DHS cybersecurity agency claimed 2020 election was secure despite hack, Dominion vulnerabilities

In November 2020, then-Cybersecurity and Infrastructure Security Agency Director Chris Krebs called the recently concluded presidential election "the most secure in American history."

Since that sweeping claim, the FBI has found that two Iranian hackers hacked into a state computer election system — and CISA itself has recently acknowledged that Dominion voting machines are vulnerable to hacking.

"There was no indication or evidence that there was any sort of hacking or compromise of election systems on, before or after November 3," Krebs told "60 Minutes" not long after the election in his first interview following his dismissal by then-President Trump. 

On Friday, however, CISA released a report detailing nine vulnerabilities in Dominion's Democracy Suite ImageCast X voting system, most of which include the ability to "install malicious code" on the machines.

These particular machines are "an in-person voting system used to allow voters to mark their ballot," according to the report.

J. Alex Halderman of the University of Michigan and Drew Springall of Auburn University, the researchers who alerted CISA to the Dominion machines' reported vulnerabilities, originally examined Dominion's Democracy Suite ImageCast X voting system for the plaintiffs in a federal lawsuit first filed in 2017 against Georgia over the state's then-outdated voting machines.

After Georgia bought Dominion voting machines in 2019, the plaintiffs argued that the new voting machines were not secure and that voting should instead be conducted with paper ballots.

In July 2021, the two researchers provided their report to the court in Georgia. The report remains under seal. In February, the judge overseeing the case agreed to allow the report to be shared with CISA, according to the Associated Press.

Halderman told the AP that one of the most concerning vulnerabilities is that malicious code could be spread to machines throughout a jurisdiction from the election management system.

While conceding the identified weaknesses in its report, CISA went out of its way to discourage drawing inferences about the controversial 2020 election from from its explosive new findings. "While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections," the report stressed.

In a statement on Twitter, CISA Director Jen Easterly also highlighted the absence of evidence that the Dominion system's vulnerabilities have been exploited for nefarious purposes. "While these risks should be mitigated as soon as possible, we have no evidence they have been exploited in any elections," she wrote.

The two researchers, meanwhile, have spoken up to clarify that — notwithstanding CISA's no-exploitation caveat — neither their analysis nor CISA's were meant to determine whether the vulnerabilities had been exploited.

"I stress that I'm not aware of any evidence that the problems have been exploited in real elections — neither our analysis nor CISA's CVD process was the kind of investigation that could determine that — but states should take them seriously and act now to strengthen defenses," Halderman tweeted on Friday.

"Just to be clear, our work was *not* about the November 2020 election," Springall tweeted the same day. "We started in Sept 2020 (i.e., well before the election) when we were provided access by a federal court. We studied the security of the device, not the results of any past, current, or future contest."

In response to a request for comment, CISA provided links to Easterly's statement and a "Rumor Control" page on its website. "The existence of a vulnerability in election technology is not evidence that the vulnerability has been exploited or that the results of an election have been impacted," the agency notes in its debunking-style "Election Security Rumor Rumor Vs. Reality" format. "Technology has vulnerabilities. Identifying and mitigating vulnerabilities is an important security practice."

Dominion did not respond to a request for comment Wednesday from Just the News.

In a statement to CNN, Dominion said that the CISA report "reaffirms what thousands of hand counts and recounts have proven: Dominion machines are accurate and secure."

"The issues raised in the advisory are limited to ballot marking devices, not vote tabulators," the spokesperson added. "These issues require unfettered physical access to election equipment, which is already prohibited by mandatory election protocols. Every voting system, even hand counting, depends on these same process protections to ensure secure elections."

According to the report, Dominion told CISA that the "vulnerabilities have been addressed in subsequent software versions."

Halderman, however, told the AP that based on what he knows, "no one but Dominion has had the opportunity to test their asserted fixes."

Phill Kline, director of election integrity watchdog group the Amistad Project, told Just the News that CISA's emphasis on the lack of evidence of exploited vulnerabilities is "misleading" in its tacit implication that the agency had investigated whether the Dominion machines' vulnerabilities had been exploited.

Kline agreed that the existence of the vulnerabilities doesn't mean they were exploited. However, he added, "There's never really been an investigation that we are aware of" regarding whether or not the vulnerabilities were exploited.

J. Christian Adams, president of Public Interest Legal Foundation, slammed CISA on the "Just the News, Not Noise" TV show Tuesday. "It wasn't but two years ago that they were telling us that everything was hunky dory," said Adams, an election lawyer who served in the Voting Rights Section at the Department of Justice. "The people who work at CISA are swamp creatures to the nth degree."

In another blow to the narrative of the 2020 presidential election being "the most secure in American history," the Justice Department unsealed an indictment last November of two Iranian hackers related to the election.

The two Iranians allegedly hacked a state computer election system and stole voter registration data to carry out a cyber-intimidation campaign targeting Trump campaign officials, Republican members of Congress, and Democratic voters.

U.S. Attorney Damian Williams said that the defendants "were part of a coordinated conspiracy in which Iranian hackers sought to undermine faith and confidence in the U.S. presidential election."

The two Iranians, Seyyed Mohammad Hosein Musa Kazemi, 24, and Sajjad Kashian, 27, were charged with obtaining confidential voter information from at least one state election website, sending threatening emails to intimidate and interfere with voters, and disseminating a video regarding disinformation about purported election infrastructure vulnerabilities.