Public scrutiny of Georgia’s voting system has increased in recent weeks after the Associated Press reported a central election server was erased. A month later another server was erased. It all happened at the Center for Elections Systems at Kennesaw State University. The center contracts with the Secretary of State’s office to handle the technical aspect of elections.
There’s no evidence election results were affected by any of the erasures, and the Secretary of State’s office has said repeatedly the current system is secure. But cybersecurity experts say the incidents exposed serious vulnerabilities in Georgia’s elections systems.
Here’s a timeline of what happened:
Cybersecurity researcher Logan Lamb discovers voter registration information for 6.7 million voters, PDFs with passwords for election workers, software files for devices used by poll workers to verify a voter is registered, and what appears to be databases used to tabulate votes. This is information that would allow outside parties to disrupt an election, according to cybersecurity experts. Georgia’s electronic voting machines have no paper trail to audit the results.
Lamb notified Merle King, the executive director of the KSU Center for Elections Systems, where a server (elections.kennesaw.edu) was housed that contained the information Lamb accessed. King pressed Lamb not to talk to anyone about what he’d found, according to a Politico report published in June 2017.
29th: KSU Chief Information Security Officer Stephen Gay is notified of what another security officer would later call “critical and severe vulnerabilities” in the server’s (elections.kennesaw.edu) setup.
William Moore, associate executive director of the KSU information security officer, says more than 40 “critical vulnerabilities” remain in the server’s (elections.kennesaw.edu) setup.
8th: In the presidential election, Donald Trump wins Georgia. No major, widespread issues with the state’s voting system are reported.
Information security specialist Christopher Grayson accesses the server at the Center for Elections Systems and finds the same information discovered in August by Lamb is still available.
1st: Grayson contacts a friend, Andy Green, who teaches IT security at KSU. Green discovers the vulnerability for himself and contacts KSU’s Chief Information Security Officer, Stephen Gay. Gay alerts the Center for Elections Systems of an “alleged data breach” on the server (elections.kennesaw.edu). The KSU information security office seizes the server.
3rd: KSU turns the server (elections.kennesaw.edu) over to the FBI, which has recently opened an investigation into the breach.
4th: The school’s IT security officers report the Center for Elections Systems has begun using another server (Unicoi.kennesaw.edu), and it’s accessible from the KSU campus network. The server holds ballot information from previous elections, and the personal information of 5.7 million registered voters. The server (Unicoi.kennesaw.edu), is then shutdown.
17th: In an email, KSU’s Gay says the FBI has confirmed it has a “forensic image” of the server (elections.kennesaw.edu). The FBI has not confirmed it has a copy of the server.
31st: KSU issues a public statement saying “there is no indication of any illegal activity” and no personal information was compromised after the “unauthorized access” of the server (elections.kennesaw.edu), presumably by Lamb and Grayson.
3rd: Election advocates file a lawsuit seeking to throw out the results of the 6th District Special Election, and require the state to re-examine its election system. The suit names Secretary of State Brian Kemp (pictured above), the state elections board, and Merle King, the executive director of the Center for Elections Systems.
7th: A KSU IT security technician reports erasing the server (elections.kennesaw.edu). KSU has said it was following standard procedure, and an after-action report dated April 2017, recommended repurposing the server. But critics say there’s no good reason a server with such sensitive material should have been erased, even if the FBI was known to have a copy.
Critics also say the timing of the erasure, just days after the lawsuit was filed, raises questions. Once the news of the server wipe went public in October, Kemp’s office said it had nothing to do with it. The KSU after-action report included no mention of the August incident when Logan Lamb accessed data on the election’s server.
6th: The Attorney General’s office says the central server (elections.kennesaw.edu) was erased on March 17, 2017, as well as a “back-up” server (Unicoi.kennesaw.edu). The AG was representing the defendants named in the case.
18th: The AG’s office says it has “now learned” the (elections.kennesaw.edu) was actually erased on July 7, 2017, and the “back-up” server was erased on August 9, 2017. This appears to be a reference to the secondary server (Unicoi.kennesaw.edu). That server did not contain an exact replica of the information on the central server (elections.kennesaw.edu.)
24th: This is the date the Secretary of State Brian Kemp’s later says it heard about the erasure of the server.
26th: The Associated Press reports the server was erased. Republican Secretary of State Brian Kemp, who is running for governor, blames the Center for Elections Systems, calling the server wipe “undeniable ineptitude.”
2nd: Attorney General Chris Carr (pictured above) releases a public statement explaining why his office is withdrawing from the defense of Secretary of State Brian Kemp, members of the state elections board, and Merle King, executive director of Center for Elections Systems. It appears to reference earlier statements from Kemp about the Center for Elections Systems.
“In this situation, one state defendant in the Curling lawsuit made public statements that took a position adverse to another party that we also represented in the litigation,” said Carr, a Republican running for reelection. “Mindful of the rules governing attorney representation of multiple clients, our office withdrew from our representation of all of the state defendants in this litigation.”
The law firm of former Democratic Gov. Roy Barnes now represents Kemp and the state elections board. The law firm Holland & Knight represents Merle King.
The lawsuit seeking the state to stop using the current election system remains in federal court. It no longer seeks to throw out the results of the 6th District Special Election. State legislators have shown interest in a major overhaul of the state’s election systems, and some have said the erasure of the elections servers, amongst other things, raises questions about the integrity of the current system. In recent municipal elections, the Secretary of State’s office tested a paper ballot system.
Is Georgia’s Election System Secure?
The state’s machines aren’t directly connected to the internet. Memory cards are used to load ballot information and pull results from the machines. Cybersecurity experts say if malware was loaded onto those memory cards from a server, it could be transferred to a voting machine and potentially manipulate election results.
If a hacker manipulated the state’s voter registration database, they could shut down an entire precinct, keep people from voting.
In addition to these vulnerabilities, Georgia uses electronic voting machines without a paper trail to confirm results. That goes against the recommendation of security experts.
There’s no evidence election results were affected, and the Secretary of State’s office has said repeatedly the current system is secure.