Are Georgia Voting Machines Secure? Frankly, My Dear, They Don't Give a Damn
Hey, Georgia does have a Springfield...
A whole lot of money and political energy has gone into the big special election run-off between Democrat Jon Ossoff and Republican Karen Handel coming up next Tuesday. The race for the sixth congressional district seat formerly held by Tom Price, before he went off to help dismantle the nation's healthcare system, is probably the best chance for Democrats to take a seat in the House this year. Oh, there is one tiny problem: Georgia seems to have absolutely wretched security for its electronic voting machines. Not that anything will go wrong, because the state has taken careful measures to ignore people warning of potential problems. Say, did we mention Georgia's voting machines don't leave any paper trail, either?
The story of Georgia's sad sorry voting security is one of those things that will leave your face a little fatigued from all the times you raise your eyebrows and drop your jaw, starting with what cybersecurity researcher Logan Lamb discovered last August when stories of Russian hacking of state election systems became known. Logan heard there might be concerns about Georgia's election security, so he went to check out the website for the Center for Election Systems at Kennesaw State University, which handles the job of making sure all the state's voting machines are in good working order. He got a bit of a surprise:
“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.
“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,”
Whoops! After state elections officials didn't seem terribly interested in the problems he uncovered, Lamb went public with what he found in hope that public pressure might move them to tighten things up. A government-accountability group sued the state last month, calling for the state to use only paper ballots in this month's election; the motion was denied last week under the state's doctrine of sovereign immunity -- you can't sue the government without its permission. Besides, early voting had already started for the runoff.
Now, Lamb and other security wonks haven't shown that the state actually has been hacked -- just that its election systems are outdated and could be vulnerable in a number of ways which we won't detail here, because Yr Wonkette is more in the business of making jokes about entirely different hardware and software, if you know what we mean and we think you do. Suffice it to say there are a lot of potential security holes (HA!) that could give hackers a backdoor ( teehee ) into Georgia's antiquated touch-screen voting machines, which all use that same software. It would be quite possible for hacks to be made without even leaving detectable traces of the tampering. Fun, huh?
It's also not known whether Georgia is among the 39 states whose election systems were hacked last year, as discovered by Bloomberg politics. It's also worth noting that, when Homeland Security offered last year to help states upgrade their election computer systems' security, Georgia was one of only two states to say "no thanks, we're fine":
“[B]ecause of the DNC getting hacked—they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Secretary of State Brian Kemp told Politico at the time. “And that’s just not—I mean, anything is possible, but it is not probable at all, the way our systems are set up.”
Reassuring! Also, if you read the Politico report, POSSIBLY completely untrue!
Also worrisome: When Logan Lamb went to the Center for Elections Systems with the problems he found, he got a polite thank you and a warning from executive director Merle King. King said he'd definitely get the server fixed, but also told Lamb to keep quiet about the problems, and especially not to talk to the media:
“He said, It would be best if you were to drop this now,” Lamb recalls. King also said that if Lamb did talk, “the people downtown, the politicians … would crush” Lamb.
And here's a huge surprise: The center neglected to notify the secretary of state's office about the security problems, either. Not only that, but in March, Chris Grayson, another security researcher, found that while some vulnerabilities on the website had been fixed, others hadn't. Oops. When Grayson told a friend at Kennesaw State, word went up through various offices until eventually it reached the secretary of state and the governor. Obviously, there was a problem, so swift action was taken: The FBI was sicced on Lamb and Grayson to see if they'd committed a crime (they hadn't). Lamb was told to delete the files he'd accidentally downloaded, and he did.
Not to worry, says Georgia: Since the voting machines and the software that runs them aren't connected to the internet, so there's no way to hack them. Which doesn't at all explain why Lamb found those voter files from the secure system on the center's website, but that one server has been shut down, so please stop making a big deal about all this, OK?
And wait, just one more thing, from last year: When DHS offered to help Georgia protect its systems, it got a BIG OL' HISSYFIT in response. First they accused DHS of hacking them and then:
Georgia was one of only two states in the country that refused assistance offered by DHS in the run-up to last month’s race, Cyberscoop reported, notwithstanding heightened concerns from coast to coast at the time over the possibility of the contest being sidelined by a cyberattack. [...]
“We basically said we don’t need DHS’s help,” [Kemp Chief of Staff David] Dove said, because the state had already obtained the assistance of a third-party cybersecurity firm.
The office of the Georgia Secretary of State declined to say who exactly the state has sought out for its cyber assistance, but that the the company “analyzes more than 180 billion events a day globally across a 5,000+ customer base which includes many Fortune 500 companies,” Cyberscoop reported.
We're just going to assume the third-party cybersecurity firm Georgia refuses to name is Kaspersky. Sound right to you?
Go read the full article; it may well leave you whomperjawed. And while you're at it, you might also enjoy this WaPo piece on how Karen Handel asked for a review of Georgia's election cybersecurity when she was secretary of state -- and then apparently did exactly nothing with the final report, which found -- you guessed it! -- vulnerabilities that could leave election systems open to hacking. Here's a nifty little excerpt!
Asked about the data breach, Handel’s campaign deferred questions to Rob Simms, who was deputy secretary of state for much of Handel’s term and is now working to elect her to Congress.
“You’re asking if we ever ‘responded’ to a report/study that was done more than 10 years ago?” Simms asked. “Doesn’t make sense to me.”
Pfft, you nerds and your worries about "hacking"! What are you, a bunch of wacky tinfoil-hat-wearing conspiracy theorists? Now, let's get to the important stuff: When are Loretta Lynch and Hillary Clinton finally going to be indicted, huh?