ATLANTA – The country’s top cybersecurity agency released a final version of a recommendation on Friday previously sent State officials on vulnerabilities in voting machines in Georgia and other states, which vote integrity activists say weaken a security recommendation about using barcodes to count votes.
The Counselor The vulnerability, issued by the US Agency for Cybersecurity and Infrastructure Security (CISA), has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines that generate a paper ballot or record votes electronically. The agency said that while the vulnerabilities should be mitigated quickly, the agency “has no evidence these vulnerabilities were exploited in any elections.”
Dominion’s systems have been unfairly attacked since the 2020 election by people who made the mistaken belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to false and outrageous allegations by high-profile Trump allies.
The advisory CISA, released Friday, is based on a report by University of Michigan computer scientist J. Alex Halderman, an expert in a long-standing litigation this has nothing to do with false accusations from the 2020 election.
The machines are used by at least some voters in 16 states, according to a voting machine tracker managed by Watchdog Verified Voting. In most of these places, they are only used for people who cannot fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person reconciliations are done on the affected machines.
Dominion has defended the machines as “accurate and secure.”
Like those used in Georgia, the machines print a paper ballot that contains a barcode — known as a QR code — and a human-readable summary of the voter’s choices. The votes are counted by a scanner that reads the barcode. Security experts have warned that the QR codes could be tampered with to reflect different votes than the voter intended.
A version of the advisory sent to election officials last week said: “When barcodes are used to tabulate votes, they can be subject to attacks that exploit the vulnerabilities listed, making the barcode inconsistent with the human-readable portion.” of the ballot.” To reduce this risk, the advisor suggested that where possible, jurisdictions configure machines to produce “traditional, full-fill ballots, rather than summary ballots with QR codes.”
A full-face ballot looks like a handwritten paper ballot, listing all the choices for each race and a bubble next to the voter’s choice being machine-filled. In contrast, a summary vote only lists the voter’s choices for each race.
The recommendation to use full-face ballots instead of QR-code speed dials is not included in the final version of the advisory published on Friday. After determining that the vulnerabilities could be exploited to alter the barcode so that it did not match a voter’s selection, it instead includes a note in parentheses stating, “If states and jurisdictions so desire, the ImageCast X the configuration option to produce ballots that do not print barcodes for tabulation.”
Halderman expressed disappointment with the change, saying it “dramatically” weakens the security that would be offered by combining mitigation measures in counseling in Georgia and other jurisdictions that rely on QR codes for vote counting.
Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the lawsuit that led to Halderman’s investigation into the machines, said it appears CISA bowed to political pressure to water down the recommendation.
“It is of great concern that self-serving election officials can force their way through CISA to water down the agency’s mandatory basic security measure of removing barcode votes from ballots — an unnecessary, serious vulnerability that puts millions of voters at risk,” she said.
A CISA spokesman said the change was not based on complaints from any party and said it is common practice to update a recommendation when the agency is made aware of potential vulnerabilities as it works with researchers, vendors and other partners to help provide information on mitigation measures.
The Dominion machines can print a full-surface ballot without a QR code because the company has upgraded its software for Colorado, said Matt Crane, executive director of the state association of county officials. He said that although Secretary of State Jena Griswold announced in 2019 that Colorado would ditch QR codes for security reasons, the transition has only just begun.
Crane said he believes less than 2.5% of Colorado voters used the Dominion’s ballot-marking machines in the 2020 general election. Most prefer handwritten ballots.
The recommendation is based on a report by Halderman examining voting machines used in Georgia as witnesses by plaintiffs in a court case challenging the machines. Originally filed in 2017, the lawsuit targeted the outdated voting machines Georgia was using at the time. The state bought the Dominion system in 2019, but plaintiffs claim the new system is also insecure.
Halderman has long argued that using electronic machines to record voter polls is dangerous because computers are inherently vulnerable for hacking and therefore require multiple safeguards that are not consistently followed. He and many other election security experts have insisted they be used handwritten ballots is the most secure voting method and the only option that allows for meaningful post-election audits.
Rigorous post-election checks could detect fraud because they would be done by hand, ensuring that the human-readable portion of the ballot matched the results captured by scanners. But if the results were tampered with in an uncontrolled competition, it could go undetected.
Associated Press writer Frank Bajak contributed to the coverage.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.
https://www.local10.com/news/politics/2022/06/03/activists-say-cyber-agency-weakens-voting-tech-advisory/ Activists say the cyber agency is weakening technical advice on voting