Experts warn of dangers from breach of voter system software
ATLANTA -- Republican efforts questioning the outcome of the 2020 presidential race have led to voting system breaches that election security experts say pose a heightened risk to future elections.
Copies of the Dominion Voting Systems software used to manage elections — from designing ballots to configuring voting machines and tallying results — were distributed at an event this month in South Dakota organized by MyPillow CEO Mike Lindell, an ally of former President Donald Trump who has made unsubstantiated claims about last year's election.
“It’s a game-changer in that the environment we have talked about existing now is a reality,” said Matt Masterson, a former top election security official in the Trump administration. “We told election officials, essentially, that you should assume this information is already out there. Now we know it is, and we don’t know what they are going to do with it.”
The software copies came from voting equipment in Mesa County, Colorado, and Antrim County, Michigan, where Trump allies had sued unsuccessfully challenging the results from last fall.
The Dominion software is used in some 30 states, including counties in California, Georgia and Michigan.
Election security pioneer Harri Hursti was at the South Dakota event and said he and other researchers in attendance were provided three separate copies of election management systems that run on the Dominion software. The data indicated they were from Antrim and Mesa counties. While it's not clear how the copies came to be released at the event, they were posted online and made available for public download.
The release gives hackers a “practice environment” to probe for vulnerabilities they could exploit and a road map to avoid defenses, Hursti said. All the hackers would need is physical access to the systems because they are not supposed to be connected to the internet.
“The door is now wide open,” Hursti said. “The only question is, how do you sneak in the door?”
A Dominion representative declined comment, citing an investigation.
U.S. election technology is dominated by just three vendors comprising 90% of the market, meaning election officials cannot easily swap out their existing technology. Release of the software copies essentially provides a blueprint for those trying to interfere with how elections are run. They could sabotage the system, alter the ballot design or even try to change results, said election technology expert Kevin Skoglund.
“This disclosure increases both the likelihood that something happens and the impact of what would happen if it does,” he said.
The effort by Republicans to examine voting equipment began soon after the November presidential election as Trump challenged the results and blamed his loss on widespread fraud, even though there has been no evidence of it.
Judges appointed by both Democrats and Republicans, election officials of both parties and Trump’s own attorney general have dismissed the claims. A coalition of federal and state election officials called the 2020 election the “most secure” in U.S. history, and post-election audits across the country found no significant anomalies.
In Antrim County, a judge had allowed a forensic exam of voting equipment after a brief mix-up of election results led to a suit alleging fraud. It was dismissed in May. Hursti said the date on the software release matches the date of the forensic exam.
Calls seeking information from Antrim County's clerk and the local prosecutor's office were not immediately returned; a call to the judge's office was referred to the county clerk. The Michigan secretary of state's office declined comment.
In Colorado, federal, state and local authorities are investigating whether Mesa County elections staff might have provided unauthorized individuals access to their systems. The county elections clerk, Tina Peters, appeared onstage with Lindell in South Dakota and told the crowd her office was being targeted by Democrats in the state.
Colorado Secretary of State Jena Griswold said she alerted federal election security officials of the breach and was told it was not viewed as a “significant heightening of the election risk landscape at this point.” This past week, Mesa County commissioners voted to replace voting equipment that Griswold had ordered could no longer be used.
Geoff Hale, who leads the election security effort at the U.S. Cybersecurity and Infrastructure Security Agency, said his agency has always operated on the assumption that system vulnerabilities are known by malicious actors. Election officials are focused instead on ways they can reduce risk, such as using ballots with a paper record that can be verified by the voter and rigorous post-election audits, Hale said.
He said having Dominion's software exposed publicly doesn't change the agency's guidance.
Security researcher Jack Cable said he assumes U.S. adversaries already had access to the software. He said he is more concerned the release would fan distrust among the growing number of people not inclined to believe in the security of U.S. elections.
“It is a concern that people, in the pursuit of trying to show the system is insecure, are actually making it more insecure,” said Cable, who recently joined a cybersecurity firm run by former CISA Director Christopher Krebs and former Facebook security chief Alex Stamos.
Concerns over access to voting machines and software first surfaced this year in Arizona, where the Republican-controlled state Senate hired Cyber Ninjas, a firm with no previous election experience, to audit the Maricopa County election. The firm's chief executive also had tweeted support of conspiracy theories surrounding last year's election.
After the county's Dominion voting systems were turned over to the firm, Arizona’s top election official said they could not be used again. The GOP-controlled Maricopa County Board of Supervisors voted in July to replace them.
Dominion has filed suits contesting various unfounded claims about its systems. In May, it called giving Cyber Ninjas access to its code “reckless,” given the firm’s bias, and said it would cause “irreparable damage” to election security.
Election technology and security expert Ryan Macias, in Arizona earlier this year to observe that review, was alarmed by a lack of cybersecurity protocols. There was no information about who was given access, whether those people had passed background checks or were asked to sign nondisclosure agreements.
Cyber Ninjas did not respond to an email with questions about the review and their security protocols.
Macias was not surprised to hear that copies of Antrim County’s election management system had surfaced online given the questionable motives of the various groups conducting the reviews and the central role that voting systems have played in conspiracy theories.
“This is what I anticipated would happen, and I anticipate it will happen yet again coming out of Arizona,” Macias said. “These actors have no liability and no rules of engagement.”