Washington
CNN
—
Georgia election officials have been aware of existing vulnerabilities in the state’s voting software for more than two years but continue to insist the system is safe and won’t be updated until after 2024, according to a report that was unsealed this week as part of a controversial court case in Georgia.
The report’s findings focus on weaknesses in software for certain Dominion Voting machines. Those weaknesses were previously verified by federal cybersecurity officials, who urged election officials across the country to update their systems.
A lawyer for Georgia’s top election official, Republican Secretary of State Brad Raffensperger, recently told a federal court that officials would forgo installing Dominion’s security patches until after the 2024 presidential election. Georgia election officials insist it is highly unlikely that the vulnerabilities will be exploited in real attacks.
“Upgrading the system will be a massive undertaking, and our election officials are evaluating the scope of, and time required for the project,” Mike Hassinger, a spokesperson for the Georgia secretary of state’s office, told CNN when asked about the delay.
While state and federal officials have suggested it is unlikely that these vulnerabilities could be exploited, the newly released report points out that Georgia is far more dependent on this particular Dominion software than any other state, potentially undermining confidence in its ability to conduct a secure election.
Georgia officials have dismissed the potential for these weaknesses to be exploited.
“It’s extremely unlikely that any bad actor would be able to exploit our voting systems in the real world. The system is secure,” Gabriel Sterling, a top election official in the Georgia secretary of state’s office, said in a press release from earlier this month, adding that safeguards are already in place to “mitigate these hypothetical scenarios from happening.”
Dominion Voting Systems last year updated its software in response to the attack scenarios described by the report’s author, a University of Michigan computer scientist named J. Alex Halderman.
But Georgia has not implemented the recommended security patch and state officials said they are waiting to do so until after 2024.
Delaying the security patches until 2025 is “worse than doing nothing,” warned Halderman, “since it puts world-be adversaries on notice that the state will conduct the presidential election with this particular version of software with known vulnerabilities, giving them nearly 18 months to prepare and deploy attacks.”
The Georgia secretary of state’s office maintains that the attack scenarios described in Halderman’s report are unrealistic, given the wide-ranging access he was granted to the voting equipment, and addressed by security controls at voting locations on Election Day.
The report released Wednesday was produced two years ago at the behest of a coalition of election integrity advocates who have been embroiled in a yearslong lawsuit against the Georgia secretary of state’s office over concerns related to its reliance on Dominion electronic voting systems.
The report was placed under seal by a judge “given the serious election security concerns” raised by its potential release, according to court records.
Earlier this month, however, the judge ruled that the report could be unsealed, ruling that proposed redactions by the plaintiff “appropriately manage the risk to election security while advancing security through transparency,” court documents show.
The report was filed to the docket on Wednesday, making it publicly available for the first time.
A separate report commissioned by Dominion and conducted by Mitre Corp., a not-for-profit research lab, found that five of Halderman’s attack scenarios were “non-scalable,” meaning they would “impact a statistically insignificant number of votes on a single device at a time.”
The sixth attack scenario was offset by access controls at voting locations, the report found.
That additional report, previously under seal, will also be made available to the public.
A Dominion spokesperson referred CNN to the Mitre report, particularly its finding that Halderman’s attacks are “operationally infeasible.”
This story has been updated with additional details.