POLITICO: “Raffensperger’s dismissive reaction to the unsparing audit conducted by security expert Alex Halderman has turned him into an object of intense criticism from cybersecurity specialists, who say he is painting legitimate research with the brush of far-right conspiracy theories — and imperiling the 2024 elections in the process. …
“Raffensperger’s decision not to fix these systems represents “the height of irresponsibility,” Halderman said in an interview. “Even if there’s no actual attack, you better believe that there are people who are going to use the existence of these problems to call into question the results of elections.” …
“Overall, Halderman’s audit uncovered nine vulnerabilities in Dominion’s software, the U.S. government’s Cybersecurity and Infrastructure Security Agency, or CISA, has confirmed. The agency first reviewed the report under seal and then warned publicly about the nine flaws in June of last year.
“But CISA never commented on how easy it would be to actually undermine an election. And that element of Halderman’s work remains a matter of dispute.
“Each of his attacks requires some degree of physical access to election systems to execute. Bad actors would also need a copy of the company’s proprietary software, which the court gave Halderman, to understand how to exploit it.”
Here’s Raffensperger’s letter to the General Assembly on the issue; it includes this:
“The Halderman report was the result of a computer scientist having complete access to the Dominion equipment and software for three months in a laboratory environment. It identified risks that are theoretical and imaginary. Our security measures are real and mitigate all of them. The MITRE report is available on our website for anyone to read and points out that the vulnerabilities described by Halderman as operationally infeasible. Specifically, the MITRE report found “five of six attacks were…non-scalable, impacting a statistically insignificant number of votes on a single device at a time. One attack was technically scalable but also…infeasible due to access controls in place in operational election environments, access required to Dominion election software, and access required to Dominion election hardware.”
“Is it possible for a team of bad actors to break into Georgia’s 2700 voting precincts, install malware that changes election outcomes on 35,000 pieces of equipment, and sneak back out -all the while being undetected and leaving no trace? I’ll put it this way: It’s more likely that I could win the lottery without buying a ticket. If the threat to election security comes down to bad people doing bad things, that threat is addressed with locks and keys and surveillance cameras and physical security measures, and punishment for those who break our laws.”
More from the POLITICO piece:
“The MITRE review “is fantasy,” said Philip Stark, a professor at UC Berkeley who conducts research on election integrity. Last week, Stark organized a group of more than 20 election security experts to send a letter demanding that MITRE retract the study. …
“Raffensperger’s letter also does not address one of Halderman’s biggest concerns: That by altering both the barcode and the text that lists a voter’s choice, hackers could undermine confidence in efforts to verify election results.”
My question, as one who has not studied this debate or Georgia’s voting machines specifically: would a risk-limiting audit, or full statewide recount, address this issue? In other words, even if the initial count of votes is based on a QR code that voters can’t verify, would the subsequent count (in a risk-limiting audit or full statewide recount) be based on the names of the candidates on the printed ballot, which presumably voters could verify (even recognizing in reality that some, even many, voters would not have checked to make sure that the printed ballot produced by the ballot-marking device matches their intended choices)? I ask this question, having read the POLITICO piece and Raffensperger’s letter, simply in an effort to make my own assessment of the issue.