Georgia's voter system vulnerable to attack

For months, information about millions of voters in Georgia was exposed online, but the state's top election official, who is also running for governor, denies Georgia's election system is vulnerable.

Posted: Aug 15, 2018 2:32 PM
Updated: Aug 15, 2018 3:01 PM

Georgia's shotgun-toting, Trump-style Republican candidate for governor Brian Kemp has sought to assure voters that his state's election system is secure and that any allegations to the contrary are "fake news."

But Kemp, who is also the secretary of state in charge of Georgia's elections, is now being accused in a federal lawsuit of failing to secure his state's voting system and allowing a massive breach that exposed voter records and other sensitive election information.

The allegations in the lawsuit come as the subject of election security has come into focus nationally, particularly as the November's midterm elections approach. The suit describes how a private researcher discovered the records of more than 6 million registered Georgia voters, password files and encryption keys could be accessed online by anyone looking. Days after the lawsuit was filed, technicians erased the hard drives of the server in question.

Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the suit, argues Kemp's office long neglected basic security standards and says it remains unclear if the state's election system was infected with malware or breached by foreign hackers, which she says could have consequences for the midterm elections. She said because the data was destroyed, an independent review cannot be conducted.

Her group's lawsuit seeks to force the state to implement paper ballot-based voting so that results can be audited.

"The data was open to anyone in the world who had an internet connection," said Marks. "Even when confronted with a security disaster, [Kemp's] response was to blame managers under his supervision for their incompetence and leave the security disaster without so much as a forensic review of the impacts of the security failures."

In response to CNN's questions about the lawsuit and the state's elections system, Kemp said Georgia's voting equipment "remains accurate and secure." He added, "The hysteria of some people seeking to force Georgia to switch to an all paper ballot system is based on misinformation, and making this change would spend money to create problems that we should avoid."

"The chaos of switching to a completely different voting system this close to an election would cause inconvenience, voter confusion, and potentially suppressed turn-out," Kemp said.

The exposure of Georgia's election system's vulnerability dates back to August 2016, when private cybersecurity researcher Logan Lamb discovered 15-gigabytes worth of voter registration data and other sensitive information could be readily downloaded from the website of Kennesaw State University.

Kemp's office had a contract with KSU's Center for Election Systems to help run Georgia's voting system. Lamb says the center's website was like a door without a lock.

A recent indictment from special counsel Robert Mueller notes that in the lead-up to the 2016 presidential election Russian intelligence operatives visited "websites of certain counties in Georgia ... to identify vulnerabilities." Kemp's office said the indictment revealed only visits, not penetration of any Georgia systems by Russians.

"The website security itself is inexcusable," Lamb told CNN. "Never mind the nation-state threats of countries like Russia, it could have easily been compromised by [anyone]."

Following his discovery, Lamb emailed the executive director of KSU's election center, Merle King, to alert him about the vulnerability. According to Lamb and court filings, King told him that the issues would be addressed but added that Lamb should keep quiet about his findings, otherwise he would be "crushed" by the politicians "downtown." King did not respond to CNN's request for comment.

Internal emails show KSU's technology staff acknowledged the elections system had "40+ critical vulnerabilities" in October 2016, but when Lamb and a colleague checked the website more than six months after his original discovery, he says, the vulnerabilities remained.

Lamb's colleague notified a KSU faculty member, who then alerted the university's technology services office, which finally firewalled the website in March 2017, according to the lawsuit and a KSU report filed in court.

An investigation was launched by the FBI and closed without comment.

A KSU statement in March 2017 stated that, based on a briefing by the FBI, there was no indication of illegal activity and no personal information was misused. The university said university employees "immediately isolated the server and contacted the Office of the Secretary of State" when its officials were notified in March.

Kemp called the breach "deeply concerning," and although he announced plans to end the arrangement with the center, his office renewed the KSU contract to manage the election system one last time in July 2017.

Kemp did not openly criticize KSU until a letter from the state attorney's office sent in October revealed KSU staffers had wiped the election system's hard drives, deleting potential evidence relevant to the lawsuit. The disclosure prompted outrage from the lawsuit's plaintiffs and was detailed in a report by the Associated Press.

A KSU spokesperson did not respond to CNN's questions about why the server's hard drives were wiped.

Kemp responded with a Facebook post in which he called the decision "reckless" and condemned "undeniable ineptitude at KSU's Center for Election Systems."

Charles Amlaner, a former vice president for research at KSU who signed some of the university's contracts, said Kemp's office did not include data security specifications in its election-system contracts with KSU for years . He said he found that unusual because most other government contracts involving sensitive data he has reviewed have contained multiple pages outlining security requirements.

"These contracts were pretty slim on detail. If you don't give us rules and regulations on data security, how do you expect us to abide by them?" he said.

In response, Kemp's office said the university had security protocols in place but didn't follow them.

"There were extensive security protocols in place at the university, and every part of the university -- including the Center for Elections Systems -- was expected to follow them," said Candice Broce, spokeswoman for the Georgia Secretary of State's office. "When the Center failed to comply, the state added additional security provisions before ultimately terminating this contract and moving all operations in-house. Secretary Kemp made the right call."

A review of two contracts by CNN found that only after the breach's exposure in 2017 was language inserted mandating that the center "implement data security policies that adhere to all current IT policies."

The contract with KSU's Center for Elections Systems ended, but Kemp's office offered a job to a director of the center.

Kemp has criticized news reports that raise questions about the integrity of state election systems. He wrote in a recent USA Today op-ed that states are doing enough to secure their own voting systems.

Kemp also blasted efforts by the Department of Homeland Security under the Obama administration to label states' voting systems "critical infrastructure" in 2016, which would enable the federal government to give states cybersecurity assistance. He has described the proposed designation as federal government overreach.

Although he has said the implementation of paper ballots for the upcoming November elections is unnecessary, Kemp leads a Georgia commission researching ways to improve the state's aging voter system and he supports the deployment of a new system by the 2020 election.

Georgia is one of only a few states that currently use voting machines statewide without paper trails. Paper records make manual recounts possible in the event of a contested election or alleged tampering.

Richard DeMillo, a Georgia Tech professor who studies election security and computer science, said he is concerned by the absolute assurance with which Kemp talks about Georgia's election system's security because there's no evidence the state has conducted a forensic review of all its servers. He said improvements to Georgia's voting system should have been implemented years ago.

"To say Georgia's system is totally secure you would have to believe there is a magic umbrella over the state protecting it," DeMillo said. "I don't understand where that reasoning comes from."

West Lafayette
Clear
64° wxIcon
Hi: 80° Lo: 53°
Feels Like: 64°
Kokomo
Clear
63° wxIcon
Hi: 78° Lo: 51°
Feels Like: 63°
Rensselaer
Clear
63° wxIcon
Hi: 79° Lo: 50°
Feels Like: 63°
Fowler
Clear
63° wxIcon
Hi: 78° Lo: 52°
Feels Like: 63°
Williamsport
Clear
58° wxIcon
Hi: 77° Lo: 51°
Feels Like: 58°
Crawfordsville
Clear
60° wxIcon
Hi: 78° Lo: 53°
Feels Like: 60°
Frankfort
Broken Clouds
60° wxIcon
Hi: 79° Lo: 51°
Feels Like: 60°
Delphi
Clear
61° wxIcon
Hi: 80° Lo: 51°
Feels Like: 61°
Monticello
Clear
61° wxIcon
Hi: 81° Lo: 51°
Feels Like: 61°
Logansport
Clear
59° wxIcon
Hi: 78° Lo: 50°
Feels Like: 59°
Very Warm, Then Rainfall Potential, Followed by Much Cooler Weather
WLFI Radar
WLFI Temps
WLFI Planner

Indiana Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 113337

Reported Deaths: 3530
CountyConfirmedDeaths
Marion20936761
Lake10334319
Elkhart6438109
St. Joseph6226103
Allen6060200
Hamilton4761109
Vanderburgh349430
Hendricks2681122
Monroe251236
Tippecanoe231213
Johnson2279123
Clark215756
Porter209046
Cass19339
Delaware189561
Vigo178524
Madison161075
LaPorte138239
Floyd132161
Howard129063
Warrick122336
Kosciusko120617
Bartholomew115357
Marshall99424
Dubois95918
Boone95646
Hancock91443
Grant89733
Noble89432
Henry78125
Wayne74714
Jackson7429
Morgan70638
Shelby66629
Daviess65428
Dearborn63928
LaGrange63211
Clinton59513
Harrison56424
Putnam53810
Lawrence50628
Montgomery50521
Knox5039
Gibson4894
White48214
DeKalb46311
Decatur45739
Miami4303
Greene41935
Fayette41813
Jasper3862
Steuben3747
Scott35910
Sullivan33112
Jennings31212
Posey3090
Franklin30325
Clay2985
Orange28624
Ripley2828
Carroll27113
Wabash2628
Washington2611
Whitley2556
Starke2537
Adams2523
Wells2503
Jefferson2443
Fulton2352
Huntington2223
Spencer2223
Tipton22022
Perry21513
Randolph2097
Jay1750
Newton17211
Owen1671
Martin1640
Rush1534
Pike1411
Vermillion1260
Fountain1202
Pulaski1151
Blackford1133
Brown1033
Crawford1030
Parke961
Benton880
Ohio777
Union770
Switzerland690
Warren391
Unassigned0225

COVID-19 Important links and resources

As the spread of COVID-19, or as it's more commonly known as the coronavirus continues, this page will serve as your one-stop for the resources you need to stay informed and to keep you and your family safe. CLICK HERE

Closings related to the prevention of the COVID-19 can be found on our Closings page.

Community Events