Georgia's Brian Kemp And The No Good, Very Bad Claim That Democrats Were Hacking Voter Registration System
from the can-we-not? dept
Okay, let's start with this. Can we all agree -- no matter what your party, ideological, or candidate preference -- that in any election where you are up for one of the offices, that you shouldn't be the one in charge of safeguarding the integrity of the election? This seems like a fairly basic point concerning democracy, that if you're a candidate for office, you should recuse yourself from anything involving election integrity. However, that's not the way things work around here, apparently. In at least three key elections this year, current secretaries of state, who are in charge of election integrity, are running for higher office while being in charge of counting their own votes. It just so happens that this year all three of those cases involve Republicans (and all three of those Republicans have a long and fairly detailed history of voter suppression tactics), but the issue applies equally to Democrats who might be in the same position. No one who is in charge of election integrity should ever be in the position of running for office at the same time.
But let's focus in on just one of the three individuals in that situation this year: Republican Brian Kemp, Georgia's Secretary of State, who is in a very heated campaign to be Governor of Georgia, campaigning against Democrat Stacey Abrams. As you may know, our stated policy on Techdirt is that we tend not to name the party affiliation of any politician, unless it truly matters to the story. That's because in this age of red team/blue team insanity, many people determine what they agree or disagree with depending on the color of the uniform. However, in this story, the party affiliations matter, not for which one is which (we could have posted an identical story with the party's changed), but because the dispute here clearly involves partisan politics.
As you may have heard, on Sunday, just two days before the election, Kemp (who's been getting hit with a bunch of bad headlines around his failed attempts at voter suppression in that state) announced that he had opened an investigation into an alleged "failed attempt to hack the state's voter registration system" by the Democratic Party of Georgia. Most of the headlines about this correctly noted that Kemp's office provided basically zero details to support this claim. Indeed, the entire announcement was two very short paragraphs long:
After a failed attempt to hack the state's voter registration system, the Secretary of State's office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.
"While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes," said Candice Broce, Press Secretary. "We can also confirm that no personal data was breached and our system remains secure."
Before we dig into what appears to have happened, it's time to take a little jump back in time. You see, back in 2016, Georgia Secretary of State Kemp also raised the alarm about what he claimed was an attempt by the US Department of Homeland Security to "breach" his office's firewall. Kemp sent an angry letter to then DHS boss Jeh Johnson, insisting that this was a sneaky attempt by DHS to do penetration testing and test the security of Georgia's election systems without permission.
Except... none of that was accurate. Six months later, the investigation revealed that Kemp misinterpreted someone from DHS checking an openly accessible database on the Secretary of State's site to check firearms licenses.
An earlier, internal DHS investigation into the reported incident showed that the "attempt to penetrate the Georgia Secretary of State's firewall" was actually residual traffic from a Federal Law Enforcement Training Center employee checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility.
That traffic, the first report determined, was caused by the employee cutting and pasting data from the database to Microsoft Excel, which sent light traffic to the Georgia server while parsing the data. That traffic would have been in no way abnormal.
The DHS inspector general, which operates independently from the DHS chain of command, conducted a second investigation. It validated the first report's results
That report further noted that "the DHS internet addresses that contacted the Georgia systems could not be used to attack those systems in the way Kemp described."
And, as you'll see, this article is already so long that we won't bother with more other than a link to another story about how Kemp has been credibly accused of destroying evidence in a still ongoing lawsuit about whether or not Georgia's voting system was hacked.
So, Kemp already has some credibility problems with "crying wolf" about supposed hacks of his computer systems before. And those should only increase given what appears to have lead to yesterday's claim of an "investigation." The small, but respected investigative journalism site WhoWhatWhy has a fairly detailed look at what happened and it looks really, really bad for Kemp. You see, on Saturday, the Democratic Party of Georgia had discovered massive vulnerabilities in the voter registration system overseen by Kemp, and had passed those details on to security experts... and then someone passed them along to WhoWhatWhy.
Just before noon on Saturday, a third party provided WhoWhatWhy with an email and document, sent from the Democratic Party of Georgia to election security experts, that highlights “massive” vulnerabilities within the state’s My Voter Page and its online voter registration system.
According to the document, it would not be difficult for almost anyone with minimal computer expertise to access millions of people’s private information and potentially make changes to their voter registration — including canceling it.
The publication spoke to a bunch of security experts, who all noted (correctly) that actually testing the vulnerabilities would be illegal, but...
...several logged onto the My Voter Page to look at the code used to build the site — something any Georgian voter could do with a little instruction — and confirmed the voter registration system’s vulnerabilities.
They all agreed with the assessment that the data of voters could easily be accessed and changed.
“For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,” Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. “They should not be trusted with personally identifiable information again. They have showed incompetence in proper privacy-protecting data custodian capabilities.”
From the reporting, it appears that the vulnerability is the kind of mistake that was common on the web two decades ago, that once you've logged in you can access anyone else's content just by changing the URL. Basically anyone with any degree of knowledge of online security learned to block such a vulnerability at least a decade or more ago. It is astounding that such a vulnerability might still exist online, let alone on something as vital and key to democracy as a state election system.
It appears that this is the basis of Kemp's new investigation. The Democratic Party had discovered just how poorly Kemp's own team had built its online voter registration system, and his response is to blame the messenger. Of course, we see this kind of thing all the time in writing about vulnerabilities reporting, and we've always pointed out how ridiculous it is. But here, it's been taken to a new level, because beyond the usual dynamic, here we have the Republican running for Governor overseeing the insecure voting registration system, and it's the opposing candidate's party who discovered the vulnerability. This is beyond "blame the messenger." It's "blame the messenger who not only showed my own incompetence, but is also running against me for my shot at the big time."
A later story on WhoWhatWhy details that it wasn't the Democratic Party who had discovered the vulnerability in the first place, but rather someone else, who then contacted a lawyer for someone already suing Kemp over weaknesses in Georgia's election system:
A man who claims to be a Georgia resident said he stumbled upon files in his My Voter Page on the secretary of state’s website. He realized the files were accessible. That man then reached out to one of Cross’s clients, who then put the source and Cross in touch on Friday.
The next morning, Cross called John Salter, a lawyer who represents Kemp and the secretary of state’s office. Cross also notified the FBI.
As noted above, WhoWhatWhy reached out to multiple security experts who all confirmed the vulnerability -- and apparently all five of them noted that actually testing the vulnerability would be illegal. But all five of them were able to just look at the code on the site and confirm the vulnerability was real and could be used to alter voter information in the rolls, which is an especially big deal considering that one of Kemp's voter suppression methods was to insist that if any tiny bit of your information did not match what was in the rollbook, you couldn't vote.
The report further notes that the security researchers approached by WhoWhatWhy reached out to both US intelligence officials and the Coalition for Good Government, who also reached out to Kemp's own lawyers to alert him to the problems in the system:
Bruce Brown, a lawyer for the group, then reached out to Kemp’s attorneys to alert them of the problem. At 7:03 PM Saturday night, he emailed John Salter and Roy Barnes, former governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registration files that had been discovered without any hacking at all, and that national intelligence officials had already been notified.
[....]
“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”
You really should read the entire WhoWhatWhy article (or, actually, both of the ones I've linked to here) because it goes into much more detail than I've described here, and all of it is mind-bogglingly stupid. Just to give you a taste, the report details not just one, but multiple vulnerabilities, including this:
In the code of the website — which anybody can access using their internet browser — there is a series of numbers that represent voters in a county. By changing a number in the web browser’s interface and then changing the county, it appears that anybody could download every single Georgia voter’s personally identifiable information and possibly modify voter data en masse.
In addition, voter history, absentee voting, and early voting data are all public record on the secretary of state’s website. If a bad actor wanted to target a certain voting group, all of the information needed is available for download.
“It’s so juvenile from an information security perspective that it’s crazy this is part of a live system,” Constable said.
Oh, and then there's this: while Kemp's office insist what they are misleadingly calling a hack from the Democratic Party "failed," according to the various security experts WhoWhatWhy spoke to, there didn't appear to be any logging, meaning there wouldn't necessarily be a way to see if anyone had actually changed the information. It goes on and on like this.
And, rather than admitting a fuck up of colossal proportions for a voting system, Kemp is claiming the Democratic Party of Georgia hacked the election system. Again, no matter who you support as a candidate, can we at least all agree that something is rotten in the state of Georgia when it comes to how they manage their election systems?
Filed Under: brian kemp, democratic party, election systems, georgia, hacking, politics, stacey abrams, voter suppression, vulnerabilities