Plaintiffs Talk Cybersecurity While State Pushes Back Against Last-Minute Change
Will Georgia be vulnerable to cyber attacks in the midterm elections, and should it therefore switch to paper ballots? A federal judge will decide by Monday.
After a grueling nine hours of testimony, cross-examination by two teams of attorneys, and intermittent uproar from some 100 members of the public, US District Judge Amy Totenberg left unclear Wednesday night whether she will force Georgia election officials to scrap voting machines in favor of paper ballots for the upcoming midterm elections.
It was a small group of Georgia voters — together with the Coalition for Good Governance, a North Carolina nonprofit organization — that brought suit against the state. They cited the views of a growing number of computer experts in Georgia and nationwide — including a National Academy of Sciences (NAS) report released last week — that the touchscreen voting machines used in the state are vulnerable to cyberattacks, and that paper ballots allow for election audits in case of disputes.
Having a scarcity of supporting details (which apparently tried Judge Totenberg’s patience), the state argued that it has made Georgia’s voting system more secure since computer researcher Logan Lamb first gained access online in late August 2016 to personal data of some six million Georgia voters, as well as information on how the state was planning to run the presidential elections, including passwords on how to access polling site training information.
Election officials, including Richard L. Barron, director of registration and elections for Fulton County, the largest of Georgia’s 159 counties, testified that changing the voting system less than two months before the November 6 election would be too much of a burden and create chaos for voters.
“The old paper ballots are more secure than the computers in use — unless you have corrupt elections officials in Georgia.”
Despite the fast-approaching midterms — which include a race for governor that pits Georgia’s top elections official, Republican Secretary of State Brian Kemp, against Democrat Stacey Abrams — Judge Totenberg cited her own packed schedule in announcing that she would not decide on the case until Friday (or Monday at the latest).
The hearing in downtown Atlanta attracted so many people that the federal authorities had to open an additional courtroom, providing members of the public with audio of the proceedings and a screen to display images of any items introduced. Many of the onlookers reacted with laughter, “amens,” and even applause throughout the day.
A guard at the federal building’s entrance said he hadn’t seen a crowd so large for a case during his four years at work for the district court. He had just finished telling attendees lining up before the hearing’s 10 a.m. start that the court had run out of claim tickets for them to check in their cellphones, similar to a coat check system at a restaurant or theater. The remaining people in line had two choices — run to their cars in a busy downtown and leave their cellphones behind, or not attend the hearing.
Attorney David Cross, who represented the plaintiffs, Donna Curling, Donna Price, and Jeffrey Schoenberg, noted a stark difference between the two sides in the proceedings.
“There’s not a single cybersecurity expert on their side of the room,” he pointed out.
Instead, the state called on Cathy Cox, Georgia secretary of state from 1998 to 2006, the period during which the state first adopted touchscreen machines. Cox testified that changing to paper ballots before November 6 would be difficult, given the time remaining before Election Day. “I have faith in this whole system we devised,” she added.
U.S. District Judge Amy Totenberg will hear from academics, cybersecurity experts & public officials during an all-day hearing Wed. over whether the state should use paper ballots during the midterm elections https://t.co/XnT6pbJ02Z #galegal #gapol #ele… pic.twitter.com/EqnPVZBjWD
— Kaylor Gomez (@southmanjr1) September 12, 2018
The state also sought to cast doubt on the computer experts’ testimony about the vulnerability of so-called direct-recording electronic (DRE) voting machines by citing alleged differences between the machines used elsewhere and the particular machines and systems Georgia uses. John F. Salter, an attorney representing the state, underlined the point in a caustic reference to plaintiff attorneys as “my friends from up North.”
But Judge Totenberg not only called attention to federal intelligence reports of Russian digital intrusions into US election systems in 2016, but also to more recent private-sector cybersecurity breaches.
“For the state to say there’s no difference in the world we are living in now … is asking me to believe we are living in Alice in Wonderland,” she said at one point. “It would be more helpful if the state would not point me to cases that are older and not dealing with the issues we are faced with now,” she added.
“You don’t know anything about the state of Georgia! How many times have you been here? Do you even know where the big chicken is?”
Alex Halderman, professor of computer science and engineering at the University of Michigan and witness for the plaintiffs, echoed Judge Totenberg in his testimony: “When I began my research in 2006 … we were thinking about threats such as dishonest candidates. Everything changed in 2016. Threats by nation-states are now much more serious.”
Asked whether he considered DRE machines vulnerable to malware or other threats, former Georgia governor and attorney for the defendants Roy E. Barnes objected. He noted that Halderman had not studied the same DRE machines that Georgia uses, and commented that “the sun doesn’t rise the same way in Michigan as it does in Georgia,” drawing laughter from the public and the judge.
Barnes would go on to tell Halderman “You don’t know what’s been done” since Lamb first discovered how easy it was to break into the state’s voting system, followed by a similar effort in 2017 by fellow researcher Christopher Grayson. Again, Judge Totenberg broke in, labeling the state’s explanations of measures taken to secure the system as “oblique.”
Barnes continued waving his hands and pointing his index fingers at Halderman. “You don’t know anything about the state of Georgia!” he thundered. “How many times have you been here? Do you even know where the big chicken is?” — the latter a reference to a Marietta KFC store with a 56-foot-tall steel chicken that rises from its roof. But Halderman appeared unfazed, and soon after replied, “The old paper ballots are more secure than the computers in use — unless you have corrupt elections officials in Georgia.” The courtroom erupted in applause.
After a short lunch break, Richard DeMillo — computing professor at Georgia Tech, former cybersecurity director at the Department of Defense, and witness for the plaintiffs — said the voting machines the state uses are “built on top of 25-year-old computing systems.” Again, an attorney for the defendants asked, “Are you familiar with Georgia machines?” DeMillo replied, “I don’t think there’s such a thing as a Georgia machine. The idea of a Georgia machine from the point of view of cybersecurity doesn’t really make much sense.”
The state continued to claim that its election system had been made more secure in recent months. And again Judge Totenberg pressed against the claim: “I trust you’re going to present some actual affirmative evidence?”
Late in the afternoon, Michael Barnes, director at Georgia’s Center for Election Systems when Lamb was able to gain access to voting information, took the stand and described recent steps taken to increase security, such as adding password verification and building a new system for building ballots. Lamb, who sat in the front row through the day’s proceedings, traded glances with fellow computer researchers sitting on either side.
At one point, Barnes said, “I’m not a computer scientist, and I don’t claim to be.” Judge Totenberg asked if the state had “done anything to determine the scope of the threat” that Lamb and others had exposed. “Has the secretary of state employed a cybersecurity expert?” she added. Barnes named Merritt Beaver, who is listed on the secretary of state’s website as Chief Information Officer, or spokesman, and whose LinkedIn page lists such “specialties” as “product management, software development, and professional services” — but not cyber security.
Again, the judge interjected — “The problem is, the state keeps saying they do things differently now.”
By 7 p.m., Judge Totenberg decided to wrap up the proceedings. By way of summary, she offered: “Times change, and I will be quickly evaluating the situation in terms of cybersecurity and cyber crime. And we have a lot of concern that’s been expressed nationally by recognized bodies — and not just the NAS … These are big issues. It affects the credibility of the system. No one wants their vote to be insecure, diluted, or altered. At the same time,” she continued, “this is a Catch-22 … I’m concerned we’re here at the 11th hour … I don’t want people to be standing in line outside polls, or giving up … It’s a big job to put on an election.”
Afterward, on the downtown Atlanta sidewalk, Logan Lamb and fellow computer researcher Matthew Bernhard traded ideas on how hackers could use what state staffers had mentioned in the courtroom earlier to gain access to Georgia’s voting system today, if they wanted to. As testimony had landed on details such as flash drives, CDs, and telephone lines transmitting voting results, Lamb said he was thinking about ways he — or any computer expert — could still get into the system. “I kept asking myself, ‘Why are you telling us this?’”
Related front page panorama photo credit: Adapted by WhoWhatWhy from court (US Courts).