Connecting state and local government leaders

Brian Kemp Was Warned of a Cyber Vulnerability. He Weaponized It—Again

Georgia Secretary of State Brian Kemp at a campaign rally in Macon on Sunday. John Bazemore / AP Photo


Georgia’s secretary of state and Republican gubernatorial candidate has a history of attacking those who point out the flaws in his state’s election cybersecurity.

This article has been updated with responses from the Georgia Secretary of State’s office.

Georgia Secretary of State and Republican gubernatorial nominee Brian Kemp’s office seems to have a cybersecurity problem. With less than 48 hours before voters go to the polls in Georgia, Kemp announced his office was investigating the Georgia Democratic Party for an alleged failed hack of the secretary of state’s voting website.

The leader of an organization that claims to have disclosed these cyber vulnerabilities to his office says the blaming of his political opponents is both “fabricated and preposterous.” It is part of a pattern of Kemp not securing voting systems, then politicizing and weaponizing his cybersecurity vulnerabilities against those who report them.

This weekend’s accusation of the Democratic Party hacking the state appears to stem from information passed to Kemp’s office, warning him of what was described to Route Fifty as a “massive vulnerability” in the Georgia My Voter Page, a portal that allows residents to check their voter registration status, mail-in application and ballot status, along with other voting information.

A voter who had accessed the website for voting purposes noticed flaws, said Marilyn Marks of the Coalition for Good Governance. Marks’ organization was one of those that was sent a memo outlining how the online voter registration database used to update electronic pollbooks for election day was accessible and vulnerable to manipulation, ultimately passing it along to the Secretary of State’s office.

The Secretary of State’s office has said they opened the probe into the state Democratic Party after the legal team was contacted “about failed efforts to breach the online voter registration system and My Voter Page.”

Candice Broce, a spokesperson for the Secretary of State’s office, told the Washington Post that Democrats had an email that the office interpreted as an attempted hack. The paper described the email as containing “a script attached to [the email sent to the office] that, if launched, could have been used to extract personal voter registration data.”

“Our position is that these were failed attempts to hack the system,” Broce told the paper. “All the evidence indicates that, and we’re still looking into it.”

The office believed the collective evidence provided to them was enough to ask for law enforcement to investigate, as they asserted planning a hack is enough to constitute a crime.

The organizations that received the information about the alleged problems are among those suing the secretary of state for the high rate of rejections of absentee mail ballots in Georgia, as well as the Democratic Party.

Marks told Route Fifty the organizations had six cybersecurity experts of “national preeminence” in the computer science world review the data. All of them came to the same conclusion that the vulnerability was real and significant.

“The experts who did look at it immediately recognized the problem with a quick look and realized delving in further could be problematic from a legal standpoint,” Marks said. “And these aren’t people that come at this from a political standpoint, they’re scientists.”

Marks said the experts said the flaw could leave Georgia residents wide open to not just identity theft, but to having their names altered or eliminated from the electronic pollbooks that govern who is allowed to vote in the state.

By Saturday, both groups decided to pass information on the vulnerabilities along to the secretary of state.

"We cannot evaluate whether pollbook data has been altered or whether this extreme security risk may impact Tuesday’s election," Marks wrote in an email release. "We again urge Secretary Kemp and the State Election Board to do everything humanly possible to correct errors in pollbooks for use on Tuesday and make a paper backup copy for every polling location."

With Georgia lacking a paper trail for ballots or pollbooks—other voting vulnerabilities that Georgia has successfully defended itself against fixing in court—the flaw opens up the potential for mass disruption in voting.

Later on Saturday, Kemp’s office released the statement accusing the Democratic Party of hacking the website, bringing national attention to the issue. The Democratic Party has called the claims "100 percent false," and his opponent in the governor’s race, Democratic nominee Stacey Abrams, called it “an attempt to distract voters.”

Marks told Route Fifty the vulnerabilities on the website were not fixed as of late Sunday night, according to the security researchers her organization was in contact with. The Democratic Party of Georgia posted a news release that included the emails that were passed along to the Secretary of State's office as part of the explanation of the vulnerability on the Georgia My Voter web portal.

Matt Bernhard, an election security researcher at the University of Michigan, who reviewed and confirmed the vulnerabilities for the organizations on Sunday, posted on Medium that he had concerns that the flaws may be evident in 15 other state election voter registration systems managed by the same third-party vendor.

This is not the first time Kemp has had a cybersecurity incident, nor used it to political ends. Over the course of multiple incidents in the past four years, Kemp has increasingly used political tactics to cover up for cyber mismanagement within his office.

In 2015, the personal information of more than 6.2 million Georgia residents was accidentally released by Kemp’s office to multiple third parties. That information included Social Security numbers and birth dates of voters. Kemp released a statement taking full responsibility for the breach, and fired the employee he said was responsible for the disclosure.

The fired employee, while admitting to making some mistakes, claimed to be a “scapegoat” in an interview with The Atlanta Journal-Constitution following the incident. The employee pointed the finger at bad practices within the office and at a third-party vendor, PCC Technology Inc. The incident led to a lawsuit against Kemp and his office. It also led to political attacks from state Democrats that pointed to previous reports of mismanagement in other databases under his office’s jurisdiction, stating, “Kemp has proved incapable of handling large amounts of data.”

“I have put in place additional safeguards effective immediately to ensure this situation does not happen again,” Kemp said at the time.

Despite this scare, Kemp was not interested in outside support to shore up his cyber defenses. Less than a year later, as evidence came out that Russia was leading a series of cyber-related manipulation efforts against the United States in the lead-up to the 2016 election, officials responsible for voting quickly began to concern themselves with the state of their cybersecurity.

The U.S. Department of Homeland Security offered help to scan all state election systems to look for flaws in their cyber defenses. Kemp was one of only two state election leaders to decline support.

That wariness of DHS took on a tinge of conspiracy soon thereafter. Kemp accused the Obama administration’s DHS of attempting to hack Georgia’s voter database. The DHS inspector general, under President Trump’s administration, came back and said there was no malicious attack on the state.

“While I am disappointed that it took a new administration to investigate this highly important incident, I am pleased to learn this information and relieved that our federal government is not trying to interfere with elections in our state or others involved in this situation,” The Atlanta Journal-Constitution quoted Kemp as saying at the time.

While absolving DHS under Trump from potentially having hacked his election system, the state had found a new person to blame for his cybersecurity woes: Logan Lamb, an internet security expert in Georgia. As outlined in a 2017 Politico article, Lamb knew that Kennesaw State University’s Center for Election Systems tested and programmed voting machines for the state. He found “the mother lode” when looking at their website:

“... registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot.”

While these files were supposed to be protected behind a firewall, they were available to everyone. Similarly to the accusations in the current incident, the lack of a paper trail or paper pollbooks left the ballot open to manipulation.

Lamb attempted to warn Kennesaw State. When the vulnerabilities were not fixed and he and his colleague continued to sound the alarm, news reached the secretary of state’s office, the governor’s office and the media. Ultimately, the FBI was called in to investigate Lamb and the colleague for potential criminal acts. They found none.

It is a regular affair for responsible cybersecurity researchers to alert both public and private sector entities to flaws in their online systems. Many private and public entities offer "bug bounties" to encourage reporting of vulnerabilities in their systems—including the military. Georgia has not. In fact, outgoing Governor Nathan Deal had to veto a "computer crime" bill (SB 315) last session after a national outcry that it would have made the sort of research done by "ethical hackers" a crime.

PCC Technology, which bills itself as a “premier provider of solutions for Secretaries of State across the country,” still manages voter registration (including online registration) and election management for the state of Georgia.

Kemp’s opponents have raised ethics questions about his running for governor while managing the election process. Back in August, Georgia Democrats requested that Kemp resign from his role as secretary of state to avoid conflicts of interest. He refused.

Georgia’s election efficiency has not fared well under Kemp according to the Massachusetts Institute of Technology’s Election Performance Index. The index rates how states fare on a range of indicators that rank the efficiency of an election, from ballots cast and rejected to voting wait and tools available. Since Kemp became Georgia’s secretary of state in 2010, the state has fallen from fourth in 2008 to 34th in the nation.

Mitch Herckis is Senior Editor and Director of Strategic Initiatives for Government Executive’s Route Fifty.
