The indictment last week of 12 Russian military officers is focusing new attention on election servers in Georgia that are currently embroiled in a lawsuit between election integrity activists and the secretary of state. The activists, intent on proving that the state’s paperless voting machines are not secure and should be replaced, want to examine two state election servers to look for evidence that Russian hackers or others might have compromised them to subvert elections. But the state has been fighting them for more than a year, citing sovereign immunity from lawsuits and also insisting to the news media that Georgia was never targeted by Russian hackers.
For the past year it seemed the latter might be true.
Story Continued Below
When the Department of Homeland Security notified 21 states in 2017 that they had been targeted by Russian hackers intent on interfering with the 2016 U.S. presidential election, Georgia—despite having one of the most vulnerable voting systems in the country—was not among them. Trump won the state by nearly 6 percentage points over Democrat Hillary Clinton, whose campaign had hoped to pick up the reliably Republican state for the first time since 1992.
DHS said Russian hackers had probed websites in the 21 states looking for vulnerabilities, and in at least one state—Illinois—they found a vulnerability in a server that hosted the state’s voter registration database, allowing them to access 90,000 voter records. But the Russians were apparently unsuccessful in finding vulnerabilities in other state election sites and evidently never bothered at all with servers in Georgia, according to the agency.
This was odd because around the same time the Russians were targeting other states, a security researcher in Georgia named Logan Lamb discovered a serious security vulnerability in an election server in his state. The vulnerability allowed him to download the state’s entire database of 6.7 million registered voters and would have allowed him or any other intruder to alter versions of the database distributed to counties prior to the election. Lamb also found PDFs with instructions and passwords for election workers to sign in to a central server on Election Day as well as software files for the state’s ExpressPoll pollbooks—the electronic devices used by poll workers to verify voters’ eligibility to vote before allowing them to cast a ballot.
The unpatched and misconfigured server had been vulnerable since 2014 and was managed by the Center for Election Systems, a small training and testing center that until recently occupied a former two-story house on the Kennesaw State University campus. Until last year, the Ccnter was responsible for programming every voting machine across the state, raising concerns that if the Russians or other adversaries had been able to penetrate the center’s servers as Lamb had done, they might have been able to find a way to subvert software distributed by the center to voting machines across the state.
But Georgia Secretary of State Brian Kemp, who was the only state election official to refuse security assistance from the Department of Homeland Security prior to the election, has insisted for more than a year that his state’s voting systems were never at risk in the 2016 election, because DHS told him the Russians had not targeted Georgia.
This changed on Friday, however, when the Justice Department unsealed the indictment against 12 Russian intelligence officers who oversaw an operation that, the department says, included targeting county websites in Georgia.
On or around Oct. 28, 2016, Anatoliy Sergeyevich Kovalev and Aleksandr Vladimirovich Osadchuk, both officers in the Russian military assigned to Unit 74455, allegedly conspired with others to hack into computers involved in U.S. election administration, according to the complaint. This included scoping out the websites of unidentified counties in Iowa, Florida and Georgia to identify vulnerabilities they could use to access back-end servers. The indictment doesn’t state directly, but implies, that the servers were part of infrastructure for county election offices.
Asked about this new revelation, a spokeswoman for the Georgia secretary of state’s office declined to address it directly, saying only that the secretary of state’s own office had never been breached.
“We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted,” Candice Broce wrote in an email. “Georgia has secure, accessible, and fair elections because [Secretary of State Brian] Kemp has leveraged private sector solutions for robust cybersecurity, well before any of those options were offered by the federal government.”
In truth, Kemp’s office would not have been the most likely target for Russian hackers, since his office has had little to do with the administration of elections in Georgia since at least 2002, when it contracted that responsibility to the Center for Election Systems. For 15 years, it was well known that the Center was responsible for training election workers, programming the state’s electronic voting machines before each election and distributing the voter registration database to counties. The Center’s servers would have been the ideal target for Russian hackers, says Marilyn Marks, executive director of the Coalition for Good Governance, the group behind the lawsuit against the secretary of state.
“These sophisticated agents certainly [would have known] that Georgia’s entire election programming and management system, including private voter data, was on a single central computer managed by Secretary of State Kemp’s contract agent at Kennesaw State University,” she told Politico.
The unpatched and insecure server that Lamb breached weren’t the Center’s only problem. A report produced by the university’s IT department after the Lamb breach found numerous other security problems as well. These security problems are all the more alarming, Marks and others say, because Georgia uses a single model of touchscreen voting machine statewide that security researchers have shown to be vulnerable to hacking. The machines do not have a paper trail and therefore provide no means of conducting an audit of their election results—an ideal scenario for anyone who wants to subvert an election. Marks and her fellow plaintiffs in the lawsuit want the state to replace these machines with ones that use paper ballots.
As part of their discovery demands, they want to examine the Center’s servers to see if anyone other than Lamb had breached them prior to the 2016 presidential election or a special congressional runoff election that was held on June 20 the following year between Karen Handel, Kemp’s predecessor as secretary of state, and Jon Ossoff. With the revelations in Friday’s indictment, Marks says an examination of the Center’s servers is more important than ever.
“The indictment’s reference to Russians searching for Georgia vulnerabilities makes it all the more imperative that plaintiffs in the federal lawsuit be promptly granted the right to conduct forensic discovery on the remaining electronic records related to the server,” Marks told Politico.
This might be difficult to do, however. Shortly after the plaintiffs filed their lawsuit in July 2017, technicians at Kennesaw State University wiped the Center’s servers clean, destroying any evidence that might have been on them. Two backup servers also were wiped a month later—news the plaintiffs learned only months later after obtaining emails that disclosed the data destruction. Kemp’s office initially distanced itself from the destruction, accusing the technicians of “ineptitude” for wiping servers that were part of litigation. Kemp later said, however, that the wiping had simply been standard operating procedure performed any time servers were taken out of service.
The good news is that FBI agents in Atlanta made a mirror image of the server that Lamb breached when they were investigating his intrusion, and the plaintiffs are hoping the judge overseeing their case will rule that they can examine this image. It’s unclear, however, whether the image preserved everything that was on the server and whether the image still exists.
A spokesman for the FBI’s Atlanta office refused to comment on the matter and referred POLITICO to KSU. KSU did not respond.
Marks says it’s astonishing how little curiosity or concern Kemp and Georgia’s Election Board have shown toward the Center’s server. “[The] Russians would not have had to ‘hack’ or force their way in. The electronic door was wide open … and KSU’s wiping of the server logs would have likely concealed their tracks.
“[It] appears that Kemp and the State Board prefer not to know [what may have happened on that server],” Marks told me. “Nor do they want plaintiffs to find out, as they are continuing to block all attempts at litigation discovery.”