Posted on November 17, 2023 Election Protection Share: On Friday, November 10, U.S. District Judge Amy Totenberg denied the Georgia Secretary of States’ motion for summary judgment in Curling v. Raffensperger and set a trial for January 9, 2024. The lawsuit was filed in 2017 by individual voters and the Coalition for Good Governance against the Secretary of State and State Election Board alleging that the state’s electronic ballot marking devices cannot be counted on to reliably record voters, endangering the constitutional right to vote. It does not allege any election was incorrectly decided. Notably, large portions of the 135-page order were focused on cataloging repeated instances by the Georgia Secretary of State whereby he dismissed, ignored or disregarded serious election issues. The order recounted how, in 2019, an outside security expert discovered that Georgia’s election servers were exposed to the internet, allowing anyone access to sensitive data. The court order also described how the Secretary’s office improperly destroyed the servers and any evidence on them, noting that the court found the Secretary’s explanation “not credible.” The order also recounted the Georgia Secretary of State’s response to the Coffee County voting system breach which was uncovered by the plaintiffs in Curling and included in the Fulton County racketeering indictment. The order details investigations that were ongoing in Coffee County at the time of the breach, suggesting that the Secretary’s investigators might have discovered the breach in early 2021, a year and a half before the civil litigants. Free Speech For People’s senior advisor for election security, Susan Greenhalgh, serves as a consulting expert to the Coalition for Good Governance plaintiffs in the suit. Some noteworthy remarks from the court order are listed here: The Court reviews the State’s response to the Coffee County voting system software breach. In section IV (B)(4), the court reviews in detail the Coffee County voting system breach, suggesting skepticism that the Secretary’s office claims it did not become aware of the breach until February 2022, even though its investigators were actively investigating related incidents in Coffee County more than a year before. Page 61. The court lists the related incidents: “the Secretary of State’s investigations into Hampton’s December 2020 posting of a YouTube video about manipulation of Dominion software; the State’s investigation into Coffee County’s handling of the 2020 presidential election recount; and the Secretary of State’s communications with the new replacement Coffee County Elections Supervisor about EMS server passwords no longer working and the related discovery of a business card for Doug Logan’s Cyber Ninjas on the base of Misty Hampton’s computer.” The court remarks that, because of an ongoing investigation, one of the Secretary of State’s investigators visited the Coffee County election office the same day that Jeffrey Lenberg, (an unindicted co-conspirator to the Coffee County breach), was present when the investigator entered the office. Page 63. The court order notes that the Secretary of State’s office issued an investigation summary that “does not reference any events of the Coffee County breach that began on January 7, 2021 — or system irregularities that might have been suggested by the evidence collected during the investigations.” The court found it noteworthy that the election supervisor for Coffee County that took office after the breach, James Barnes, found that he was unable to access the election management server because the password had been changed without any record, and that Doug Logan of Cyber Ninja’s business card was found at the base of the former election supervisor’s computer. Barnes told the Secretary’s office that “part of my concern was that, you know, potentially somebody had done something to that server.” Page 63, 64. The court recounts that an official from the Secretary’s office told Barnes that the information would be passed on to the investigations unit. The Secretary’s office replaced the server but no other follow up occurred. Page 65. In February 2022, the State Defendants are provided a recording of a phone call with Scott Hall boasting about the breach, but the court recounts, “Despite this knowledge, the State Defendants continued to deny that there was any cause for concern. For example, in a Discovery Statement that was submitted to the Court on April 6, 2022, the State Defendants represented that, “State Defendants are investigating several issues related to Coffee County but at this time do not believe any of them demonstrate a breach of actual equipment.” (Joint Discovery Statement, Doc. 1360 at 5.) And several weeks later, the Secretary of State’s COO Gabriel Sterling went a step further, claiming at a public forum that the breach “didn’t happen.” (See Carter Center Panel Video, Doc. 1633-17) (“So we are still dealing with that here and we still have to prove negatives in all these cases. It’s similar across the board. But like, we had claims . . . even recently there were people saying: ‘We went to Coffee County. We imaged everything.’ There’s no evidence of any of that. It didn’t happen.”). Page 66 . The court goes on to point out contradictions in Secretary Raffensperger’s comments regarding the breach, citing statements he made to 11Alive claiming Sterling insisted the breach didn’t occur because the Secretary’s office had been misled, while simultaneously claiming the Secretary’s office had learned about the breach “early on,” and continued to investigate the matter. Page 66. The court importantly notes that though the Secretary ultimately replaced the election equipment in Coffee County, none of it has been examined for malware. Page 68. The court also suggests the State defendants’ dismissal of the security vulnerabilities found by Halderman and Springall – based on the argument that the experts had unfettered access to voting systems – are persuasively discredited by the Coffee County software breaches. Page 92-93. Georgia State Defendants’ Failure to adequately address election security issues The court notes that the State had failed to implement critical software patches to defend against a flaw that the State Defendants’ own expert described as “‘one of the most severe security flaws ever discovered in a voting system,’ up to that time.” Page 23. The court remarks that the then-election center director at the Secretary’s office has no cybersecurity training. Page 19. In a footnote, the court notes that during the 2019 hearing, evidence was presented that outside contractors for the Secretary of State’s election unit used their home computers to create ballot files to be loaded onto computerized voting machines, and that it was unclear what security protocols, if any, these contractors had been following. Page 22. Though the Secretary of State did engage an outside cybersecurity firm to assess its security posture and recommend mitigations, the court admonished the Secretary for severely limiting to the scope of the firm’s assessments to exclude the state and county voting systems writing, “the surface of SOS cybersecurity issues was barely scratched.” Page 26. Nonetheless, the outside firm did identify “an astonishingly grave array of deficits,” but found the Secretary of State failed to mitigate most of them, despite the majority being low or no cost. Page 26. The Court recited its conclusion from a 2018 order that “the State had ‘stood by for far too long’ in failing to address the ‘mounting tide of evidence of the inadequacy and security risks’” posed by the Diebold touchscreen voting machines (used before the Dominion BMDs). Page 26,27. The court commented that further reviews by the Secretary’s outside expert, Fortilice, found that insecure practices persisted. Yet there was no evidence Fortice’s recommendations were being implemented. Page 48. The court also found it noteworthy that the Secretary of State’s office instructed its security expert, Fortilice, to stop providing reports in writing, and to report findings over the phone. Page 48 footnote, 31. Georgia state defendants’ response to the election server vulnerabilities discovered in 2017 are noted by the court. Section IV (A)(2)(c) of the order describes in detail the “slow and ineffective” response by the Secretary of State to the 2017 discovery that key elements of Georgia’s voting system was exposed to the internet and “mismanaged.” The discovery, by an outside expert, revealed that outsiders could access critical data because of the use of “grossly outdated” software, and modules known to be susceptible to malware. Page 23. The court notes that even though there was a “gaping breach” uncovered, that the Secretary of State insisted “nothing amiss happened,” remarking, “The Court found that this position “contradict[ed] the evidence.”” Page 25. The court highlights the fact that the Secretary’s election center director was aware of the expert’s warnings and Secretary staff had confirmed these serious software threats, website holes, and data-security exposures months before, without taking any action. Page 23, 24. The court also expressed distrust of the Secretary’s excuses for destroying the impacted servers – a mere four days after the Curling lawsuit was filed- stating “The Court found that this was not credible.” Page 25. Court comments regarding the Dominion BMD system at issue in Curling v. Raffensperger. The court makes a point of stating that the QR codes produced by the Dominion BMDs are not encrypted, contradicting assertions made by the Secretary of State in court and in the public. Page 31. The court states that, “a number of critical software updates related to the operation of Dominion’s software and equipment have not been purchased or installed in Georgia as of the date of this Order.” Page 46. The court also notes that though DHS’s CISA confirmed vulnerabilities identified by plaintiffs’ experts, Professors Alex Halderman and Drew Springall, and CISA recommend mitigations there is no evidence the State Defendants adopted CISA’s recommendations. Page 47. The court acknowledges that in its 2020 order it concluded that “[t]he substantial risks and long-run threats posed by Georgia’s BMD system, at least as currently configured and implemented, are evident,” and “that Plaintiffs had “shown demonstrable evidence that the manner in which Defendants’ alleged mode of implementation of the BMD voting system, logic and accuracy testing procedures, and audit protocols deprives them or puts them at imminent risk of deprivation of their fundamental right to cast an effective vote (i.e., a vote that is accurately counted).” Page 87, 88. The court also reiterated that “that the risks presented by the BMD system as it was then configured “are neither hypothetical nor remote under the current circumstances. Instead, the Court found that “[t]he Plaintiffs’ national cybersecurity experts [had] convincingly present[ed] evidence that this is not a question of ‘might this actually ever happen?’ – but ‘when it will happen,’ especially if further protective measures are not taken.” Page 90. The court makes note that the State defendants cannot provide a single cybersecurity expert that endorses the Dominion BMD system as it’s used and configured in Georgia. Page 91. The court also notes that the state’s expert specializes in “disability access issues” [italics in origin] and that he explicitly stated that he does not disagree with the plaintiffs’ experts’ (Halderman and Springall’s) findings related to security of the BMDs, and that he would defer to Dr. Halderman on issues of cybersecurity. Page 91 footnotes 52 and 54. Read the order here