by Kate Chandler
Last week, critical issues surrounding Georgia’s voting system came to the surface in the Curling v. Raffensperger trial in Atlanta. Dr. J. Alex Halderman, a computer science professor at the University of Michigan, revealed how easily Dominion voting systems could be compromised.
As first reported by Law360, Dr. Halderman demonstrated how a USB drive or a pen could be used to install malware, alter ballots, and enable unauthorized access to Dominion’s Ballot Marking Device (BMD) systems, which are used for in-person voting across the state of Georgia.
In his presentation, Halderman used a pen to trigger a Dominion machine’s reboot into “safe mode,” gaining access to its Android desktop.
He further demonstrated that in this mode, a user could modify files, alter settings, install malware, and access a “terminal emulator” on the voting machine. By using this emulator and a specific text command, he further showed how he could achieve “super-user” access, which potentially allow such a user complete control over the machine, including the ability to read, monitor, and modify any data, such as ballots.
Last week’s proceedings also included testimony from top officials in the Georgia Secretary of State’s office, which is responsible for the decision-making and deployment of these voting machines. One key witness was Gabriel Sterling, the chief operating officer for Georgia’s secretary of state. His testimony was marked by elaborate and convoluted responses, evading clear questions regarding the security of Dominion’s voting machines.
When asked about frequent references from officials in the secretary of state’s office, including Brad Raffensperger, to the plaintiffs and their experts as “election deniers,” Sterling responded, “They are cut from the same cloth, in our opinion, yes.”
Sterling, who seemed to equate Halderman with purported “election deniers,” also admitted to previously dismissing Halderman’s 2021 report on vulnerabilities in Dominion’s voting equipment as “a load of crap.” Throughout his testimony, however, Sterling consistently maintained that he had not seen or read Dr. Halderman’s report until later in 2022.
Where is Brad Raffensperger?
A lively back-and-forth ensued between opposing counsel after it was established that both Sterling and Raffensperger based their decision about whether to read Halderman’s report on legal advice. Attorney for state defendants, Mr. Joshua Belinfante, objected on the grounds of attorney-client privilege. In response, plaintiff’s attorney Mr. David Cross contended that Sterling had already waived this privilege during his deposition, a view upheld by the court. Challenging this view, Belinfante asserted that Sterling couldn’t waive privilege on Raffensperger’s behalf. Cross quickly retorted, “Well, then bring the Secretary in. We’re happy to question him.” Belinfante responded, “Sorry, the Eleventh Circuit told you no for the third time.” Cross corrected him, stating, “Actually, the Eleventh Circuit said he is free to come in. He is choosing not to.”
Shifting focus back to Mr. Sterling, Cross brought up a January 2022 press release from Raffensperger about Dr. Halderman’s report. In it, Raffensperger says:
“I’m calling on J. Alex Halderman, the author of a report on alleged vulnerabilities in the Dominion equipment, to ask the judge to publicly release his findings on Georgia’s election system and his pre-2020 election testimony.”
Sterling was then asked whether Raffensperger was aware that it was in fact Raffensperger’s own objections that were preventing the court from releasing the report. In other words, Raffensperger was simultaneously issuing a public call for transparency and impeding the process. It was further pointed out that Halderman and the plaintiffs had been asking the court for about six months to release the report, but these efforts were stalled due to Raffensperger’s objections.
Georgia’s Roll-out of Dominion Voting Equipment
In 2018, the Secure, Accessible, and Fair Elections (SAFE) Commission was established under then-Secretary of State, now Governor of Georgia, Brian Kemp. This commission was tasked with making decisions about Georgia’s next voting system. Raffensperger, who later became Secretary of State, was a member of this commission, as he notes in his book, Integrity Counts. He further highlighted that Dr. Wenke Lee, co-executive director of Georgia Tech’s Institute for Information Security and Privacy, was part of this commission.
However, Gabriel Sterling admitted during his testimony that Dr. Lee, the sole cybersecurity expert on the commission, had explicitly opposed the adoption of Ballot Marking Devices (BMDs) as the new voting system—a notable omission from Raffensperger’s book.
Raffensperger also details in his book that while the SAFE Commission members were engaged in the legislative process for the new voting system, Sterling led his team in drafting the Request for Proposal (RFP) for voting equipment vendors—a process that ultimately led to selecting the Dominion Democracy Suite system. Raffensperger underscores the importance of precision in drafting the RFP, stating, “they had to get every word in the RFP correct … nothing in the RFP could imply favoritism toward any particular vendor”—an unusual point of focus if no favoritism existed. Such meticulous focus on wording invites speculation and might suggest a conscious effort to obscure what he insists they were avoiding—preferential treatment for a specific contractor. So why this emphasis? And if there was an unspoken preference, what was its nature?
In relation to the Dominion Democracy Suite system’s implementation, Sterling, the COO for the Secretary of State’s office since January 2019, testified about a brief change in his role. In November 2019, he stepped down temporarily to become the contracted implementation manager for the new statewide Dominion voting system. He explained that this move to a contract-based role, prompted by budgetary constraints, was necessary because the bond funds for the system’s rollout couldn’t be used to make direct payments to a state employee. Sterling justified this decision to go work instead for Dominion, stating that the Secretary of State’s office was already committed to using those bond funds for the system’s project management.
Obstruction Of An Official Proceeding?
In his testimony, Sterling acknowledged that following a review of Dr. Halderman’s report on voting system security issues, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory confirming the vulnerabilities identified in the report.
Sterling was then questioned about any communication between the Secretary of State’s office and CISA during their assessment of Halderman’s findings. Sterling did not provide a direct answer about whether such communication occurred, instead suggesting that the CISA process does not permit direct input from the Secretary of State’s office. However, when specifically asked about his interactions with Geoff Hale, a DHS official during CISA’s review, and Kim Weiman, also with DHS at the time, Sterling initially replied, “I don’t know.”
When pressed further, Sterling admitted that he had urged Kim Weiman not to advise against the use of QR codes on BMDs—contradicting his earlier suggestion that he was not allowed to make such recommendations. He also conceded that he might have expressed frustration with the CISA review process, noting that these discussions typically occurred via phone calls, in-person talks, and some email exchanges.
Sterling’s request to Kim Weiman, urging her not to oppose the use of QR codes, is particularly notable in light of Dr. Halderman’s demonstration at a September 2020 hearing. There, Halderman revealed a hacking method designed to alter QR codes in the current voting system. During his recent testimony, Sterling was questioned about his awareness of Raffensperger’s office not taking measures to address the risks highlighted by Halderman. Sterling’s extensive and complex response, however, failed to offer any specific actions taken by Raffensperger to mitigate such risks for the November 2020 election.
Georgia’s Election Security Hampered by Reckless Negligence or Deliberate Disregard?
In his testimony, Sterling ultimately admitted that he agrees with the need to address vulnerabilities identified in Dr. Halderman’s report. He conceded that it is “potentially possible” for an average voter to hack a machine on Election Day and alter votes in a matter of minutes.
Throughout his testimony, Sterling faced repeated inquiries about whether Raffensperger’s office had established formal policies or guidelines to address potential security breaches in the Dominion voting equipment. His initial responses were lengthy but non-responsive, however he eventually shed light on the mitigation strategy in place. He pointed out that poll managers are largely expected to rely on their “best judgment,” though he seemed unsure about the existence of any additional measures.
Despite holding several key roles in the Secretary of State’s office, including chief operating officer, chief financial officer, and director of licensing, Sterling could not definitively confirm the existence of formal policies or guidelines for handling potential security breaches during an election.
This uncertainty casts further doubt on Raffensperger’s ability or willingness to ensure the security of Georgia’s election system—a stark contrast to his usual tendency to dismiss Georgia voters’ security concerns as the result of “election deniers.” His repeated failures to properly address these issues imply, at the very least, negligence, leaving open the question of whether there is a deliberate effort to disregard the integrity of Georgia’s election results.