What is the Halderman Report? And Should You Take it Seriously?

Editor’s note: This article appears here in its original form; however, we have received additional information since it was first published. After reading this one, please also see a post by Buzz over here.

A few years ago, Buzz and I met Dr. Alex Halderman, a cyber security expert from the University of Michigan with a focus on elections, at a demonstration at Georgia Tech. At the time I was pushing in the Legislature for Georgia to move toward a paper ballot system and Buzz was running for the GOP nomination for Secretary of State. Dr. Halderman showed us the most chilling thing I could have seen at the time: just how easy it would be to get one of our old Diebold touch screen machines to flip votes.

Back then the prevailing wisdom was that our touch screen machines were completely secure because they were air-gapped. I was mocked by some for wanting to take Georgia back to the days of the hanging chad. But in mere moments Dr. Halderman, using a compromised voter card that opened the operating system of that voting machine on the fly and reprogrammed it, confirmed my worst fears.

In a mock election that day, Buzz and I voted in favor of George Washington. Two others cast ballots for Benedict Arnold. When the machine tallied the votes, it reported that Washington had received just one vote to Arnold’s three. Wait, what? We saw with our own eyes that two of us selected Washington.

To me, I saw the impracticality of trying to steal a statewide election using this method. Hundreds of people would need to be in on it and taking these compromised voter cards into polling places en masse to have a widespread impact, and the likelihood of that is pretty slim. But voter fraud is kinda like feces in a sandwich; how much is enough to make you not want to eat it? How much voter fraud can you tolerate before you decide the election is not legitimate? And further, it was possible, even if difficult to pull off, in spite of the public reassurances that the system was secure. And not every election is settled by thousands of votes; just ask former State Representative Dan Gasaway.

Fast forward to 2019, when Representative Barry Fleming introduced HB 316, the bill that would allow for ballot marking devices (BMD) to generate uniform paper ballots and rely on a QR or barcode to tally the results. I had joined with Rep. Scott Holcomb, a Democrat from Atlanta, to introduce a bipartisan alternative the year before that relied on hand-marked paper ballots. There are some who worry out loud that Democrats have gamed the system over the years using hand-marked paper ballots and that the ballot marking devices provide greater confidence because the intent of the voter isn’t in doubt. The marks are clear when you use a BMD and are not subject to people shading in areas and then erasing, circling choices instead of filling in a bubble, etc.

Cyber security experts have taken the opposite view over the years, many advocating for hand-marked paper ballots because machines can be hacked.

Even back then the cyber security experts were trying to warn us that BMDs would be vulnerable. And after hours and hours of hearing not Republicans, but many left-leaning activists, come to the podium and say that they would never trust the tally of these machines, I started to believe them.

At this point in the story, just know that there are lots of details and posturing and beating of chests, including by me. I will include them in my book if I ever write one, but it involves Risk Limiting Audits, a black rubber bracelet, some misunderstood statements, and meetings that ended minutes after they started.

Ultimately, I was the only Republican in either chamber of the Legislature to vote against the Dominion Voting Machine bill.

I don’t say that to disparage my former colleagues in any way. Because not all of them heard what I heard. Nor did they read what I read, or see what I saw. I made my case to those who listened and when they weighed the facts with circumstances they made the best decision they felt they could at the time. In so many instances in the legislature you are pulled in opposite directions and you are put in no win scenarios. It is like living a constant Kobayashi Maru. Give them grace.

Even though… then 2020 happened. More chapters to my book. I just might call it, “If only someone could have known.”

One of the voices I was listening to back then was Dr. Halderman. He is a widely regarded expert in his field, not some kook who makes false claims. And last week a federal judge unsealed a report he filed with the court back in July of 2021 that shows that BMDs can in fact be hacked. That report has been the fuel of many conspiracy theorist explosions over the past several days, and it reads like a slightly-redacted how-to guide on how to steal an election.

The Secretary of State doesn’t think it is such a big deal at the moment. They point to a dueling report from MITRE, a non-profit, which found that 6 of the attacks listed in the Halderman Report would be found if a risk limiting audit was employed. The 7th and final attack would be spotted in the polling place by just about anyone paying attention. The TL;DR version: the attacks in the Halderman Report are “Operationally Infeasible.”

Is it easy? Nope. Would the perpetrators be easily spotted? Likely. How many people would it take to pull off a vote flipping scheme? Hundreds if not thousands. Would the hacking be discovered if risk limiting audits were performed on a wider scale? 100%. Which is just one reason why Georgia’s next election bill should be a more robust and stringent use of RLAs, but I digress.

But it is possible. And how much feces are you willing to find acceptable in your sandwich?

That said, the vulnerabilities listed in the Halderman Report have been addressed with a software update created by Dominion. Software used in elections must clear certification by the Election Assistance Commission (EAC) prior to rolling out into the field for use by the voter. So criticisms of Secretary Raffensperger for not doing anything about it until now are without merit. But what he does from here on is fair game because the EAC certified Dominion’s software update a couple of months ago.

And it doesn’t appear that Secretary Raffensperger is prepared to move toward installing the update on our machines ahead of the 2024 election, citing the required manpower it would take to get the machine ready in time. And it appears that Dominion is backing them up in this assessment, having issued a statement indicating that the current vulnerabilities can be secured with proper process: “While we are constantly working to offer the latest security features and innovations to our customers, the CISA [Cybersecurity and Infrastructure Security Agency] advisory clearly states that exploitation of any of the issues raised can be mitigated by following standard procedural and operational security processes for administering elections.”

All of them are playing with fire.

We already know that not all elections offices in Georgia treat process as absolute. And it doesn’t take the skill of reading tea leaves or the possession of a crystal ball to see that by knowing there are vulnerabilities, no matter how implausible it might seem to exploit, and not applying a known fix, that they are asking for trouble. Hell, they already have trouble, this is just asking for it to move in permanently.

If I am Dominion, I ain’t waiting back for another storm like 2020. That cannot possibly be good for business. They should be jumping through hoops and doing whatever it takes to get Georgia the manpower needed to update these machines before the 2024 election. And Secretary Raffensperger should absolutely be beating them up until this is done on time.

Remember how I said I was the only Republican to vote against the Dominion Voting machine bill? I didn’t do that because I thought the machines would be hacked. I did that because a good number of people would always think that they could have been hacked, even if the process to do so was overly complicated and implausible. Allowing that belief to fester contributes to the erosion of voter confidence which is an increasingly fraying fabric of our Republic.

When people lose confidence in banks, there is a run on them which causes that bank to collapse and negatively impacts the confidence in all banks. Elections are no different. And voter confidence is a moving target that is going to require that we always adjust our tactics to protect it. We should be doing everything we can to secure elections from every possible threat, especially if we know about them ahead of time, and even if the possibility that they are successful is slim.

7 Replies to “What is the Halderman Report? And Should You Take it Seriously?”

  1. Are you trying to fan up the flames, Scot, that will cause a bunch of GOP voters to sit out the election AGAIN?

    Because, the Dems won’t sit it out…and they will show up in droves while the GOP voters will listen to their Colonel and “boycott” the elections….and then bitch and pout for years afterwards talking about how “My vote isn’t secure, there’s no point in voting.”

    My goodness…hey, you know, planes fall out of the sky sometimes, yet people still hop on planes to fly places. NOTHING is ever guaranteed in this world, especially perfect voting systems.

    1. You asked, “Are you trying to fan up the flames, Scot, that will cause a bunch of GOP voters to sit out the election AGAIN?”

      Me: Clearly not. But I also know that they will inevitably point to this as the reason they didn’t get the result they wanted. There are simple things we can do to tamp down on unfounded claims, and keeping software up to date seems like a pretty low bar to clear.

      And pointing out how to avoid the plane falling out of the sky in the first place and then putting the blame on me is clear cut gaslighting. Restoring voter confidence is going to be one of my lifelong goals from now until I die. I don’t think the last election was stolen, and I think the stuff in the Halderman Report is implausible, but why leave that hanging around as a possible narrative for next time?

      1. Feel free to check other sources, but:

        “Gaslighting is a form of psychological abuse in which a person or group causes someone to question their own sanity, memories, or perception of reality. People who experience gaslighting may feel confused, anxious, or as though they cannot trust themselves.” https://www.medicalnewstoday.com/articles/gaslighting

        Did I really cause you to “…question their own sanity, memories, or perception of reality?”

          1. Scot, your first claim was that I gaslighted you based on the airplane analogy I employed: “And pointing out how to avoid the plane falling out of the sky in the first place and then putting the blame on me is clear cut gaslighting”

            There isn’t an “outcome” yet, sooo…again, the term does not apply.

  2. Well written and well said Scot. While I agree with you that Dominion should be doing everything in their power to try and make their voting machines secure, I doubt they will do much. After winning their lawsuit against Fox I would guess that they will hold that verdict up as a sign of their infallibility.

    But I agree with you that people need to find trust in the process again, regardless of political affiliation. There’s been too much damage done in just the last two cycles, too many people crying foul. And sadly it looks to continue for some time. I wish you luck in your endeavors.
