Brian Kemp’s Hail Mary disguises three years of security lapses
Update: current developments
Georgia Secretary of State and Republican gubernatorial candidate Brian Kemp, locked in a virtual tie with Democratic candidate Stacey Abrams, appears to be a desperate man.
On Sunday, two days before the election, Kemp “used his official position” to announce that the Georgia state Democratic Party was being investigated for allegedly trying to hack the state’s voter registration system.
Let’s do a quick look over our shoulders to see how concerned Kemp has been about the sanctity of the state’s voter registration base, shall we?
Because we’ll see that what really happened this weekend was that yet another person found lapses in state election security.
In 2015, the Secretary of State’s Office inadvertently disclosed the Social Security numbers and other private information of more than 6 million registered voters. That data went to 12 organizations, including media outlets and political parties, who regularly subscribe to “voter lists” maintained by the state, although the office later said all 12 discs containing the data were either recovered or destroyed.
Read that again. Kemp’s office sent voter info, including Social Security numbers, to 12 outside organizations.
In August 2016, Logan Lamb, a security researcher, notified the Georgia Center for Election Systems at Kennesaw State University that its voting system computers were “completely open” and could be manipulated.
[Seattle lawyer Robert] McGuire said cyber experts refer to the breach of the center’s Drupal servers as “Drupalmageddon,” a condition that “would let a malicious person take over as administrator of that server, like you had the root password.”
The Center has overseen the state’s election operations and voting machines since 2002. The Center also sources the electronic poll books used throughout the state.
In addition to the risk of hackers injecting malware, the vulnerability could have led to Georgians being removed from (or added to) voter rolls.
Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.
Secretary of State Kemp did nothing. He says that Kennesaw did not alert his office of the breach.
However, Kemp turned down an offer of help from the federal government. Georgia was one of only two states that rejected an offer from the Department of Homeland Security to help states lock down their election systems.
“The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security,” Georgia Secretary of State Brian Kemp told Nextgov in an email. “Designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States.”
In addition to turning down help, Kemp accused the federal government of hacking.
In December 2016, he accused the Department of Homeland Security of hacking into Georgia’s voter registration records, as well as the Georgia secretary of state’s computer systems. An independent investigation by the department’s inspector general, which operates independently from the department’s chain of command, found that the activity Mr. Kemp believed was suspicious was, in fact, normal behavior between computer systems.
In March 2017, a second Georgia cybersecurity expert revealed problems.
Chris Grayson discovered that an unencrypted version of the Drupal vulnerability had not been fixed. “Grayson could still access all the same files Lamb had downloaded months earlier.”
In 2017, the Federal Bureau of Investigation opened an investigation at the Center for Election Systems. On March 17, the FBI returned a server to the Kennesaw Center.
In July, election security advocates sued both the Kennesaw Center and Kemp’s office “in an attempt to force a shift to paper ballots.” They cited the security lapses.
After the suit was filed, someone wiped the “Center’s election server and a backup server used in 2016.”
In November, the Georgia attorney general’s office withdrew from the defense of Kemp; Merle King, executive director of the Center for Election Systems; and members of the state elections board.
Elections advocates sued Kemp to try to force the state to abandon its electronic voting system, which has no paper backup. US District Judge Amy Totenberg denied the motion but “warned state and county officials ‘further delay is not tolerable’ in ‘confronting and tackling the challenges before the state’s election balloting system’.”
Although Kemp’s office said in mid-2017 that it would phase out its contract with the Elections Center and take over all elections processes, equipment and servers, a Google search does not show any news stories from 2018 saying that this has been completed.
In the email, Mr. Wright describes how “any file on the system” on a Georgia voter information page can be accessed through a place on the site meant for downloading sample ballots and poll cards. He also shows how an online voter registration site can be used to “download anyones [sic] data.”
The Elections Center has a history of intransigence
In 2006, then secretary of state Karen Handel ordered a security review of state elections systems. Richard DeMillo, who was dean of computing at Georgia Tech at the time and led the review, said that Kennesaw was “adamant that its procedures and networks would not be included in the review.”
But when DeMillo’s team submitted a draft of their report, he says she sent it back instructing them to add a caveat about the center’s absence from the review. It reads: “The Election Center at Kennesaw State University fills a key role in Georgia’s statewide election procedures, which makes it a potential target of a systematic attack. We did not have sufficient information to evaluate the security safeguards protecting against a centralized compromise at the state level.”
DeMillo told McClatchy that Kemp’s office “is prone to misrepresenting the security posture of Georgia’s election system, to saying things that have been demonstrated to be false and to offering misleading explanations to why Georgia voters should trust the security of their systems.”
Finally, Kennesaw is deeply connected to the state’s Republican Party. Former Republican US Senator Newt Gingrich was an associate professor of political science at Kennesaw. Former Republican Georgia attorney general Samuel Scott Olens was appointed president in November 2016; he stepped down a year later following inquiries into how he handled protests related to the national anthem.
Olens was reprimanded by the state Board of Regents “for failing to follow official guidance in dealing with five African-American cheerleaders who knelt during the national anthem” at a football game.