General Discussion

Here is the other letter sent to Harris about election cybersecurity threats sent by cybersecurity experts..

(I removed the citations and footnotes for clarity, but all verification of claims can be found in the original document here: https://freespeechforpeople.org/wp-content/uploads/2024/11/letter-to-vp-harris-111324.pdf)


The Honorable Kamala Harris
The White House
Office of the Vice President
1600 Pennsylvania Avenue, N.W.
Washington, DC 20500

Dear Vice President Harris,

We write to alert you to serious election security breaches that have
threatened the security and integrity of the 2024 elections, and to identify ways to
ensure that the will of the voters is reflected and that voters should have confidence
in the result. The most effective manner of doing so is through targeted recounts
requested by the candidate. In the light of the breaches we ask that you formally
request hand recounts in at least the states of Michigan, Nevada, Wisconsin, and
Pennsylvania. We have no evidence that the outcomes of the elections in those
states were actually compromised as a result of the security breaches, and we are
not suggesting that they were. But binding risk-limiting audits (RLAs) or hand
recounts should be routine for all elections, especially when the stakes are high and
the results are close. We believe that, under the current circumstances when
massive software breaches are known and documented, recounts are necessary and
appropriate to remove all potential doubt and to set an example for security best
practices in all elections.

In 2022, records, video camera footage, and deposition testimony produced
in a civil case in Georgia disclosed that its voting system, used statewide, had
been breached over multiple days by operatives hired by attorneys for Donald
Trump. The evidence showed that the operatives made copies of the software
that runs all of the equipment in Georgia, and certain other states, and shared it
with other Trump allies and operatives.

Subsequent court filings and public records requests revealed that the
breaches in Georgia were part of a larger effort to take copies of voting system
software from systems in Michigan, Pennsylvania, Colorado and Arizona, and
to share the software in the operatives’ network. According to testimony and
declarations by some of the technicians who have obtained copies of the
software, they have had access for more than three years to the software for the
central servers, tabulators, and highly restricted election databases of both Election Systems & Software (ES&S), and Dominion Voting Systems, the two largest
voting system vendors, constituting the most severe election security breach
publicly known.

Combined, their equipment counts nearly 70% of all votes nationwide.
Ninety-six percent of Arizona voters use Dominion and ES&S equipment; 100% of
Georgia voters vote on Dominion machines; 98% of Nevada votes on Dominion
voting machines and the remainder uses ES&S; 69% of Michigan voters’ ballots
are counted on Dominion or ES&S equipment; 89% of Pennsylvania voters ballots are counted on Dominion or ES&S equipment; ES&S counts 92% of North
Carolina ballots; and either ES&S or Dominion counts 97% of Wisconsin votes.

Possessing copies of the voting system software enables bad actors to install
it on electronic devices and to create their own working replicas of the voting
systems, probe them, and develop exploits. Skilled adversaries can decompile the
software to get a version of the source code, study it for vulnerabilities, and could
even develop malware designed to be installed with minimal physical access to the voting equipment by unskilled accomplices to manipulate the vote counts. Attacks could also be launched by compromising the vendors responsible for programming systems before elections, enabling large scale distribution of malware.

In December 2022 and again in 2023, many of us, concerned by the
security risks posed by these breaches, wrote to the Attorney General, FBI
Director, and Cybersecurity and Infrastructure Security Agency (CISA) Director outlining the security concerns and urging an investigation. Though there have
been limited, localized investigations,14 there is no evidence of a federal
investigation to determine what was done with the misappropriated voting
software.

Other relevant parties have pointed to the serious risks posed by the
misappropriation of the voting software. Before it was known that partisan
operatives had taken the software, Dominion Voting Systems objected vehemently to providing its software to the same partisan actors who ultimately got copies through voting system breaches, stating that to give its software to biased actors would cause “irreparable damage” to the “election security interests of the
country.”

Before the breaches in Georgia had been confirmed, the Georgia Secretary
of State’s chief information officer testified that having copies of the software
would provide a “road map” to the ways the system could be accessed. The
Georgia Attorney General opposed providing copies of the software to lawyers for the Trump campaign in a late 2020 election challenge, arguing that images of the voting system software would provide “the keys to the software kingdom.”

Notably, U.S. elections are potentially resilient because there are paper
ballots recording the voters’ intent in most states, meaning that even if the voting
system is at risk, the will of the voters can be determined reliably by recounting the
paper ballots by hand (although we are aware that not all paper ballots are verified
by the voter, and not all states take adequate care to protect the ballot chain of
custody.)

Audits will be conducted in some of the most scrutinized states, but in key
states they will not be conducted in a timely way that could reveal any concerns
with the vote count. In addition, in most states the audits are insufficiently rigorous
to ensure any potential errors in tabulation will be caught and corrected, and they
cannot be considered a safeguard against the security breaches that have occurred.
Specifically, Georgia’s audits are non-binding, and Michigan, Nevada and
Wisconsin laws do not provide that the audit be conducted before certification.
Therefore, it would be impossible to know for these critical states if the audits
uncovered errors or miscalculations before the state deadlines to seek recounts.

Among swing states, only Arizona’s audit laws ensure that, if enough
discrepancies are identified, the audit hand count will be expanded to correct a
potentially incorrect result. In other words, aside from Arizona, in contested states,
there is no legal mechanism for the audit to correct the outcome, no matter how
much error the audit uncovers. Given these facts, the only guarantee for rigorous,
effective audits of the vote in the swing states will be through candidate-requested
statewide hand recounts.
(emphasis mine)

The facts around the voting system breaches are not disputed; it is well-
documented that there were severe, multiple voting security breaches before the 2024 election. To ensure that voters can have confidence that the breaches in
security did not taint the results of the 2024 election, we recommend pursuing hand
recounts in, at minimum, Michigan, Nevada, Wisconsin and Pennsylvania as they
will provide insufficient safeguards against threats posed by the breaches of the
election software and will not provide important information in a timely way.

Thank you for your time and consideration of this important matter.

Sincerely,

Duncan Buell Ph.D.
Chair Emeritus — NCR Chair in Computer Science and Engineering
Dept. of Computer Science and Engineering
University of South Carolina*
David Jefferson Ph.D.
Lawrence Livermore National Laboratory* (retired)
Election Integrity Foundation*
Susan Greenhalgh
Senior Advisor for Election Security
Free Speech For People
Chris Klaus
Founder
Internet Security System*
William John Malik
Malik Consulting, LLC*
Peter G. Neumann Ph.D.
Chief Scientist,
SRI International Computer Science Lab*
John E. Savage
An Wang Professor Emeritus of Computer Science
Brown University*
*Affiliations are listed for identification purposes only and do not imply
institutional endorsement.