Georgia’s shotgun-toting, Trump-style Republican candidate for governor Brian Kemp has sought to assure voters that his state’s election system is secure and that any allegations to the contrary are “fake news.”
But Kemp, who is also the secretary of state in charge of Georgia’s elections, is now being accused in a federal lawsuit of failing to secure his state’s voting system and allowing a massive breach that exposed voter records and other sensitive election information.
The allegations in the lawsuit come as the subject of election security has come into focus nationally, particularly as the November’s midterm elections approach. The suit describes how a private researcher discovered the records of more than 6 million registered Georgia voters, password files and encryption keys could be accessed online by anyone looking. Days after the lawsuit was filed, technicians erased the hard drives of the server in question.
Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the suit, argues Kemp’s office long neglected basic security standards and says it remains unclear if the state’s election system was infected with malware or breached by foreign hackers, which she says could have consequences for the midterm elections. She said because the data was destroyed, an independent review cannot be conducted.
Her group’s lawsuit seeks to force the state to implement paper ballot-based voting so that results can be audited.
“The data was open to anyone in the world who had an internet connection,” said Marks. “Even when confronted with a security disaster, [Kemp’s] response was to blame managers under his supervision for their incompetence and leave the security disaster without so much as a forensic review of the impacts of the security failures.”
In response to CNN’s questions about the lawsuit and the state’s elections system, Kemp said Georgia’s voting equipment “remains accurate and secure.” He added, “The hysteria of some people seeking to force Georgia to switch to an all paper ballot system is based on misinformation, and making this change would spend money to create problems that we should avoid.”
“The chaos of switching to a completely different voting system this close to an election would cause inconvenience, voter confusion, and potentially suppressed turn-out,” Kemp said.
The exposure of Georgia’s election system’s vulnerability dates back to August 2016, when private cybersecurity researcher Logan Lamb discovered 15-gigabytes worth of voter registration data and other sensitive information could be readily downloaded from the website of Kennesaw State University.
Kemp’s office had a contract with KSU’s Center for Election Systems to help run Georgia’s voting system. Lamb says the center’s website was like a door without a lock.
A recent indictment from special counsel Robert Mueller notes that in the lead-up to the 2016 presidential election Russian intelligence operatives visited “websites of certain counties in Georgia … to identify vulnerabilities.” Kemp’s office said the indictment revealed only visits, not penetration of any Georgia systems by Russians.
“The website security itself is inexcusable,” Lamb told CNN. “Never mind the nation-state threats of countries like Russia, it could have easily been compromised by [anyone].”
Following his discovery, Lamb emailed the executive director of KSU’s election center, Merle King, to alert him about the vulnerability. According to Lamb and court filings, King told him that the issues would be addressed but added that Lamb should keep quiet about his findings, otherwise he would be “crushed” by the politicians “downtown.” King did not respond to CNN’s request for comment.
Internal emails show KSU’s technology staff acknowledged the elections system had “40+ critical vulnerabilities” in October 2016, but when Lamb and a colleague checked the website more than six months after his original discovery, he says, the vulnerabilities remained.
Lamb’s colleague notified a KSU faculty member, who then alerted the university’s technology services office, which finally firewalled the website in March 2017, according to the lawsuit and a KSU report filed in court.
An investigation was launched by the FBI and closed without comment.
A KSU statement in March 2017 stated that, based on a briefing by the FBI, there was no indication of illegal activity and no personal information was misused. The university said university employees “immediately isolated the server and contacted the Office of the Secretary of State” when its officials were notified in March.
Kemp called the breach “deeply concerning,” and although he announced plans to end the arrangement with the center, his office renewed the KSU contract to manage the election system one last time in July 2017.
Kemp did not openly criticize KSU until a letter from the state attorney’s office sent in October revealed KSU staffers had wiped the election system’s hard drives, deleting potential evidence relevant to the lawsuit. The disclosure prompted outrage from the lawsuit’s plaintiffs and was detailed in a report by the Associated Press.
A KSU spokesperson did not respond to CNN’s questions about why the server’s hard drives were wiped.
Kemp responded with a Facebook post in which he called the decision “reckless” and condemned “undeniable ineptitude at KSU’s Center for Election Systems.”
Charles Amlaner, a former vice president for research at KSU who signed some of the university’s contracts, said Kemp’s office did not include data security specifications in its election-system contracts with KSU for years . He said he found that unusual because most other government contracts involving sensitive data he has reviewed have contained multiple pages outlining security requirements.
“These contracts were pretty slim on detail. If you don’t give us rules and regulations on data security, how do you expect us to abide by them?” he said.
In response, Kemp’s office said the university had security protocols in place but didn’t follow them.
“There were extensive security protocols in place at the university, and every part of the university — including the Center for Elections Systems — was expected to follow them,” said Candice Broce, spokeswoman for the Georgia Secretary of State’s office. “When the Center failed to comply, the state added additional security provisions before ultimately terminating this contract and moving all operations in-house. Secretary Kemp made the right call.”
A review of two contracts by CNN found that only after the breach’s exposure in 2017 was language inserted mandating that the center “implement data security policies that adhere to all current IT policies.”
The contract with KSU’s Center for Elections Systems ended, but Kemp’s office offered a job to a director of the center.
Kemp has criticized news reports that raise questions about the integrity of state election systems. He wrote in a recent USA Today op-ed that states are doing enough to secure their own voting systems.
Kemp also blasted efforts by the Department of Homeland Security under the Obama administration to label states’ voting systems “critical infrastructure” in 2016, which would enable the federal government to give states cybersecurity assistance. He has described the proposed designation as federal government overreach.
Although he has said the implementation of paper ballots for the upcoming November elections is unnecessary, Kemp leads a Georgia commission researching ways to improve the state’s aging voter system and he supports the deployment of a new system by the 2020 election.
Georgia is one of only a few states that currently use voting machines statewide without paper trails. Paper records make manual recounts possible in the event of a contested election or alleged tampering.
Richard DeMillo, a Georgia Tech professor who studies election security and computer science, said he is concerned by the absolute assurance with which Kemp talks about Georgia’s election system’s security because there’s no evidence the state has conducted a forensic review of all its servers. He said improvements to Georgia’s voting system should have been implemented years ago.
“To say Georgia’s system is totally secure you would have to believe there is a magic umbrella over the state protecting it,” DeMillo said. “I don’t understand where that reasoning comes from.”