Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached.
But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.
The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country.
“I am sure that you are aware that these are opportunities for malicious users to gather account credentials,” William Moore, a cybersecurity official on a Kennesaw State University team tasked with running Georgia’s election system, wrote to a colleague in October.
Officials at Kennesaw’s Center for Election Systems were struggling to respond to the report of a cyber watchdog who nosed around the system to test its defenses two months earlier and wound up gaining access to a colossal, 15-gigabyte store of confidential material, including voter data and passwords to the system.
The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections.
“I think these emails reveal that they recognized this system was catastrophically insecure,” said Robert McGuire, a Seattle lawyer representing citizen activists in a lawsuit that seeks to force Georgia to scrap its paperless electronic voting machines this fall and shift to paper ballots.
Secretary of State Brian Kemp, whose office oversees the state’s elections, says he was unaware of the system vulnerabilities at the time. Kemp, the Republican nominee for governor in this fall’s election, still maintains Georgia’s system is secure.
However, Kemp has created a commission with members of both parties to examine how to replace the state’s voting system in time for the 2020 election.
McGuire said cyber experts refer to the breach of the center’s Drupal servers as “Drupalmageddon,” a condition that “would let a malicious person take over as administrator of that server, like you had the root password.
“It means they could be sitting at the keyboard with access to everything ... They could write stuff, change stuff, take stuff off,” he said.
The emails show that, even in March 2017, months after the election, the center’s technical team was still scrambling for solutions when a second Georgia cybersecurity expert visited Kennesaw’s electronic mothership for the state’s 159 county election systems. He, too, reported gaining access to confidential records on millions of voters.
Continuing revelations about the system’s security challenges have forced Kemp to confront a storm of questions, both about his stewardship of Georgia’s election system while serving as secretary of state since 2010 and about the Kennesaw Center’s destruction of records in the face of a citizen lawsuit.
Georgia’s is one of five statewide systems that use aged electronic voting machines lacking a paper trail for use in recounts or audits to verify the accuracy of the reported vote.
As a result, experts say, the system may be an inviting target for operatives from Russia and elsewhere to install software that manipulates votes without detection.
During a White House briefing on Thursday, Homeland Security Secretary Kirstjen Nielsen said U.S. adversaries — presumably including the Kremlin — have exhibited “a willingness and a capability” to go beyond Russia’s sophisticated social media blitzes and email hacks of 2016 and this time penetrate America’s election infrastructure, including voter rolls and voting machines.
A federal indictment issued July 13 by Justice Department Special Counsel Robert Mueller underscores the threat to Georgia. It alleges that Anatoliy Kovalev, one of a dozen Russian intelligence officers charged with hacking Democrats’ emails and attempting to penetrate state voter registration systems, scoped out Georgia county election websites in October 2016 “to identify vulnerabilities.”
Homeland Security officials notified Kemp’s office that websites for Fulton and Cobb counties, covering Atlanta and its outskirts, were among those visited, said Kemp spokeswoman Candice Broce, confirming a report by the Atlanta Journal-Constitution.
“There is no evidence that he (Kovalev) did anything except visit these websites,” perhaps to identify employees who might be tricked into providing passwords to their systems, Broce said.
Kemp has sought to distance himself from Kennesaw State’s Center, whose contract he announced he would terminate in October 2017, after it was disclosed that center officials had wiped its election system server and a backup clean.
He responded to the disclosure that the servers were wiped with a Facebook post, saying Kennesaw officials never notified his office of the server’s vulnerabilities or of plans to destroy documents. He assailed the center for “undeniable ineptitude.”
“This pattern of reckless behavior is exactly why we are ending our relationship with KSU” and moving the job “in-house,” mirroring the arrangement in most other states, Kemp said.
At the time the server data was erased, center officials were defendants in a federal lawsuit over the system’s security gaps, for which relevant records should have been preserved. In addition, they were subject to a federal law banning the destruction of voting records for 22 months after elections.
“The timing of the server being destroyed is suggestive that they intended for us not to know what’s on there,” said lawyer McGuire, who said he is a Republican. “Circumstantially, why would you destroy something right when you’ve been served with a lawsuit?”
Marilyn Marks, a North Carolina-based voting security activist who has led the challenge to Georgia’s election integrity, said that if Kemp “was unaware of the massive security failures, breaches and compromises of the election system … he was either grossly negligent or willfully blind.”
Another Kemp critic is Richard DeMillo, a former chief technology officer for Hewlett Packard and past dean of Georgia Institute of Technology’s computer science school.
He said Kemp’s office “is prone to misrepresenting the security posture of Georgia’s election system, to saying things that have been demonstrated to be false and to offering misleading explanations to why Georgia voters should trust the security of their systems.”
For some 15 years, Kennesaw State ran Georgia’s elections from a low-slung brick building that DeMillo likened to operating “out of someone’s basement.” There were no bars on the windows, and the front door had no special security, he said.
A Politico Magazine story published in June 2017 suddenly focused national attention on Kennesaw’s Center.
The story described how Logan Lamb, a young online security researcher for Bastille Networks, visited the Election Center’s website in August 2016 and found he could easily download 6.7 million voter registration records.
Lamb emailed the election center’s executive director, Merle King, and reported the voting system’s software and other documents were “completely open.”
“There’s a strong probability that your site is already compromised,” he wrote. “I’d like to collaborate with you on securing our state’s election system’s infrastructure against wireless attacks.”