Republican efforts questioning the outcome of the 2020 presidential race have led to voting system breaches that election security experts say pose a heightened risk to future elections.
Copies of the Dominion Voting Systems software used to manage elections — from designing ballots to configuring voting machines and tallying results — were distributed at an event this month in South Dakota organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year’s election.
[ Read: Report Highlights Cyber Risks to US Election Systems ]
“It’s a game-changer in that the environment we have talked about existing now is a reality,” said Matt Masterson, a former top election security official in the Trump administration. “We told election officials, essentially, that you should assume this information is already out there. Now we know it is, and we don’t know what they are going to do with it.”
The software copies came from voting equipment in Mesa County, Colorado, and Antrim County, Michigan, where Trump allies had sue unsuccessfully challenging the results from last fall.
The Dominion software is used in some 30 states, including counties in California, Georgia and Michigan.
Election security pioneer Harri Hursti was at the South Dakota event and said he and other researchers in attendance were provided three separate copies of election management systems that run on the Dominion software. The data indicated they were from Antrim and Mesa counties. While it’s not clear how the copies came to be released at the event, they were posted online and made available for public download.
The release gives hackers a “practice environment” to probe for vulnerabilities they could exploit and a road map to avoid defenses, Hursti said. All the hackers would need is physical access to the systems because they are not supposed to be connected to the internet.
“The door is now wide open,” Hursti said. “The only question is, how do you sneak in the door?”
A Dominion representative declined comment, citing an investigation.
U.S. election technology is dominated by just three vendors comprising 90% of the market, meaning election officials cannot easily swap out their existing technology. Release of the software copies essentially provides a blueprint for those trying to interfere with how elections are run. They could sabotage the system, alter the ballot design or even try to change results, said election technology expert Kevin Skoglund.
“This disclosure increases both the likelihood that something happens and the impact of what would happen if it does,” he said.
The effort by Republicans to examine voting equipment began soon after the November presidential election as Trump challenged the results and blamed his loss on widespread fraud, even though there has been no evidence of it.
Judges appointed by both Democrats and Republicans, election officials of both parties and Trump’s own attorney general have dismissed the claims. A coalition of federal and state election officials called the 2020 election the “most secure” in U.S. history, and post-election audits across the country found no significant anomalies.
In Antrim County, a judge had allowed a forensic exam of voting equipment after a brief mix-up of election results led to a suit alleging fraud. It was dismissed in May. Hursti said the date on the software release matches the date of the forensic exam.
Calls seeking information from Antrim County’s clerk and the local prosecutor’s office were not immediately returned; a call to the judge’s office was referred to the county clerk. The Michigan secretary of state’s office declined comment.
In Colorado, federal, state and local authorities are investigating whether Mesa County elections staff might have provided unauthorized individuals access to their systems. The county elections clerk, Tina Peters, appeared onstage with Lindell in South Dakota and told the crowd her office was being targeted by Democrats in the state.
Colorado Secretary of State Jena Griswold said she alerted federal election security officials of the breach and was told it was not viewed as a “significant heightening of the election risk landscape at this point.” This past week, Mesa County commissioners voted to replace voting equipment that Griswold had ordered could no longer be used.
Geoff Hale, who leads the election security effort at the U.S. Cybersecurity and Infrastructure Security Agency, said his agency has always operated on the assumption that system vulnerabilities are known by malicious actors. Election officials are focused instead on ways they can reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous post-election audits, Hale said.
He said having Dominion’s software exposed publicly doesn’t change the agency’s guidance.
Security researcher Jack Cable said he assumes U.S. adversaries already had access to the software. He said he is more concerned the release would fan distrust among the growing number of people not inclined to believe in the security of U.S elections.
“It is a concern that people, in the pursuit of trying to show the system is insecure, are actually making it more insecure,” said Cable, who recently joined a cybersecurity firm run by former CISA Director Christopher Krebs and former Facebook security chief Alex Stamos.
Concerns over access to voting machines and software first surfaced this year in Arizona, where the Republican-controlled state Senate hired Cyber Ninjas, a firm with no previous election experience, to audit the Maricopa County election. The firm’s chief executive also had tweeted support of conspiracy theories surrounding last year’s election.
After the county’s Dominion voting systems were turned over to the firm, Arizona’s top election official said they could not be used again. The GOP-controlled Maricopa County Board of Supervisors voted in July to replace them.
Dominion has filed suits contesting various unfounded claims about its systems. In May, it called giving Cyber Ninjas access to its code “reckless,” given the firm’s bias, and said it would cause “irreparable damage” to election security.
Election technology and security expert Ryan Macias, in Arizona earlier this year to observe that review, was alarmed by a lack of cybersecurity protocols. There was no information about who was given access, whether those people had passed background checks or were asked to sign nondisclosure agreements.
Cyber Ninjas did not respond to an email with questions about the review and their security protocols.
Macias was not surprised to hear that copies of Antrim County’s election management system had surfaced online given the questionable motives of the various groups conducting the reviews and the central role that voting systems have played in conspiracy theories.
“This is what I anticipated would happen, and I anticipate it will happen yet again coming out of Arizona,” Macias said. “These actors have no liability and no rules of engagement.”
