Was Georgia’s Election System Hacked in 2016?
The indictment last week of 12 Russian military officers is focusing new attention on election servers in Georgia that are currently embroiled in a lawsuit between election integrity activists and the secretary of state. The activists, intent on proving that the state’s paperless voting machines are not secure and should be replaced, want to examine two state election servers to look for evidence that Russian hackers or others might have compromised them to subvert elections. But the state has been fighting them for more than a year, citing sovereign immunity from lawsuits and also insisting to the news media that Georgia was never targeted by Russian hackers.
For the past year it seemed the latter might be true.
When the Department of Homeland Security notified 21 states in 2017 that they had been targeted by Russian hackers intent on interfering with the 2016 U.S. presidential election, Georgia—despite having one of the most vulnerable voting systems in the country—was not among them. Trump won the state by nearly 6 percentage points over Democrat Hillary Clinton, whose campaign had hoped to pick up the reliably Republican state for the first time since 1992.
DHS said Russian hackers had probed websites in the 21 states looking for vulnerabilities, and in at least one state—Illinois—they found a vulnerability in a server that hosted the state’s voter registration database, allowing them to access 90,000 voter records. But the Russians were apparently unsuccessful in finding vulnerabilities in other state election sites and evidently never bothered at all with servers in Georgia, according to the agency.
This was odd because around the same time the Russians were targeting other states, a security researcher in Georgia named Logan Lamb discovered a serious security vulnerability in an election server in his state. The vulnerability allowed him to download the state’s entire database of 6.7 million registered voters and would have allowed him or any other intruder to alter versions of the database distributed to counties prior to the election. Lamb also found PDFs with instructions and passwords for election workers to sign in to a central server on Election Day as well as software files for the state’s ExpressPoll pollbooks—the electronic devices used by poll workers to verify voters’ eligibility to vote before allowing them to cast a ballot.
The unpatched and misconfigured server had been vulnerable since 2014 and was managed by the Center for Election Systems, a small training and testing center that until recently occupied a former two-story house on the Kennesaw State University campus. Until last year, the Center was responsible for programming every voting machine across the state, raising concerns that if the Russians or other adversaries had been able to penetrate the center’s servers as Lamb had done, they might have been able to find a way to subvert software distributed by the center to voting machines across the state.
But Georgia Secretary of State Brian Kemp, who was the only state election official to refuse security assistance from the Department of Homeland Security prior to the election, has insisted for more than a year that his state’s voting systems were never at risk in the 2016 election, because DHS told him the Russians had not targeted Georgia.
This changed on Friday, however, when the Justice Department unsealed the indictment against 12 Russian intelligence officers who oversaw an operation that, the department says, included targeting county websites in Georgia.
On or around Oct. 28, 2016, Anatoliy Sergeyevich Kovalev and Aleksandr Vladimirovich Osadchuk, both officers in the Russian military assigned to Unit 74455, allegedly conspired with others to hack into computers involved in U.S. election administration, according to the complaint. This included scoping out the websites of unidentified counties in Iowa, Florida and Georgia to identify vulnerabilities they could use to access back-end servers. The indictment doesn’t state directly, but implies, that the servers were part of infrastructure for county election offices.
Asked about this new revelation, a spokeswoman for the Georgia secretary of state’s office declined to address it directly, saying only that the secretary of state’s own office had never been breached.
“We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted,” Candice Broce wrote in an email. “Georgia has secure, accessible, and fair elections because [Secretary of State Brian] Kemp has leveraged private sector solutions for robust cybersecurity, well before any of those options were offered by the federal government.”
In truth, Kemp’s office would not have been the most likely target for Russian hackers, since his office has had little to do with the administration of elections in Georgia since at least 2002, when it contracted that responsibility to the Center for Election Systems. For 15 years, it was well known that the Center was responsible for training election workers, programming the state’s electronic voting machines before each election and distributing the voter registration database to counties. The Center’s servers would have been the ideal target for Russian hackers, says Marilyn Marks, executive director of the Coalition for Good Governance, the group behind the lawsuit against the secretary of state.