The nation’s leading cybersecurity agency has released a final version of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes
put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems' ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency"has no evidence that these vulnerabilities have been exploited in any elections.
A version of the advisory sent to election officials last week said, “When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot." To reduce that risk, the advisory suggested that jurisdictions configure the machines, where possible, to"produce traditional, full-face ballots, rather than summary ballots with QR codes.
Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes. A CISA spokesman said the change was not based on complaints from any party and said that when the agency is alerted to potential vulnerabilities, it's common to update an advisory as it works with researchers, vendors and other partners to provide information on mitigation measures.