Yes, Georgia Elections Can Absolutely be Hacked

Earlier this week, the folks in GA-6 elected a new representative to serve them in Washington. Congratulations to Congresswoman-elect Karen Handel.

That said, you may have seen the headlines from Politico and others regarding the security of Georgia elections in the run up to the runoff, and I’ll admit, they were outright terrifying, so the editors achieved their purpose. In case you were wondering, no, it’s not fake news. Yes, Georgia elections can be hacked. We know this because it’s happened. Now, we had few-to-no issues contributing to the results on Tuesday night regarding election fraud, certainly not enough to alter the result, so regardless of what else you read, Karen Handel was the winner on Tuesday because more people in GA-6 intentionally voted for her. Please make no mistake, though: We’ve been lucky. Exceptionally lucky, given our system. We need to make changes before our luck runs out. Next time, it may not be a “friendly” who hacks us.

I had — until I moved to North Carolina in 2014 — never voted in person in any other method other than on an electronic machine. My experience voting in Durham County, North Carolina was quite the shock when I was handed paper and pen, but it’s a story for another time. (Also, the paper and pen may not have been as backward as I thought at the time. More on that later.) 2000 was the first election in which I was able to vote, and Columbia County was a test site for electronic machine voting. Then-Secretary of State Cathy Cox moved to adopt machine voting statewide for the 2002 election. We’re using the same kind of machines in 2017 that I used in 2000. Even if we knew nothing else about our voting system, it should concern us, given what we know about obsolescence, that our state has not upgraded or changed models of machines for nearly 20 years. Dude, are you still plunking away on that Dell Slacker Steve convinced you to buy in 2002? No? Didn’t think so.

To give you a little insight into the system we use, our machines are AccuVote-TS, originally produced by Global Election Management Systems, which was acquired by Diebold Election Systems between the time the state purchased them and the time they were put into circulation in 2002. Counties use servers with GEMS software purchased as part of the original contract. This software runs on the Microsoft Windows 2000 Operating System with Service Pack 4 installed. Microsoft stopped supporting this operating system in 2010. The machine software runs on a modified Windows/CE Operating System. Of note: The last certification for our voting system occurred in 2005.

Prior to the 2002 election, counties were responsible for their voting equipment, but in 2001, the Georgia General Assembly mandated that the state move to a uniform system. People thought the “lost ballots” in Florida were ugly in 2000, but Georgia actually had a much higher rate of “lost ballots” in that election than our neighbor to the south, which is what prompted the swift change. The Center for Elections Systems at Kennesaw State University has assisted with the implementation, operation, and support of Georgia’s electronic voting system since 2002.

The first year of statewide electronic voting was messy, to put it kindly. Cox insisted that implementation was a success, but even back then, critics complained about the lack of a print-out to verify their votes. The machines were glitchy, many had to be rebooted, and one county couldn’t get any of its machines to transfer vote totals to the county server. None the less, expert analysis of the 2002 election found that we had fewer “lost ballots” in that election than in previous elections, so Cox was validated. The machines were better than our previous hodgepodge system.

However, better doesn’t mean perfect — or even good enough. A team of experts from Georgia Tech noticed vulnerabilities in our voting system, which they reported to then-Secretary Karen Handel in 2008, though they felt as if she didn’t respond to them, according to The Washington Post‘s columnist Dave Weigel’s recent column. First, let me assure you that though Secretary Handel commissioned the report from Tech, she was under no obligation to let them know what she did or didn’t do with their suggestions. Secondly, in 2008, there would have been more concern with system failure than system hacking, especially since most of the hacking to that point required the internet, and the servers were (and are still) supposed to be kept offline. Could Secretary Handel have done more with the report? Probably, given a simple systems analysis would have pointed out the shaky wisdom of allowing prisoners to transport voter machines, for example. However, she has been out of office for seven and a half years — more than enough time for her successor to make necessary corrections or own the consequences.

Current Secretary of State Brian Kemp often states that because our systems are offline, they are therefore not hackable. He also has explained the steps his office takes to ensure elections integrity. The problem is that there are have been ways around those protocols for many years, as noted by two Princeton graduate students in this short video and this much more detailed report. (Yes, those are the machines we use in Georgia.) Notice that they were able to break into a machine and install a virus in less than five minutes. Are poll workers ever alone with the machines for five minutes? How about the student workers, or heck, even the employees at Kennesaw State? As noted in the video and report, the virus created does have the ability to jump from machine to machine through data loaded onto the GEMS servers. There are several scenarios in which we could have even small amounts of votes stolen that could change the outcome of an election. If the recent NSA leak taught us nothing from the report itself, we should note that we can’t always know the minds of people, even when they have a previous pristine service record and even when they have been vetted. Therefore, having equipment with obvious, known vulnerabilities in situations that could give individuals (even ones we believe to be trustworthy!) the opportunity to alter results is a security failure on the part of the state. It’s one of the biggest reasons why many states have reverted to paper balloting, meaning Durham County in the Old North State probably isn’t as backward as I thought it was when I voted there. (All the states in gray here use this low tech method; Georgia is one of five tan-colored states, which offer no paper trail.)

What’s far more likely than intentional sabotage, of course, is carelessness. This seems to be the what caused the most recent black eye for Secretary Kemp regarding Georgia elections security. Last year, cybersecurity researcher Logan Lamb (as noted in the Politico report) conducted an experiment out of curiosity on the Center for Election System’s website that exposed a stunning amount of information, none of it password protected:

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

Subsequent reports have noted that systems that were meant to be offline have been plugged into internet ports at times. Given what was accessed by Lamb from scraping the website, it seems highly unlikely that the Center or Secretary Kemp can accurately say the servers and machines are never online. This data breach came just over a year after Secretary Kemp’s office mailed out the complete voter registration file to 12 entities. He assured us all he got the 12 discs back and no one made copies, but there is no guarantee of that.

As a reminder, your driver’s license and social security number are included in your voter file. It has been exposed twice that we know of in the past three years.

The response from Merle King, the director of the Center, when Lamb let them know what he’d found was to threaten him and ignore his suggestions until he and another security expert, Chris Grayson, notified the head of IT at Kennesaw State, who ensured that the Secretary of State and Governor were notified. During the April special election, Cobb County had some voting equipment stolen and delayed reporting the theft to the Secretary of State. Now, two incidents don’t make a pattern, but it seems highly coincidental that neither were in a rush to notify Secretary Kemp. Why? Did they feel he wouldn’t care, or were they afraid he’d come down hard on them? Was the Center correct in hinting to Lamb that “downtown” would go after him instead of fixing the problem? Most importantly, is there a reporting schedule for issues like these, and if so, is it being followed?

The Atlanta Journal-Constitution reported last week that the Center for Elections Systems might lose its contract with the state on June 30 now that the issues have come to light. I’d be more surprised if they kept their contract than if they didn’t. Secretary Kemp has to do something to divert most voters from the realization that I have come to in that he’s in over his head when it comes to data security.

Which brings me to my real annoyance. Sure, I’m unhappy that my voter file was available to everyone who wanted it for who knows how long? I’m also deeply displeased that we are still using voting equipment that is about half my age and we are told to believe that it is secure because of a series of tests that I know can be circumvented after two IS courses in data curation and digital forensics. But no, there’s more.

Data security is nerdy. It’s vitally important, but the general public doesn’t care unless it affects them negatively. That means it’s up to us, those of us in CS and IS fields, to care — and that absolutely must include the Secretary of State in a state that has a uniform statewide electronic voting system because, for heaven’s sake, man, it’s your job!

We elect our Secretary of State like every other statewide position, so there’s no requirement that we hire someone who understands IT. That’s fine. I don’t expect the Governor to come with a Ph.D. in economics, either. What it does mean, though, is the person who seeks the job must be willing to accept help from those who do have expertise in the field and recognize who “the bad guys” are who are out to compromise elections and steal voter information. (Hint: It’s not the U.S. Department of Homeland Security.)

My absolute biggest issue is that Secretary Kemp displays all of the intellectual curiosity of a wooden post on the topic of data security and yet still somehow disdains those who would offer help, warn him of blatant problems or, apparently, deign to attend an Ivy League school.  I can forgive a lot of mistakes, but I cannot and will not forgive refusing to learn or care, especially when it is a critical part of one’s job that affects the personally identifiable information (PII) of millions of people in Georgia. To be sure that I’m being fair to Secretary Kemp, I want to include an article with the state’s responses to many of the security issues raised here, though I should point out it was King doing the responding to the Atlanta Journal-Constitution, and his reputation has taken a bit of a hit over the Center’s security lapses.

As a digital archivist who is an employee of the state of Georgia, I would expect to be put on notice if I exposed donor PII once and fired if I exposed it twice. I would further expect not to make tenure, much less receive a promotion, if I refused to increase my base of knowledge in a critical area of my field.

Secretary Kemp is like me in that he is an employee of the state of Georgia, but unlike me, he has 6.7 million supervisors who vote on his performance every four years. He’s not running for reelection in 2018, for which our PII can breathe a sigh of relief. However, he’s thrown his name in the ring for a bigger position — Governor. If his portfolio for tenure is questionable, and it definitely is, he shouldn’t receive that promotion.

12 Comments

Add a Comment