Georgia Secretary of State (and GOP gubernatorial candidate) Brian Kemp and other election officials have ignored or downplayed the vulnerabilities of the state’s aging voting machines, while pushing back hard against legal action intended to address them — according to WhoWhatWhy’s analysis of testimony, declarations, and interviews associated with an ongoing lawsuit.
In the latest of a series of motions, plaintiffs in the case sought some modest steps to assure fair and accurate elections, such as audits of absentee write-in ballots. But Kemp and the other defendants persuaded US District Judge Amy Totenberg that their appeal, based partially on a claim of immunity from being sued, wasn’t “wholly frivolous.” Last week she punted the case to the 11th Circuit.
The case centers on the efforts of two “white hat” hackers who easily accessed information on 6.7 million voters and on how to run statewide elections: Logan Lamb, in August, 2016; and Christopher Grayson, in February, 2017. Each of the computer researchers was able to see all this information on a server maintained by the Center for Elections Systems (CES), then housed at Kennesaw State University (KSU). (The center is now at the secretary of state’s office.)
On September 17, five days after the only hearing on the merits of the case held to date, Judge Amy Totenberg issued a ruling against the preliminary injunction then sought by plaintiffs, which would have forced the state to use paper ballots in the midterm elections. The judge wrote that there simply wasn’t enough time to make the switch. But she clearly understood the plaintiffs’ concerns about a deliberate failure to respond to the election system’s weaknesses on the part of Kemp and his associates. In a much-quoted phrase, she wrote: “Defendants and State election officials … buried their heads in the sand.”
A less-quoted phrase followed: “This is particularly so in their dealing with the ramifications of the major data breach and vulnerability at the Center for Elections Systems, which contracted with the Secretary of State’s Office.”
So how did the state “bury its head in the sand” in dealing with the data breach and the events that followed? WhoWhatWhy looked at the state’s own testimony under oath, as well as interviews with computer experts and under-reported details about the state and the center’s approach to investigating the vulnerabilities exposed and studied by Lamb, Grayson, and others.
Lamb’s Work — Nothing to See Here
When Logan Lamb, then a 20-something former Oak Ridge National Laboratory researcher, first entered the state’s election system online on August 24, 2016, he not only found information on millions of voters. He also was able to download the databases of the servers from at least 15 counties used to create ballot definitions; program memory cards; and tally, store and report votes, according to his declaration included in the lawsuit. Lamb also found passwords for Election Day supervisors.
In an August 28 email to Merle King, executive director of the CES, he warned, “assume any document that requires authorization has already been downloaded without authorization.”
For six months, for some reason that has still never been explained, neither the CES nor Kemp’s office did anything to remedy the vulnerabilities Lamb identified; his colleague, Grayson, was able to see the same documents and files online in late February, 2017.
Then, Grayson, a Georgia Tech graduate and security engineer for Snapchat, contacted someone he knew at KSU; the CES finally started moving. Shortly after, the FBI visited Lamb’s Atlanta home. The agency’s investigator quickly established that the computer researchers had not done anything illegal, or tampered with anyone’s ID, according to a KSU announcement. But, Lamb told WhoWhatWhy, the questions he was asked focused only on “what tools I used, and what I did with the data.” The agency made no effort to ask Lamb about the vulnerabilities he found, or about possible previous exposures of the state’s election system.
“They could’ve done a forensic investigation, but they didn’t ask me anything along those lines,” he said.
In the months that followed, neither did the CES, or the state. In the September 12 hearing, David D. Cross, attorney for the plaintiffs, noted that the state had not produced detailed evidence in response to their preliminary injunction that would demonstrate the election system had not been compromised in years past. And if it had been, whether this could affect elections in the present — or even that such an investigation had been undertaken.
Late in the eight-hour hearing, Bruce P. Brown, also attorney for the plaintiffs, asked Michael Barnes, director of the CES and a career staffer in the secretary of state’s office and the CES, “whether at KSU or at the Secretary of State’s office, did the Secretary of State undertake any forensic examination of the computer systems that were at KSU? Any of them?”
His answer: “I know that those servers were inspected by the FBI. But the Secretary of State, no, sir.”
So the person with the most knowledge of what was exposed on the state’s election system, Logan Lamb, was not questioned by the FBI about any signs of past cyber exposure or attacks , or whether, in his opinion, there was reason to be concerned about such a thing, and Kemp’s office also didn’t bother to look into the subject.
Judge Totenberg also pressed the state on whether it had investigated the implications of Lamb’s discovery, later verified by Grayson. “Well,” she asked Barnes, “have you done anything to determine … the scope of the issue that Mr. Lamb brought to your attention so you are able to know whether … it might have had a larger impact?”
Barnes replied by naming what he thought Lamb did not have access to: software for creating ballots, for example. But he did not name any investigation, or what an investigation’s findings might have been.
Brown, attorney for the plaintiffs, followed the judge’s inquiry by asking if Barnes had read testimony by Richard Demillo — professor of computing at Georgia Tech and former chief technology officer at Hewlett-Packard — detailing how “an intrusion by Mr. Lamb or someone who did what he did could contaminate the system.”
Barnes replied: “I have reviewed them. Have I analyzed them and read through them for all content? I have not.”
The attorney continued: “has the Secretary employed a cyber security expert to review those allegations to determine whether or not you need to do something more?”
“I know that the CIO for the Secretary of State’s office has been highly engaged in analyzing how our systems are set up now within the Secretary of State’s office,” Barnes replied. “Any additional analyzation [sic] of that, I cannot speak to.”
Again, this is the director of the Center for Elections Systems, speaking, under oath, about whether the state has paid any attention to what a nationally recognized cybersecurity expert has written about vulnerabilities identified in the state of Georgia’s election system.
Barnes’s reply refers to a CIO, or Chief Information Officer. He names Merritt Beaver as the CIO, whose LinkedIn page identifies 22 skills, none of which are cybersecurity. Beaver is “an innovative technology executive … [and] a driven leader who is able to develop business strategy, implement change, [and] formulate and execute business plans to maximize corporate resources,” according to the same page.
At this point in the hearing, the judge again interrupted, pointing out that everything the state had said or written amounted to them asserting, “they [the secretary of state’s office] do things differently now.”
“But I don’t really know in the end then — you are not able to say what the department did to fully get to the bottom … of why that would have been accessible to Mr. Lamb.”
“I cannot speak to that,” Barnes answered.
“And why his colleague said it continued to be available six months later.”
“I can’t speak to that,” Barnes repeated.
“And the department doesn’t have any information and you — as the division of head of elections, you don’t have any information on that?” the judge continued.
“Not on that, no, ma’am.”
Drupal — Good Luck, You’ll Need It
One of the many vulnerabilities Lamb identified in the state’s election system was a content management system on the KSU server called Drupal. This system is “vulnerable to an exploit called ‘drupageddon,’” Lamb wrote in his declaration. “Using drupageddon, an attacker can compromise a vulnerable server with ease. A public advisory for drupageddon was released in 2014, alerting users” to possible attacks.
“In practice,” he continued, “this means an attacker could have created, modified, or deleted files on the web server, likely without detection.”
Drupal, wrote Lamb, “assigned this vulnerability the highest security risk score possible.” The company issued a tool to help identify servers that had been compromised, but cautioned that attackers could evade detection even with the tool. “Good luck to you,” the company stated. “You will need it.”
But, how long had the state used Drupal to manage content in its system? Garland Favorito had the same question in mind during a break at the September 12 hearing. A retired IT professional who has spent years holding public meetings about problems with the state’s election system, Favorito has prepared an analysis of the state’s response to Lamb’s and Grayson’s discoveries.
He found Barnes in the hallway outside the courtroom and asked him when Drupal was installed. “Since 2002,” the elections official said — or when Georgia started using touchscreen machines statewide.
That means “the CES web server was vulnerable for a long time,” Lamb wrote WhoWhatWhy in an email.
About six weeks after Lamb’s colleague, Grayson, notified KSU of what he had found, on April 18, the university produced a report that began by patting itself on the back for identifying the system’s vulnerability “within an hour of initial contact.” But the “contact” being described is Grayson’s, not Lamb’s, which happened half a year earlier. Neither this report, nor the state’s subsequent report, makes any mention of Lamb’s discoveries. As Favorito wrote in his own analysis, “there were no forensic action items to assess the impact of breaches that may have occurred as a result of vulnerabilities that had existed.”
In any case, a forensic investigation of the state’s servers became much more difficult several months later; in July and August, 2017, the CES scrubbed at least two servers clean.
These last incidents have been widely publicized. But it’s worth noting several points about the secretary of state’s only detailed, written response to the whole affair, a two-page report released on October 30, 2017. Kemp announced the investigation on Facebook on October 26. Kemp had nothing nice to say about the CES at KSU in the post, calling them guilty of “inexcusable conduct,” “gross negligence,” and “undeniable ineptitude” for having erased the servers.
Less than three business days later, his office’s report concluded, “KSU IT acted in accordance with standard IT procedures.” The report added, “without any oversight, permission, or direction from the Secretary of State’s office,” presumably to absolve the state of any responsibility for the incident.
Again, the report made no mention of Lamb’s findings. It was prepared by Ryan Germany — also not a cybersecurity expert, and identified on the secretary of state’s website as the department’s general counsel.
The secretary of state’s office did not respond to queries about events and facts described in this article.
When Michael Barnes was asked in court if the compromised server or other “issues that were called to your attention by Mr. Lamb in 2016 would make November 6th, 2018’s election less safe,” he replied, “I cannot think of something off the top of my head that would endanger the election in this coming November.”
But Marilyn Marks, executive director of the Coalition for Good Governance, one of the plaintiffs in the suit and a tireless election activist, doesn’t agree. After Judge Totenberg’s decision last week, she told WhoWhatWhy, “the whole idea of the case stopping and making no impact on the election means that whoever gets sworn into office, the public is never going to know who won the election.”
“When people wake up Wednesday morning,” she said, “there’s no reason for them to have confidence in the result.”