Voting machines fill the floor for early voting at State Farm Arena, Oct. 12, 2020, in Atlanta. Critics of the voting equipment used in Georgia say the state's plan to wait until after 2024 presidential election to install a software update meant to address flaws that an expert says leave the machines open to attack is irresponsible.

Voting machines fill the floor for early voting at State Farm Arena, Oct. 12, 2020, in Atlanta. Critics of the voting equipment used in Georgia say the state's plan to wait until after 2024 presidential election to install a software update meant to address flaws that an expert says leave the machines open to attack is irresponsible.

Credit: AP Photo/Brynn Anderson, File

Critics of Georgia's plan to wait until after next year's presidential election to install a software update to address security flaws on the state's voting equipment called that irresponsible, saying the machines would be left open to attack.

The vulnerabilities in the Dominion Voting Systems equipment were identified by an expert witness in a lawsuit challenging the constitutionality of Georgia's election system. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, last year published an advisory based on those findings that urges election officials to take steps to mitigate the risks "as soon as possible."

Georgia election officials say they're doing just that. But the time and labor required to install the latest Dominion software makes it unrealistic to do it before the 2024 election cycle, they say. They insist the state's elections are secure.

University of Michigan computer scientist J. Alex Halderman spent 12 weeks examining the ImageCast X voting machines used statewide in Georgia and by at least some voters in more than a dozen other states. His report was filed with the court and kept under seal for nearly two years. A redacted version was made public Wednesday.

"No grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia's elections already possess," the report says. Even if no attack happens, Halderman wrote, the existence of vulnerabilities "is all but certain to be exploited by partisan actors to suppress voter participation and cast doubt on the legitimacy of election results."

Gabriel Sterling, chief operating officer for the Georgia secretary of state's office, dismissed Halderman's claims as "theoretical in many ways."

"We have to operate in the real world, and that's what we're doing," he said. "We continue to act as responsibly as possible. We're protecting our systems, protecting the voters."

Nearly all in-person voters in Georgia use the voting machines, making it a more attractive target for an attack than many other places where the machines are used only for people who can't physically complete a ballot by hand, Halderman wrote. Georgia also has become a pivotal swing state in recent elections.

Dominion has filed numerous lawsuits over false claims about its machines by supporters of former President Donald Trump who allege that the 2020 election was stolen. The company maintains that its equipment is secure.

"While we are constantly working to offer the latest security features and innovations to our customers, the CISA advisory clearly states that exploitation of any of the issues raised can be mitigated by following standard procedural and operational security processes for administering elections," the company said in an emailed statement.

Halderman called the revelation that Georgia wouldn't install the software upgrade until 2025 "stunning." That gives potential attackers time to plan and execute attacks in 2024 elections, he said.

Georgia's touchscreen voting machines print a paper ballot with a QR code and a human-readable list reflecting the voter's selections, and votes are tallied by a scanner that reads the QR code. Halderman wrote that in examining a Dominion ImageCast X voting machine and associated equipment, he "played the role of an attacker and attempted to discover ways to compromise the system and change votes."

A longtime critic of electronic voting machines, Halderman advocates using hand-marked paper ballots read by scanners along with robust post-election audits. His findings mean Georgia voters cannot be confident their votes are secured and correctly counted or that future elections using the current system will be safe from attack and produce the correct result, the report says.

Malware could be installed on individual voting machines by people with temporary physical access, such election workers or voters, the report says. Halderman also said that by modifying certain files that election workers copy to voting machines before each election an attacker could spread malware to every voting machine in a county, or the whole state, without physical access to individual machines. The attacks would likely not be detected by Georgia's current practices and protocols, the report says.

Last year, Dominion commissioned a report by the Mitre Corporation's National Election Security Lab to assess the risks Halderman identified. In that report, which was also made public Wednesday, Mitre deemed the potential attacks "operationally infeasible."

Mitre said it based its analysis on the difficulty and the technical skill and time required for the proposed attacks. Most would affect "a statistically insignificant number of votes on a single device at a time," and the attack that could spread malware to many machines requires unrealistic access to Dominion software and machines, the Mitre report says.

Georgia Secretary of State Brad Raffensperger touted the Mitre report as proof that the state's voting system is secure.

"Secretary Raffensperger's claim that Mitre found no meaningful risk to voters is highly misleading," said David Cross, a lawyer who represents some of the voters in the lawsuit challenging Georgia's election system and who engaged Halderman to examine the machines.

"Mitre didn't even examine the voting equipment or software and was told to assume that bad actors can't access Georgia's voting system."

Cross said that assumption was invalidated when a computer forensics team hired by Trump allies traveled to Coffee County in south Georgia in January 2021, was allowed to access voting equipment and copied software and data. Evidence shows that material was uploaded to a server and accessed by an unknown number of people.

The lawsuit that spawned Halderman's report was initially filed in 2017 by individual voters and the Coalition for Good Governance, which advocates for election security. They originally challenged the outdated paperless voting machines Georgia used at the time but shifted to target the new system purchased in 2019, saying it is also vulnerable to attack.

U.S. District Judge Amy Totenberg, who's overseeing the lawsuit, had resisted making Halderman's report public, saying she was concerned it could be exploited by bad actors. But in an order last week instructing that it be made public, she noted that the parties and CISA had all agreed that proposed redactions provided appropriate safeguards against election security concerns.