Georgia’s Election Was A Battle Royale. Was It Hacked?

On Tuesday, Georgia held the most expensive House election in history, with more than $50 million spent on a battle royale between veteran GOP operative Karen Handel—who ultimately won—and Democratic newcomer Jon Ossoff. With the nation’s eyes upon Georgia’s 6th congressional district, one would hope for a baseline guarantee of electoral integrity.

But last week, cybersecurity researcher Logan Lamb exposed an array of vulnerabilities in Georgia’s voting system. The big reveal was his ability to easily “scrape” 15 gigabytes of detailed voter data from the Georgia Center for Election Systems website, but there’s more.

Georgia’s election software is running on Microsoft Server 2000 (called a “crap system” by security experts), it relies on the infamously hackable Diebold voting machines, and there is absolutely no paper trail—thanks in large part to a ruling earlier this month from Superior Court Judge Kimberly Esmond Adams dismissing the need for paper ballots. Oh, also voter rolls were stolen from a Georgia election official’s pickup truck this year, and the state’s main voting database at Kennesaw State University was hacked in March. You can view a copy of the internal report embedded at the end of this story.

More than 20 national and global security experts wrote a letter to Georgia’s Republican Secretary of State Brian Kemp pleading with him to overhaul the state’s systems. Kemp blithely dismissed the warnings of these “Ivy League professors” and insisted (without apparent proof) that Georgia’s voting machines are “safe and accurate.” Kemp also celebrated the dismissal of a lawsuit brought against the state by voting-transparency activists this month.

Professor Richard DeMillo, former dean of computing at Georgia Tech, was one of the academics who drafted the letter to Kemp, as well as one of two experts called by plaintiffs in the recent lawsuit. DeMillo is a nonpartisan pro who has been scrutinizing Georgia’s voting security for some time now. We caught up with him just before Tuesday’s special election to get his take.

Has voting security always been your focus?

In 2006 and 2007, I was asked to supervise a small team of experts reviewing the security of Georgia’s voting procedures. We were asked [by then-Secretary of State Karen Handel] to look at things like poll worker training, polling center procedures, chain of custody—that kind of thing. We were specifically not supposed to look at the Diebold machines themselves; there was broad consensus about how insecure they were.

What were the results of this review?

The authors agreed that there were two main points of vulnerability: the machines and their lack of a paper trail, and the Center for Election Systems at Kennesaw State. We had pointedly been told not to look at Kennesaw State, but we still included it in the report as the biggest cause for concern.

Can you explain the importance of Kennesaw State?

They are responsible for all the state’s voting software, and they are responsible for maintaining all the software databases and the Microsoft products that the system runs on.

Were there reasons you weren’t supposed to look at procedures there?

None that I’d care to speculate on. So much of what happens at the Center for Election Systems is shrouded in mystery.

Wouldn’t a paper trail help reassure everyone that their votes are secure?

Common sense would say yes. I teach a class on cyberethics, and that is the number one question I’ve received from my students. Why would we ignore the one solid piece of backup we could have? It’s not like we just need to worry about hacking—what if there was a tornado that hit a polling center?

When did voting security become your primary concern?

I thought that the threats were manageable in the decade since our initial report, but I’ve been very alarmed since last summer. Once I saw those DNC emails were being hacked, it put me on alert—all sorts of threat scenarios started popping into my head.

Tell us more about this year’s hack at Kennesaw State.

The official statement was that there was an intrusion into Kennesaw’s voting systems. The FBI reported that the intrusion had been shut down, but that is very far from saying the system had a clean bill of health. From March 1 to April 18 [the date of the 6^th district primaries], there was a rolling series of alarming revelations.

Like what?

Like the electronic poll books being stolen at a shopping center and found discarded. Or on election night, there was a serious glitch in uploading vote tallies from memory cards. Or the number of blank ballots received being unusually high. But everything is so opaque; we’re just told not to worry about it.

Why do you suppose that is?

On some level, I suppose they don’t want voters to worry. As in, “It would just upset people if they thought the election was vulnerable.” But the danger potential here is quite serious. And we’re just not seeing any real level of concern from our election officials.

Are you personally concerned about today’s election?

I am. On a human level—and it’s more than just Brian Kemp—it’s alarming to have politicians more concerned with telling people that everything is okay, rather than do everything they can to get our systems right. But also, with everything I read about foreign [hacking] capabilities, it ratchets up my level of concern. As a citizen, it’s just horrifying.

Internal report regarding the March 1 breach at Kennesaw State, made public via FOIA request and part of the public trial record by GOOD Magazine on Scribd