Brian Kemp Was Warned of a Cyber Vulnerability. He Weaponized It—Again


Georgia Secretary of State Brian Kemp at a campaign rally in Macon on Sunday. John Bazemore / AP Photo

 


Georgia’s secretary of state and Republican gubernatorial candidate has a history of attacking those who point out the flaws in his state’s election cybersecurity.

This article has been updated with responses from the Georgia Secretary of State’s office.

Georgia Secretary of State and Republican gubernatorial nominee Brian Kemp’s office seems to have a cybersecurity problem. With less than 48 hours before voters go to the polls in Georgia, Kemp announced his office was investigating the Georgia Democratic Party for an alleged failed hack of the secretary of state’s voting website.

The leader of an organization that claims to have disclosed these cyber vulnerabilities to his office says the blaming of his political opponents is both “fabricated and preposterous.” It is part of a pattern of Kemp not securing voting systems, then politicizing and weaponizing his cybersecurity vulnerabilities against those who report them.

This weekend’s accusation of the Democratic Party hacking the state appears to stem from information passed to Kemp’s office, warning him of what was described to Route Fifty as a “massive vulnerability” in the Georgia My Voter Page, a portal that allows residents to check their voter registration status, mail-in application and ballot status, along with other voting information.

A voter who had accessed the website for voting purposes noticed flaws, said Marilyn Marks of the Coalition for Good Governance. Marks’ organization was one of those that was sent a memo outlining how the online voter registration database used to update electronic pollbooks for election day was accessible and vulnerable to manipulation; the organization ultimately passed it along to the Secretary of State’s office.

The Secretary of State’s office has said they opened the probe into the state Democratic Party after the legal team was contacted “about failed efforts to breach the online voter registration system and My Voter Page.”

Candice Broce, a spokesperson for the Secretary of State’s office, told the Washington Post that Democrats had an email that the office interpreted as an attempted hack. The paper described the email as containing "a script attached to [the email sent to the office] that, if launched, could have been used to extract personal voter registration data.”

“Our position is that these were failed attempts to hack the system," Broce told the paper. "All the evidence indicates that, and we’re still looking into it.”

The office believed the collective evidence provided to them was enough to ask for law enforcement to investigate, as they asserted planning a hack is enough to constitute a crime.

The organizations that received the information about the alleged problems are among those suing the secretary of state for the high rate of rejections of absentee mail ballots in Georgia, as well as the Democratic Party.

Marks told Route Fifty the organizations had six cybersecurity experts of “national preeminence” in the computer science world review the data. All of them came to the same conclusion that the vulnerability was real and significant.

“The experts who did look at it immediately recognized the problem with a quick look and realized delving in further could be problematic from a legal standpoint,” Marks said. “And these aren’t people that come at this from a political standpoint, they’re scientists.”

Marks said the experts said the flaw could leave Georgia residents wide open to not just identity theft, but to having their names altered or eliminated from the electronic pollbooks that govern who is allowed to vote in the state.

By Saturday, both groups decided to pass information on the vulnerabilities along to the secretary of state.

"We cannot evaluate whether pollbook data has been altered or whether this extreme security risk may impact Tuesday’s election," Marks wrote in an email release. "We again urge Secretary Kemp and the State Election Board to do everything humanly possible to correct errors in pollbooks for use on Tuesday and make a paper backup copy for every polling location."

With Georgia lacking a paper trail for ballots or pollbooks—other voting vulnerabilities that Georgia has successfully defended itself against fixing in court—the flaw opens up the potential for mass disruption in voting.

Later on Saturday, Kemp’s office released the statement accusing the Democratic Party of hacking the website, bringing national attention to the issue. The Democratic Party has called the claims "100 percent false," and his opponent in the governor’s race, Democratic nominee Stacey Abrams, called it “an attempt to distract voters.”

Marks told Route Fifty the vulnerabilities on the website were not fixed as of late Sunday night, according to the security researchers her organization was in contact with. The Democratic Party of Georgia posted a news release that included the emails that were passed along to the Secretary of State's office as part of the explanation of the vulnerability on the Georgia My Voter web portal.

Matt Bernhard, an election security researcher at the University of Michigan, who reviewed and confirmed the vulnerabilities for the organizations on Sunday, posted on Medium that he had concerns that the flaws may be evident in 15 other state election voter registration systems managed by the same third-party vendor.

This is not the first time Kemp has had a cybersecurity incident, nor used it to political ends. Over the course of multiple incidents in the past four years, Kemp has increasingly used political tactics to cover up for cyber mismanagement within his office.

In 2015, the personal information of more than 6.2 million Georgia residents was accidentally released by Kemp’s office to multiple third parties. That information included Social Security numbers and birth dates of voters. Kemp released a statement taking full responsibility for the breach, and fired the employee he said was responsible for the disclosure.

The fired employee, while admitting to making some mistakes, claimed to be a “scapegoat” in an interview with The Atlanta Journal-Constitution following the incident. The employee pointed the finger at bad practices within the office and at a third-party vendor, PCC Technology Inc. The incident led to a lawsuit against Kemp and his office. It also led to political attacks from state Democrats that pointed to previous reports of mismanagement in other databases under his office’s jurisdiction, stating, “Kemp has proved incapable of handling large amounts of data.”

“I have put in place additional safeguards effective immediately to ensure this situation does not happen again,” Kemp said at the time.

Despite this scare, Kemp was not interested in outside support to shore up his cyber defenses. Less than a year later, as evidence came out that Russia was leading a series of cyber-related manipulation efforts against the United States in the lead-up to the 2016 election, officials responsible for voting quickly began to concern themselves with the state of their cybersecurity.

The U.S. Department of Homeland Security offered help to scan all state election systems to look for flaws in their cyber defenses. Kemp was one of only two state election leaders to decline support.

That wariness of DHS took on a tinge of conspiracy soon thereafter. Kemp accused the Obama administration’s DHS of attempting to hack Georgia’s voter database. The DHS inspector general, under President Trump’s administration, came back and said there was no malicious attack on the state.

“While I am disappointed that it took a new administration to investigate this highly important incident, I am pleased to learn this information and relieved that our federal government is not trying to interfere with elections in our state or others involved in this situation,” The Atlanta Journal-Constitution quoted Kemp as saying at the time.

While absolving DHS under Trump from potentially having hacked his election system, the state had found a new person to blame for his cybersecurity woes: Logan Lamb, an internet security expert in Georgia. As outlined in a 2017 Politico article, Lamb knew that Kennesaw State University’s Center for Election Systems tested and programmed voting machines for the state. He found “the mother lode” when looking at their website:

“... registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot.”

While these files were supposed to be protected behind a firewall, they were available to everyone. Similarly to the accusations in the current incident, the lack of a paper trail or paper pollbooks left the ballot open to manipulation.

Lamb attempted to warn Kennesaw State. When the vulnerabilities were not fixed and he and his colleague continued to sound the alarm, news reached the secretary of state’s office, the governor’s office and the media. Ultimately, the FBI was called in to investigate Lamb and the colleague for potential criminal acts. They found none.

It is a regular affair for responsible cybersecurity researchers to alert both public and private sector entities to flaws in their online systems. Many private and public entities offer "bug bounties" to encourage reporting of vulnerabilities in their systems—including the military. Georgia has not. In fact, outgoing Governor Nathan Deal had to veto a "computer crime" bill (SB 315) last session after a national outcry that it would have made the sort of research done by "ethical hackers" a crime.

PCC Technology, which bills itself as a “premier provider of solutions for Secretaries of State across the country,” still manages voter registration (including online registration) and election management for the state of Georgia.

Kemp’s opponents have raised ethics questions about his running for governor while managing the election process. Back in August, Georgia Democrats requested that Kemp resign from his role as secretary of state to avoid conflicts of interest. He refused.

Georgia’s election efficiency has not fared well under Kemp according to the Massachusetts Institute of Technology’s Election Performance Index. The index rates how states fare on a range of indicators that rank the efficiency of an election, from ballots cast and rejected to voting wait and tools available. Since Kemp became Georgia’s secretary of state in 2010, the state has fallen from fourth in 2008 to 34th in the nation.

Mitch Herckis is Senior Editor and Director of Strategic Initiatives for Government Executive’s Route Fifty.
