By Greg Gordon, Christine Condon and Stanley Dunlap
McClatchy Washington Bureau
WASHINGTON — Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached.
But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.
The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country.
“I am sure that you are aware that these are opportunities for malicious users to gather account credentials,” William Moore, a cybersecurity official on a Kennesaw State University team tasked with running Georgia’s election system, wrote to a colleague in October.
Officials at Kennesaw State’s Center for Election Systems were struggling to respond to the report of a cyber watchdog who nosed around the system to test its defenses two months earlier and wound up gaining access to a colossal, 15-gigabyte store of confidential material, including voter data and passwords to the system.
The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections.
“I think these emails reveal that they recognized this system was catastrophically insecure,” said Robert McGuire, a Seattle lawyer representing citizen activists in a lawsuit that seeks to force Georgia to scrap its paperless electronic voting machines this fall and shift to paper ballots.
Secretary of State Brian Kemp, whose office oversees the state’s elections, says he was unaware of the system vulnerabilities at the time. Kemp, the Republican nominee for governor in this fall’s election, still maintains Georgia’s system is secure.
However, Kemp has created a commission with members of both parties to examine how to replace the state’s voting system in time for the 2020 election.
McGuire said cyber experts refer to the breach of the center’s Drupal servers as “Drupalmageddon,” a condition that “would let a malicious person take over as administrator of that server, like you had the root password.
“It means they could be sitting at the keyboard with access to everything ... They could write stuff, change stuff, take stuff off,” he said.
The emails show that, even in March 2017, months after the election, the center’s technical team was still scrambling for solutions when a second Georgia cybersecurity expert visited Kennesaw State’s electronic mothership for the state’s 159 county election systems. He, too, reported gaining access to confidential records on millions of voters.
Continuing revelations about the system’s security challenges have forced Kemp to confront a storm of questions, both about his stewardship of Georgia’s election system while serving as secretary of state since 2010 and about the Kennesaw State center’s destruction of records in the face of a citizen lawsuit.
Georgia, along with four other statewide systems, uses aged electronic voting machines that lack a paper trail for use in recounts or audits to verify the accuracy of the reported vote. As a result, experts say, the system may be an inviting target for operatives to install software that manipulates votes without detection.
During a White House briefing on Thursday, Homeland Security Secretary Kirstjen Nielsen said U.S. adversaries — presumably including the Kremlin — have exhibited “a willingness and a capability” to go beyond Russia’s sophisticated social media blitzes and email hacks of 2016 and this time penetrate America’s election infrastructure, including voter rolls and voting machines.
A federal indictment issued July 13 by Justice Department special counsel Robert Mueller alleges that Anatoliy Kovalev, one of a dozen Russian intelligence officers charged with hacking Democrats’ emails and attempting to penetrate state voter registration systems, scoped out Georgia county election websites in October 2016 “to identify vulnerabilities.”
Homeland Security officials notified Kemp’s office that websites for Fulton and Cobb counties, covering Atlanta and its outskirts, were among those visited, said Kemp spokeswoman Candice Broce, confirming a report by the Atlanta Journal-Constitution.
Kemp has sought to distance himself from Kennesaw State’s center, whose contract he cut short in October 2017 when it was disclosed center officials had wiped its election system server and a backup clean. He responded to the disclosure that the servers were wiped with a Facebook post, saying Kennesaw State officials never notified his office of the server’s vulnerabilities or of plans to destroy documents. He assailed the center for “undeniable ineptitude.”
“This pattern of reckless behavior is exactly why we are ending our relationship with KSU” and moving the job “in-house,” mirroring the arrangement in most other states, Kemp said.
At the time the server data was erased, center officials were defendants in a federal lawsuit over the system’s security gaps for which relevant records should have been preserved. In addition, they were subject to a federal law banning the destruction of voting records for 22 months after elections.
“The timing of the server being destroyed is suggestive that they intended for us not to know what’s on there,” McGuire said. “Circumstantially, why would you destroy something right when you’ve been served with a lawsuit?”
Marilyn Marks, a North Carolina-based voting security activist who has led the challenge to Georgia’s election integrity, said if Kemp “was unaware of the massive security failures, breaches and compromises of the election system ... he was either grossly negligent or willfully blind.”
Richard DeMillo, a former chief technology officer for Hewlett Packard and past dean of Georgia Institute of Technology’s computer science school, said Kemp’s office “is prone to misrepresenting the security posture of Georgia’s election system, to saying things that have been demonstrated to be false and to offering misleading explanations to why Georgia voters should trust the security of their systems.”
For some 15 years, Kennesaw State ran Georgia’s elections from a low-slung brick building that DeMillo likened to operating “out of someone’s basement.” There were no bars on the windows, and the front door had no special security, he said.
A Politico magazine story published in June 2017 suddenly focused national attention on Kennesaw State’s Center. The story described how Logan Lamb, a young online security researcher for Bastille Networks, visited the center’s website in August 2016 and found he could easily download 6.7 million voter registration records.
Lamb emailed the election center’s executive director, Merle King, and reported that the voting system’s software and other documents were “completely open.”
“There’s a strong probability that your site is already compromised,” he wrote.
The next day, the emails show, the center’s No. 2 official, Michael Barnes, wrote of blacklisting Lamb from accessing the website before changing his mind and ordering scans on the system. Within hours, Steven Dean, the center’s technical coordinator, joined in expressing concerns about the system’s security.
Kennesaw State officials did not immediately respond to requests for comment.
In September, as the problem of reconfiguring the server became more complex, Dean wrote to his colleagues at Kennesaw State: “We’ve discovered we’re a little out of our depth.”
DeMillo said that once Lamb alerted the center of the breach, officials should have notified Kennesaw State’s far more skilled chief information officer, whose staff “should have descended on the system” and “would have known what to do.”
Kennesaw State officials did not immediately respond to requests for comment.
The emails show that center officials instead conducted security scans of their servers to try to detect the vulnerabilities. Their findings included search engines such as Google had stored links to some of the center’s documents.
When Lamb’s friend, Christopher Grayson, confirmed the same vulnerabilities in March 2017, he reached out to a Kennesaw State University lecturer on information security, Andy Green.
Green phoned the center and warned in an email that the security shortcoming could allow outsiders to access important files without authentication, including Social Security and driver’s license numbers.
Shortly thereafter, Stephen Gay, the university’s chief information security officer, confirmed that millions of records on Georgia voters were open to the public.
“Understanding the risk associated with this vulnerability, we have closed all firewall exceptions for elections.kennesaw.edu,” a way of shutting off access, Gay wrote.
This time, the FBI was alerted. Bureau agents took possession of the servers and investigated for more than two weeks.
Their investigation yielded no data that “escalates to the point of breach,” according to an incident report from Kennesaw State’s information security office. The emails indicate the FBI possessed a forensic image of the server.
On March 31, 2017, university officials said in a statement that “no personal information was compromised.”
Broce said the system has been regularly tested and, “there is no evidence that any component has been compromised, but we continually monitor for that and have contingency plans in place in the event something does occur.”
“We do not take election security for granted,” she said.