In the run-up to nationwide elections set for Tuesday, the Secretary of State of Georgia has made explosive and seemingly unsubstantiated allegations that the Democratic Party of Georgia is somehow implicated in a “failed cyberattack” of the state’s online voter registration system.
However, neither Brian Kemp—who is also running as a Republican candidate for governor—nor anyone from his office has provided any evidence that there was indeed a cyberattack. There is also no evidence that the state’s Democrats were involved. Kemp is running against Democrat Stacey Abrams in a tight race.
The allegation was first reported on Sunday by the website WhoWhatWhy, which described a vulnerability that would have allowed an automated script to grab numerous pieces of personal information, including mailing address, partial Social Security number, and more. In June 2018, Ars reported on a similar weakness in digital security in a California election.
However, by Monday afternoon, ProPublica reported that the vulnerabilities had been fixed the night before.
In 2016, Kemp had accused the Department of Homeland Security of hacking the voter registration database. But then as now, he also provided scant evidence. Back in 2015, Kemp’s office sent out CDs that included personal information of six million Georgia voters.
When Ars asked Kemp’s office on Monday morning to provide further details about this purported attack, spokeswoman Candice Broce initially referred us to the Georgia Bureau of Investigation (GBI) and declined to respond to further questions.
GBI spokeswoman Nelly Miles declined to respond to Ars’ questions. She put out this brief statement: “The GBI has been requested by the Secretary of State to investigate allegations of computer crimes related to the Secretary of State’s website(s). A criminal investigation will be conducted by the GBI’s Georgia Cyber Crime Center.”
When Ars pressed via email, Broce wrote: “I believe that ProPublica has made corrections to their article. There are no such vulnerabilities.” ProPublica reporter Jessica Huseman denied that the site had made any corrections to the story. Still, Broce maintained the Secretary of State’s office was unable to duplicate ProPublica’s efforts.
“We immediately reviewed claims of such vulnerabilities once we received them, and our cyber security team—which includes top-notch, private sector cyber security vendors—could not substantiate any of them,” Broce continued. “To be clear, those Web pages are not linked to a location containing files with confidential or sensitive information. I told one of the authors that we routinely makes changes to these websites leading up to an election.”
The FBI also would not comment to Ars.
So what exactly happened?
According to David Cross, an attorney representing a group of Georgia plaintiffs currently suing Kemp over inadequate voting security, the flare-up began when a Georgia voter named Richard Wright contacted the group Coalition for Good Governance.
Wright, whom Ars has been unable to locate, apparently determined two vulnerabilities on the Georgia Secretary of State’s website.
This is how Wright described the situation in an email to a party volunteer named Rachel Small (his description has since been republished by Georgia Democrats):
I’ve attached a postman file which shows details on the two issues I’ve discovered. The first issue is with the MY Voter Page site. It has a .url to download sample ballots and poll cards; however, the .url allows you to download any file on the system. The second issue is with the online voter registration. On that site, you can download a form to print and mail your registration to the local election office. That .url contains an ID number for your request. If you change that ID #, which is just a counter–i.e., 1, 2, 3, …, you can download anyone’s data, and that includes lots of PII (i.e., drivers license and last four of SSN).
Postman is a well-known application that allows for analysis of Web pages and associated API calls.
“He brought that to our attention Friday afternoon,” Cross told Ars.
The attorney explained to Ars that, as soon as his clients were notified of the possible vulnerability, they contacted the FBI and the office of the Secretary of State, hoping that the problem would be fixed.
“We hoped that’s what they would do, but instead they decided to politicize these allegations that nobody has substantiated,” he said.
Previously, Broce told ProPublica Sunday evening evening that simply attempting to find a vulnerability justified opening an investigation.
“You don’t have to actually have someone who is successful in running up against your system,” Broce said. “All you need to open an investigation is information suggesting plans and an attempt to put together some kind of program or utilize specialize tools to find a vulnerability. We did have evidence.”
On Monday afternoon, Broce reiterated this position in an email to Ars, writing that Wright’s email “had a computer program attached”—even though Wright describes a Postman file—”according to our security staff and independent cyber security experts, shows a likely attempt to intrude into the system.”
It now appears that the file in question may have actually been written by a third party potentially affiliated with plaintiffs in ongoing litigation against the state. Under federal and state law, this information is more than enough to warrant the opening of an investigation and suggests possible cyber crimes. To be crystal clear, you do not need to successfully hack a system to constitute a crime. An attempt is also a crime. Election systems are afforded heightened protections under federal guidelines. You should consult federal and state law to see the elements of such crimes.
Finally, she concluded that these vulnerabilities “did not and do not exist.”