More than 20 IT security experts have written an open letter calling on the CEO of MITRE Corporation to retract a recently published security report on Dominion Voting Systems’ voting machines. The report, commissioned by Dominion Voting Systems, is said to be full of errors and relates to a court case in Georgia. The case revolves around whether the voting machines violate the Fourteenth Amendment to the US Constitution. The plaintiffs argue that the machines violated individuals’ rights because they did not generate paper logs or allow for independent verification of votes, as well as having known IT security gaps.
The open letter has been shared on Twitter by Professor J. Alex Halderman, one of the signatories. The signatories include renowned computer science professors, IT security researchers, and experts such as Bruce Schneier. Halderman’s contribution to the court case identified serious security gaps in the voting machines, which were confirmed by the US Cybersecurity and Infrastructure Security Agency (CISA). Dominion has released a firmware update to fix some of the bugs.
The signatories of the open letter argue that the MITRE Corporation report is incorrect. Unlike Halderman and his co-author, MITRE did not have access to Dominion’s voting machines or conduct any security tests. Instead, MITRE attempted to assess the risk of potential attacks described by Halderman without essential information sources. The signatories claim that MITRE’s analysis uses flawed justifications and understates the risk of abuse. MITRE’s assumption that perfect implementation of procedural defense mechanisms would make the system immune to attacks is criticized as inappropriate for assessing real risk.
The MITRE analysis is also criticized for being based on a false assumption. The authors assume strict and effective control over Dominion’s election hardware and software, which is considered unrealistic due to instances where the software has been stolen and machines have been inappropriately accessed. The bugs discovered in Georgia could provide malicious actors with enough information to develop and test exploits, potentially exploiting other vulnerabilities as well.
The signatories argue that MITRE’s analysis is not only wrong but also dangerous. It could mislead states like Georgia into delaying the installation of software updates and other safeguards. The Georgia Secretary of State announced that Dominion security updates would not be installed until after the 2024 presidential election, likely based on MITRE’s risk assessment. This delay could give malicious adversaries around 18 months to prepare exploits for future elections. Other states using Dominion equipment would also have to decide whether to correct the errors or consider their exploitation “operationally unfeasible” based on MITRE’s advice.
The open letter demands that MITRE withdraw the analysis immediately to prevent the exploitation of known vulnerabilities in future elections.