”

A competing review of Dominion’s software conducted by the nonprofit MITRE corporation, Raffensperger writes, supports his point: It concluded that Halderman’s attacks were “operationally infeasible” due to the physical controls in place in the state and the low likelihood of flipping enough votes to make an impact.

But the unsigned study — which was commissioned by Dominion — is predicated on a shaky assumption buried in one of the footnotes: the enforcement of “strict and effective controlled access to Dominion’s system.”

Harri Hursti, a hacker who scours election systems to help companies find holes in them, once bought an ImageCastX off of eBay. And amid their efforts to undermine the results of the 2020 elections, pro-Trump allies have gotten their hands on Dominion’s systems in multiple instances.

Republican lawmakers in Maricopa County, Ariz, granted a far-right auditing firm, Cyber Ninjas, access to Dominion machines. And in Mesa County, Colo. and Coffee County, Ga. activists helped outsiders seeking to sow doubt about the 2020 results access to the company’s software.

The MITRE review “is fantasy,” said Philip Stark, a professor at UC Berkeley who conducts research on election integrity. Last week, Stark organized a group of more than 20 election security experts to send a letter demanding that MITRE retract the study.

Hassinger, the Raffensperger spokesperson, argued that the incident in Coffee County represented an exceptional case of criminal wrongdoing. He also said that the secretary of state cannot make hand-marked paper ballots more available than they already are without support from state legislators, but that the state does plan to check for signs of software tampering ahead of the 2024 election.

Raffensperger’s letter also does not address one of Halderman’s biggest concerns: That by altering both the barcode and the text that lists a voter’s choice, hackers could undermine confidence in efforts to verify election results.

And even if voters catch any mistakes — and repeated studies have shown that many voters do not carefully review their ballots — such attempts would cause widespread confusion on election day.

“The fundamental problem here is that Georgia decided (against expert advice) to use QR codes for ballots,” said Rob Graham, an election security expert who has studied false claims of election interference in 2020. “That means there’s no way for voters to verify their votes haven’t been altered by the ballot-marking devices.”

Poking holes in systems — or talking about them — can of course fuel the very same conspiracies election security experts say they’re trying to stop.

“THE ELECTION WAS RIGGED,” Donald Trump wrote Tuesday on his social media site Truth Social, in a post where he linked to a news article on the Halderman report.

But the experts who spoke with POLITICO argued that it is essential to arm states and election workers with the information they need to act. And, they say, the rising appeal of electronic voting systems means other states and localities are at risk of following in Georgia’s footsteps — and deploying a technology with risks they don’t fully understand.

“Any part of any voting system that's ever been subjected to truly independent review has been found to have significant security issues,” said John Sebes, chief technology officer of the TrustTheVote Project and a co-director of the OSET Institute.

“We’ve got to be able to have a conversation about that without being wrapped up around the flag of MAGA conspiracy theorists,” he added.

Kyle Cheney has contributed to this report.