Surely, the “greatest democracy in the world” should not leave any room for doubt about the integrity of its elections. Yet presidential elections in the U.S. are now reflexively met with conspiracy theories, and the past two have been mired with allegations of rigging. And three weeks after the new president was inaugurated, and as far as the public knows, swing states have still not conducted the post-election audits recommended by the Cybersecurity & Infrastructure Security Agency (CISA).
The issue is not that the 2024 election results show signs of being rigged, or illegitimate in any way. The issue is that some cybersecurity experts believe interference in the electronic voting system would be possible without detection—unless a simple audit is completed. It’s not an unreasonable ask: Such audits were conducted after the contested 2020 election and, after 2024, both North Carolina and Wisconsin launched them, though the results are not public.
We asked Canva AI to come up with an image for "computer experts do heist." This group of experts has no part in a duty to warn letter sent to Kamala Harris and later debunked by Snopes. That first letter fueled conspiracy theories surrounding the 2024 election results. This November 13th letter, by contrast, explicitly states there is no evidence of fraud; the issue is that “massive software breaches are known and documented,” the experts argue. That is why the group insists “recounts are necessary and appropriate.” Unless the electronic vote is cross checked with paper ballots, it would be easy for an attack to go undetected, Duncan Buell Ph.D. told Drop Site News. “If they were to insert a hack, they would also insert the code that would delete the hack on the way out the door and we would never, ever see it.” he said. Buell, an author on the letter and Chair Emeritus in Computer Science and Engineering at the University of South Carolina, continued: “I'm thinking of, you know, nation state actors, the Koreans, possibly even a couple of Russian companies that do this kind of thing.” The letter builds off the recommendation by CISA to conduct post-election audits of physical ballots. On June 3, 2022, CISA released an advisory detailing Dominion’s security vulnerabilities and what election officials can do to “reduce the risk of exploitation of these vulnerabilities.” The advisory concludes with the following recommendation: Specifically, for each election, election officials should… Conduct rigorous post-election tabulation audits of the human-readable portions of physical ballots and paper records, to include reviewing ballot chain of custody and conducting voter/ballot reconciliation procedures. These activities are especially crucial to detect attacks where the listed vulnerabilities are exploited such that a barcode is manipulated to be tabulated inconsistently with the human-readable portion of the paper ballot. Cait Conley, a senior advisor at CISA, told Drop Site that "CISA releases dozens of advisories each year regarding software vulnerabilities in all kinds of products. We have no evidence that these vulnerabilities have been exploited and no evidence that they have affected election results in any election, including 2022 or 2024. We develop security guidance for election systems and these recommendations and practices include physical security measures, proper chain of custody, rigorous post-election audits, and pre-and-post-election validation procedures. These measures help identify vulnerabilities in voter registration and election processes that mitigate the associated risks in both the physical and cyber space." The relationship between CISA and election administrators varies across states. In Georgia, Chief Operating Officer at the Secretary of State office, Gabriel Sterling, spoke to this in his Curling v. Raffensperger testimony. Q: Do you or do you not — as the most senior official here in the Secretary’s office, do you or do you not rely on CISA to any degree to help you determine appropriate cybersecurity protocols as one of the key factors you identified in election security? Sterling: Do we rely on them? Rely implies that whatever they say you do. We do not rely on them that way. They inform our decision-making by their own suggestions and basic information of cybersecurity for systems across the country, which vary greatly. Following the 2020 election, Trump and his lawyers began a rogue probe into whether there had been voter fraud in Georgia and Michigan. To be clear, cyber security experts, including some of the authors on the November 13th letter, see the 2020 election as the most secure election we have had. The 2020 “Big Lie” conspiracies actually led to widespread post-election audits, which confirmed the accuracy of the election outcome. But, on January 7, 2021—two months after Trump’s loss and the day after the storming of the Capitol on January 6—Trump operatives gained access to Dominion Voting Systems software in a move that has since been scrutinized by Georgia prosecutor Fani Willis. Sidney Powell, one of Trump’s attorneys who was indicted alongside the former and current president, hired a team of data experts to copy voting system software in Georgia. Court records of emails between Powell and the firm, Sullivan Strickler, show they were hired to collect what they could from “Election/Voting machines and systems.” Video surveillance captured the team at the Coffee County Elections Office. Sullivan Strickler reported their work was successful, and everyone was helpful. Court documents show Sullivan Strickler then shared copies of EMS servers, Tabulation Systems, a “Dominion supplied laptop,” ballot images, and more. (More details are further down in the piece for people who want the extremely detailed backstory here.) “The threat posed by the theft of voting system software is a serious one, yet it has been conspicuously under-acknowledged by both parties,” Marilyn Marks explained to Drop Site. The lack of action has “left voters in the dark about the shocking vulnerabilities in the system, left wide-open for exploitation.” Marks spearheaded the Curling v. Kemp lawsuits against Georgia’s election officials to remove unreliable touch screen voting systems, and is the Executive Director of Coalition for Good Governance, a non-partisan non-profit dedicated to evidence-based elections and government transparency. “We know the entire system was taken. I won't use the word stolen. That's a little litigious, but taken from Coffee County by supporters of the losing candidate in 2020. And everything was put up on the web and they don’t even really know who downloaded it,” Buell said. “My concern with both the ES&S and Dominion leaks is that the bad actors that we have to assume have access to this code are probably pretty good.” The team of experts, which also includes David Jefferson Ph.D., Lawrence Livermore National Laboratory, Election Integrity Foundation; Susan Greenhalgh, Senior Advisor for Election Security at Free Speech For People; Chris Klaus, Chief Executive Officer of Fusen World; William John Malik, Malik Consulting, LLC; Peter G. Neumann Ph.D., Chief Scientist, SRI International Computer Science Lab; and Professor John E. Savage, Ph.D, An Wang Professor Emeritus of Computer Science, Brown University, calls on Kamala Harris to initiate a hand recount of physical ballots in Michigan, Nevada, Wisconsin, and Pennsylvania. Marks told Drop Site the goal of the recount is “to ensure the outcome accurately reflects the will of the people.” The copied software from Georgia is not only still being used -- it is the same software voting systems rely on across the country. Dominion systems are used in Arizona, Michigan, Georgia, Wisconsin, Pennsylvania, and Nevada. While there is no evidence the ES&S software was copied or manipulated, there is evidence voting tabulators manufactured by ES&S were accessed by unauthorized personnel. It is unknown what, if any, security updates have been made to voting systems since the breaches. Drop Site reached out to both ES&S and Dominion for comment. ES&S did not answer whether the software in Michigan is identical across other states relying on ES&S voting systems. Dominion did not respond. In fact, the majority of ballots cast in the U.S. are counted by Dominion and ES&S machines. These figures were outlined in the letter by Free Speech for People to Harris, and are the result of Verified Voting’s regular election data analysis. On September 30, 2024, cybersecurity expert Clay Parikh went through a step-by-step demonstration on how to obtain and decrypt Dominion voting systems’ passwords during court testimony in the DeKalb GOP v Raffensperger case. Parikh revealed that Dominion has a hard-coded administrator password that is the same on every Dominion system he has looked at, and has not been changed since at least 2010. When asked what could be done with an admin password, Parikh replied “You could basically do anything you wanted to.” Marilyn Marks points out that “Democrats have been reluctant to draw attention to the issue, fearing it might suppress voter turnout.” On the other side of the aisle, “Republicans have avoided addressing the troubling reality that senior allies of Trump authorized access to and distribution of this software in 2021 as part of a coordinated effort leading up to the 2024 election.” Drop Site reached out to Secretaries of State offices for comment on whether the steps to mitigate identified security vulnerabilities outlined by CISA in 2022 were addressed prior to voting in the 2024 election, and whether or not the recommended audit of physical ballots recommended by CISA is underway. They have yet to hear back from officials in Michigan, Pennsylvania, Arizona, Georgia, and Nevada. Even in Wisconsin, where state law requires the completion of a post-election audit of all voting systems, the results have not been published. The city of Kenosha put out a press release that simply reports their audit was complete as of November 25, 2024, and no discrepancies have been found. It finishes with a link labeled “Information about audits generally can be found here” which renders a 404 error. The North Carolina State Board of elections responded with the following link, saying, “our canvass documents, including the post-election audit reports, are available here.” However, the page is not publicly accessible. Clicking on the link brings up a window prompting a login. When asked about how the potential ES&S software was accessed during the breach, and if any related security vulnerabilities had been addressed prior to early voting in 2024, NCSBE told Drop Site: “We are looking into this and will get back to you.” That’s the story if you have time. But we have more details—including the tick-tock of how the Trump team acquired copies of Dominion software—below.
