Georgia’s Voting System, the Internet, and the Meaning of “Is”
Georgia officials have learned the art of defining “is” and “machine” to obscure damning and alarming truths about the state’s unreliable voting system. Assuring voters with the dubious claim that the voting system “is not connected to the internet,” officials seek to calm rational fears of election manipulation. However, the facts are unsettling.
Secretary of State Brian Kemp and other Georgia officials routinely defend the state’s outdated, poorly secured, and un-auditable voting system by claiming that the “voting machine is not connected to the Internet.” On June 6, Merle King, Executive Director of Georgia’s Center for Election Systems, stated in his sworn affidavit that “Georgia’s voting machines are never connected to the Internet.” On June 7, in sworn testimony in the Curling v. Kemp lawsuit, King misled the court, stating that the “official results would never be on a machine connected to the Internet.” He was testifying to attempt to convince the court that the system is protected from malware or cyberattacks.
In the most hyper-literal sense, the touchscreen voting machine itself “is” not directly hooked to the Internet, nor “is” the tabulation computer that contains the official data and results. However, the important and alarming fact is that both the voting machines and the tabulation computer are dangerously exposed to wide-ranging Internet-borne malware by being indirectly connected to the Internet.
The results you see on election night are fed to the web application from an online county computer uploaded with a flash drive containing the results from the tabulation computer. The danger comes with each iteration of interim results uploads when the same flash drive is repeatedly shared between the tabulation computer and the Internet- connected computer. Malware from the Internet can rapidly infect the tabulation database and create false results. (Think of it as “sharing needles.”)
Voting machine memory cards are uploaded to the tabulation computer, permitting them to be infected, or to infect the tabulation computer. Additionally, the voting machine memory cards can be exposed to malware when they are utilized in the electronic transmission of unofficial election night results. The malware on the voting machine’s memory cards will be ready and waiting for the next election.
In summary, the memory cards and the tabulation computer have exposure to the Internet. Infected memory cards can infect the rest of the system.
In March, a “hacker/researcher” infiltrated Georgia’s election system through a website vulnerability and exported several million voter records. It is unknown how much of Georgia’s election system was exposed to the community of bad actors in the cyber-underworld. The system feeds the electronic pollbooks which are also connected to the Internet. In turn, the pollbooks activate voter access cards in the polling place.
Georgia officials attempt to discount fears of cyberattacks by pretending that malware can only be delivered in a direct live Internet connection to the voting machines. “The voting machine is not connected to the Internet,” they say. Depends on what your definition of “is” is. The claim is false except in the most hyper-literal way. Exposure to malicious cyber-attacks through the Internet is all too easy in Georgia’s current configuration of indirect Internet connections to the state’s voting system with its lax security practices. There are numerous electronic pathways open for bad actors to use as welcome mats into the control room of Georgia’s elections.
Until such time that the state protects the voters by requiring paper ballots, voters should use absentee paper ballots, which at least leave an auditable trail of the voters’ choices and can be recounted.