Despite ample warning of the feeble condition of the state’s election infrastructure, officials failed to address vulnerabilities before the 2016 election.
Election officials in Georgia knew well in advance of the 2016 election that their equipment lacked essential security measures. Emails recently obtained through a records request demonstrate that despite several months’ warning, the state was unable to address fundamental problems with its voting infrastructure.
Officials knew as early as August 2016 of key vulnerabilities with the electronic voting system in use statewide. The emails revealed that a cybersecurity official pointed out “critical vulnerabilities” just a month before the November election date.
Experts contend that the state’s election software is so vulnerable that any experienced hacker could easily manipulate the system; access administrative privileges; and change, add, or erase anything. Tests in the months following the 2016 election further revealed the ease with which Georgia’s infrastructure can be compromised.
Georgia contracts with Kennesaw State University to manage its election system. An official with the university warned state officials of “opportunities for malicious users.” The organization had been on the defensive since a cyber-watchdog group managed to access critical storage of confidential material including voter data and account credentials.
The state legislature is currently considering a bill, HB 680, that would replace its electronic voting machines with a paper ballot system. Concerns about the vulnerability of the touchscreen equipment in use for the past 16 years have driven many representatives to consider other options. The “direct record” electronic machines produce no paper record of votes cast, rendering election audits impossible.
The emails between election officials underscore just how insecure the system was — and still is. Georgians will vote on the same kind of DRE machines in the upcoming midterm elections: the switch to paper ballots wouldn’t take effect before the 2020 presidential election. Despite bipartisan support, HB 680 has yet to pass the House Governmental Affairs Committee.
Nationwide, managing election security remains firmly in the hands of states, a situation that Georgia Secretary of State Brian Kemp celebrates. In August 2016, he pushed back against an attempt by the federal government to categorize election equipment as “critical infrastructure,” citing concerns of an intrusion on state’s rights. Days later, an independent researcher told the Center for Election Systems at Kennesaw that the software in use in Georgia to cast ballots and manage voter registration could be easily manipulated.
The state did little to address the issues before the 2016 election — despite encouragement in mid-October from the technical coordinator at the Center for Election Systems that a software update could address many of the “critical vulnerabilities” built into the infrastructure.
According to the website McClatchy DC, Kemp still thinks Georgia’s elections are secure. He established a commission to evaluate strategies to replace voting machines before the 2020 election. Kemp is the Republican nominee for governor in Georgia this fall.
Nevertheless, in March 2017, a different cybersecurity professional managed to access voter registration records, including voters’ Social Security numbers. Shortly thereafter, the FBI began a short investigation that found no evidence of a breach by a malicious actor.
Months later, citizen advocates filed a lawsuit against the Kennesaw Center for Election Security and the Secretary of State’s office, hoping to drive forward a transition to paper ballots. The lawsuit contends negligence and misconduct on the part of both entities.
Central to the lawsuit were allegations that Kennesaw had deleted key records, which through an open records request, the plaintiffs found to be true. The Center had destroyed records after the lawsuit began. Curling v. Kemp is currently in litigation.
In July 2018, special counsel Robert Mueller’s investigation into Russian interference found that operatives had “visited the websites of certain counties in Georgia, Iowa, and Florida to identify vulnerabilities.” Kemp maintains that the state was never hacked or targeted by foreign actors.