We’ve been covering this story in detail over the past week, as both the national media and California media haven’t covered it at all. But they should. Colorado media finally jumped in, a bit, this week after their Sec. of State on Monday announced that Mesa County Clerk Tina Peters — who appeared on stage several times at Lindell’s forum last week — was behind the theft and copying of two hard drives at the Mesa County Election Division containing Dominion Voting’s Election Management System (EMS) software.
Democratic CO Sec. of State Jenna Griswold’s office, in a news release Monday night, explained how Peters pulled off the heist with two accomplices in the middle of the night back in May, before the software was released into the wild during last week’s symposium. Since then, we have reported on this show about the concerns expressed by voting system and cybersecurity experts like Harri Hursti, who warns that the release of the critical software “lowers the barrier for attack planning and therefore increases the likelihood of future attacks.” That, just after another top expert in the field, University of Michigan’s J. Alex Halderman, filed a 50,000 word report in a long-running federal lawsuit in Georgia, which seeks to ban Dominion’s unverifiable touchscreen voting systems. The report, which he says [PDF] details disturbing, newly discovered vulnerabilities in those systems, which reportedly could allow votes to be changed without detection, has now been sealed by the federal judge due to its sensitivity — even from the plaintiffs and defendants in the case!
Dominion’s vulnerable touchscreens are used in several large jurisdictions in California, even as the recall is now ongoing, including San Diego County, San Francisco and Riverside County. Their EMS software — released to the Internet and downloaded by thousands just last week — is used to tabulate votes, both hand-marked paper ballots and touchscreen votes, in every county where Dominion’s systems are used. The software is used broadly in enough counties here that it could easily effect the computer-tallied results of the Recall election.
Another top expert who is worried about all of this joins us on today’s program to explain why, and what can now be done about this serious security breach. University of California-Berkeley Professor PHILIP STARK is an expert witness in the Georgia case, the inventor of the post-election Risk-Limiting Audit protocol, and currently serves on the Board of Advisors of the U.S. Election Assistance Commission.
He joined Hursti this week in telling me that they were both dubious about vague claims from the CO Sec. of State’s office that the U.S. Cyber Security and Infrastructure Security Agency (CISA) was not particularly concerned about the leak of the Dominion software.
“It is a serious risk,” Stark makes clear today. “The best metaphor I’ve been able to come up with is, if I were trying to break into a bank, how helpful would it be to have blueprints of the bank and the bank vault? How helpful would it be for me to have an actual exact copy of the bank, completely at my disposal, to try different ways of breaking in and so forth? Not even a scale model, but literally the exact same thing, just in a different place. That’s what having a copy of these disks amounts to.”
“To the extent that these systems were not that secure in the first place, this doesn’t make the systems more vulnerable. But it gives a would-be evil-doer lots of help and information to plan an attack, figure out what’s going to work, which then can be conducted later by someone with less technical skill,” Stark warns.
He explains that “these Election Management Systems are used, among other things, to configure the ballot marking devices” as well as “results from the precinct-based scanners” and the high-speed centralized scanners used to tabulate Vote-by-Mail ballots. “The release of the EMS code gives someone a blueprint for how to write malware to infect the ballot marking devices, etc., when they’re configured using these systems.”
We go on to discuss what can and should now be done by California in regards the ongoing Recall election (as well as other jurisdictions, with elections coming up in November, where Dominion systems are used in more than a dozen states) to ensure that results are accurately tabulated and reported, and can be known by the public, after the election, as such. His recommendations include the use of both hand-marked paper ballots and a far more robust post-election audit process than is currently mandated by CA state law.
Moreover, he cites a critical lesson that should be learned from Tina Peters, the Republican County Clerk in Mesa, CO who is alleged to have brought accomplices into the Elections Division in the middle of the night on May 23rd, and turned off the security cameras in order to steal the software and copy it for release into the wild. (She is now under criminal investigation and has been relieved of her duties by CO’s Secretary Griswold.) “This is a very clear reminder that insider threats are real,” observes Stark. “This is a wake-up call. It is very difficult to mitigate insider threats.”