The alleged theft of voting system software from an elections office in Coffee County, Ga., not only features heavily in the latest indictment of former President Donald Trump. It also highlights a growing risk to the security of the next presidential election.
Election security experts have long warned that the theft of sensitive voting system software could provide a road map for bad actors to identify holes in those systems and build malware to exploit them. And two years ago, a researcher named Alex Halderman found a raft of critical bugs in the same software stolen from the rural Georgia county.
Fulton County District Attorney Fani Willis was reported to have identified the breach at Coffee County as a key part of her probe. But the charges are the first to officially link Trump allies to the theft of voting system software that took place in Georgia and other states in the aftermath of the 2020 election.
The software — which powers certain ballot-marking devices from Dominion Voting Systems — is currently used to tabulate votes in each of the 159 counties in Georgia, and several other counties across the country.
The 41-count indictment brought by an Atlanta grand jury indicates it is now in the hands of pro-Trump activists.
The indictments allege that the former president’s lawyer, Sidney Powell, coordinated with local GOP officials to illegally access sensitive voting data, equipment and software stored on Dominion systems in Coffee County.
Asked about the risks posed by the breach of Dominion software, an official from the U.S. Cybersecurity and Infrastructure Security Agency said states can limit the risk to Election Day through a host of largely routine election security practices.
"While unauthorized access of sensitive systems and software does pose potential cybersecurity risks, procedures widely used across the election community — including logic and accuracy testing, software checks, air-gapped voting equipment, paper ballots, and post-election audits — help mitigate this risk," said Cait Conley, senior adviser to CISA Director Jen Easterly.
For its part, Dominion Voting Systems has unveiled a software upgrade to address the bugs identified by Halderman. But Georgia Secretary of State Brad Raffensperger has said the state will not be able to implement the update by the 2024 election. Instead, he intends to apply some of the other safeguards recommended by CISA.
Since most other states use the Dominion’s system — called ImageCast X — as a backup option for voters with disabilities, the risks are not as acute elsewhere.
But it is clear the software is now in the open. According to the indictment, the software filched from Coffee County was then “distributed to other members of the enterprise, including members in other states.”
Elsewhere, it alleges the conspiracy operated in Arizona, Michigan, Nevada, New Mexico, Pennsylvania, Wisconsin and the District of Columbia.
The indictment also alleges that four unindicted co-conspirators downloaded copies of the Dominion software from a server maintained by SullivanStrickler, an Atlanta-based forensics firm employed by Powell to examine the systems in Coffee County, Michigan and elsewhere.
Moreover, Powell’s campaign to copy voting software in other states has resulted in Trump-affiliated computer experts copying proprietary software from Election Systems & Software, The Washington Post has reported.
Along with Dominion, ES&S is one of three major voting machine vendors in the country.
A version of this story previously ran in Morning Cybersecurity, POLITICO's subscriber-only newsletter on cybersecurity policy and politics. Learn more about becoming a subscriber.