An effort by supporters of former president Donald Trump to copy sensitive voting software in multiple states after the 2020 election deserves attention from the federal government, including a criminal investigation and assessment of the risk posed to election security, according to election-security advocates.
Evidence of the multistate effort was unearthed by plaintiffs in a long-running lawsuit over the security of Georgia’s voting system. They found that as Trump falsely blamed his 2020 defeat on hacked voting machines, sympathetic officials in rural Coffee County, Ga., allowed computer-forensics experts, paid by a nonprofit run by Trump-allied attorney Sidney Powell, to copy voting software in January 2021. That software was then uploaded to a website, from where it was downloaded by election deniers across the country.
“Because these events were revealed in a private lawsuit rather than through a law enforcement investigation, the significance and consequences may not have registered with the relevant federal agencies,” reads the letter. Several of its 15 signatories have served as experts for the plaintiffs in the case.
Records show that some of the people involved in copying software in Coffee were also involved in copying and circulating voting software in Michigan and Colorado.
Prosecutors in Georgia and other states are investigating efforts to access and copy voting software. But the letter argues that there are still many unanswered questions about the “coordinated, multi-state plan” organized and paid for by Trump allies.
A Justice Department spokeswoman declined to comment.
The advocates’ letter also asks the U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of Homeland Security, to assess risks to election security “posed by the unauthorized distribution of voting system software to individuals who have already spread misinformation and may attempt to disrupt elections.”
CISA did not respond to a request for comment. In October, the agency and the FBI said in a public service announcement that, “Given the extensive safeguards in place and distributed nature of election infrastructure, the FBI and CISA continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected.”
Dominion Voting Systems, which makes the software that was copied in Coffee County and some other jurisdictions, said in a statement to The Washington Post that since the 2020 election, there has been no credible evidence that its machines did anything other than count votes accurately.
The office of Georgia Secretary of State Brad Raffensperger (R) said Monday that Georgia’s elections are secure. “All of the actual evidence, from logic and accuracy testing to post-election risk-limiting audits to voter verifiable paper ballots shows that Georgia election results accurately reflect the will of the people of Georgia,” the office said in a statement. “It’s nothing but conspiracy theories and election denialism to say otherwise.”
The Georgia Bureau of Investigation announced in August that it had opened an investigation of the software copying in Coffee County. William Duffey, the chairman of the Georgia State Board of Elections, said at a public meeting in September that he had referred the matter to the FBI as well.
Citing bureau policy, a spokesperson for the FBI’s Atlanta field office last week declined to say whether it is investigating.
The Justice Department sent a grand jury subpoena to Raffensperger seeking communications with the Trump campaign and Trump-allied attorneys including Powell, The Post reported Monday. That does not mean that prosecutors are investigating attempts to access machines; they have been investigating a range of post-election activities by Trump and his allies.
Coffee County officials told The Post last week that the county had not recently received any federal subpoenas.
Voters in Georgia make their choices on touch-screen “ballot-marking devices,” which then print a ballot with a QR code that is scanned and tabulated, a system that Georgia officials say is secure and accurate. The plaintiffs in the long-running federal lawsuit argue that Georgia must instead adopt hand-marked paper ballots that are then scanned and tallied by machine, which they say would be more secure.
The plaintiffs, voters and the nonprofit watchdog Coalition for Good Governance initially filed the lawsuit in 2017, long before the rise of the Trump-fueled “stop the steal” movement in 2020. In October 2020, the federal judge overseeing the case expressed serious concerns about security vulnerabilities in Georgia’s voting system but declined to order the state to stop using it.
J. Alex Halderman, a University of Michigan computer science professor and expert for the plaintiffs, was granted access to the type of ballot-marking device and scanner used in Georgia. He identified an array of alleged security vulnerabilities that were detailed in a report filed to the court under seal in summer 2021.
The court permitted Halderman’s research to be shared with CISA, which then conducted a review that culminated in a warning it issued to local and state election officials in June. The warning identified nine technical issues that together, CISA said, could allow a hacker to gain elevated user privileges, install malicious code, disguise that code and spread it to other election devices.
CISA said that to exploit many of the flaws, a would-be hacker would have to gain physical access to machines. State and local election officials have long said that machines are protected by layers of security protocols that would make it difficult for a hacker to get that kind of access.
In Coffee County, a local election supervisor allegedly allowed forensics experts from the Atlanta-based firm SullivanStrickler to spend hours inside her office on Jan. 7, 2021, as they copied virtually every component of the county voting system, The Post has previously reported.
“Anyone with physical access would have numerous ways to install malicious software, including by simply running it from a USB stick,” Halderman wrote last month in a supplemental report obtained by The Post.
Halderman examined the software and data that SullivanStrickler copied from Coffee. That team’s access to election equipment was “far more extensive” than the access he had been afforded as the plaintiffs’ expert, he wrote.
Ten election security officials interviewed by The Post in recent weeks all agreed that the data taken from Coffee could help hackers plan an attack against voting systems. But they had a range of views on the likelihood that a hacker could successfully introduce malware to a machine during a time frame that would affect voting and on whether such a breach could go undetected.
While prominent experts affiliated with the plaintiffs say Halderman’s research shows voting systems could be manipulated, others — including state and federal officials — are skeptical. They note that since 2017, when voting systems were designated critical infrastructure, election officials have been encouraged to behave as if election software was already in the hands of would-be hackers — and to set up redundancies that protect against attacks.
Messages from the encrypted Signal messaging app reviewed by The Post show that SullivanStrickler discussed plans to access the county’s systems with a team in Washington that featured a woman named Katherine who wrote that she had just returned to D.C. with “the Mayor.”
“[W]e were just granted access -by written invitation! — to the Coffee County Systens. Yay!,” the woman told one of the firm’s experts on Jan. 1, 2021, according to a message the expert shared with colleagues on Signal. Because the message was forwarded in Signal, it does not show the phone number or email address used by “Katherine.”
Around that time, the Republican lawyer Katherine Friess was in the capital working to overturn the election with former New York City mayor Rudy Giuliani. Friess had previously accompanied employees from SullivanStrickler to northern Michigan for court-authorized copying of Dominion software.
Neither Friess nor a lawyer for Giuliani responded to requests for comment.
A lawyer for SullivanStrickler did not directly respond to questions about Friess and the message referring to an official invitation. “Rudy Giuliani had no interactions with SullivanStrickler,” the lawyer wrote in an email.