Georgia’s vulnerabe election system: why election systems are designated ‘critical infrastructure’

There is a special election in Georgia’s 6th Congressional District on Tuesday, between Democratic candidate Jon Ossoff and Republican candidate Karen Handel. Georgia is one of only five states that use electronic voting without any “paper trail” available for verification of the vote. (h/t Ballotpedia).

Screen Shot 2017-06-17 at 6.10.59 AM

That’s bad enough, but wait, it gets worse. Kim Zetter at Politico Magazine had an in-depth report this week about just how unsecure the voting system in Georgia is. Will the Georgia Special Election Get Hacked?:

Last August, when the FBI reported that hackers were probing voter registration databases in more than a dozen states, prompting concerns about the integrity of the looming presidential election, Logan Lamb decided he wanted to get his hands on a voting machine.

A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.

“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.

“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.

As Georgia prepares for a special runoff election this month in one of the country’s most closely watched congressional races, and as new reports emerge about Russian attempts to breach American election systems, serious questions are being raised about the state’s ability to safeguard the vote. Lamb’s discovery, which he shared out of concern that state officials and the center ignored or brushed off serious problems highlighted by his breach, is at the heart of voting activists’ fears that there’s no way to be sure the upcoming race—which pits Democratic neophyte Jon Ossoff against Republican former Secretary of State Karen Handel—will be secure.

* * *

Marilyn Marks, executive director of the Rocky Mountain Foundation, which sued the state last month to prevent it from using the voting machines in the upcoming runoff, says Americans have reason to be concerned about the integrity of Georgia’s election system—and the state’s puzzling lack of interest in addressing its vulnerabilities. “The security weaknesses recently exposed would be a welcome mat for bad actors.”

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.

Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.

The center has played a critical role in the state’s elections for more than a decade, not only by testing the touch-screen voting machines used throughout the state and maintaining the software that’s used in the machines, but also by providing support for the GEMS servers that tabulate votes and creating and distributing the electronic ballot definition files that go into each voting machine before elections. These files tell the machines which candidate should receive a vote based on where a voter touches the screen. If someone were to alter the files, machines could be made to record votes for the wrong candidate. And since Georgia’s machines lack a proper paper trail — which would allow voters to verify their choices before ballots are cast and could also be used to compare against electronic tallies during an audit — officials might never know the machines recorded votes inaccurately. There have been no public reports indicating that this has ever happened in Georgia, but computer security experts say it’s not clear officials would be able to uncover this even if they tried.

The center also distributes the voter registration list to counties for use on their ExpressPoll pollbooks; if attackers were to delete voter names from the database stored on the center’s server or alter the precinct where voters are assigned, they could create chaos on Election Day and possibly prevent voters from casting ballots. This is not an idle concern: During the presidential election last year, some voters in Georgia’s Fulton County complained that they arrived to polls and were told they were at the wrong precinct. When they went to the precinct where they were redirected, they were told to return to the original precinct. The problem was apparently a glitch in the ExpressPoll software.

Last month, Marks and other plaintiffs filed a motion seeking an injunction to prevent the three counties casting ballots in the 6th Congressional District race—Fulton, DeKalb and Cobb—from using their touch-screen machines and use paper ballots instead. In court filings and a hearing last week, they cited Lamb’s breach of the center’s server as one reason the machines, and the center’s oversight of them, cannot be trusted. They sought the injunction without knowing the full extent of Lamb’s breach.

Their concerns were validated last week with the publication of a classified National Security Agency report, which stated that hackers associated with Russian military intelligence had been behind the previously reported targeting of voter registration systems as well as an extensive phishing scheme to hack election officials. A second story, published this week by Bloomberg, indicated that the hackers targeted voter registration systems in 39 states and had actually tried to delete or alter voter data in at least one state. They had also accessed the software used by poll workers to verify voters at the polls—the same kind of software that Lamb found on Georgia’s website.

The reports didn’t indicate whether Georgia was among the 39 targeted states, but several factors make Georgia an especially good candidate for hacking. Unlike other states, which use a patchwork of voting machine brands and models throughout their election districts—making it more difficult to affect a national election outcome—Georgia uses a uniform system statewide: touch-screen voting machines made by Premier Election Solutions (the company, formerly Diebold Election Systems, is now defunct). More than 27,000 of these years-old machines are used in the state, as are more than 6,000 ExpressPoll pollbooks, also made by Premier/Diebold. And unlike most other states that have a decentralized structure for managing elections—machines and ballots are prepared and managed by individual counties—Georgia’s reliance on the center to manage those responsibilities for counties makes it a bull’s-eye for someone wanting to disrupt elections in the state.

Despite these concerns, Fulton County Superior Court Judge Kimberly Esmond Adams ruled on Friday against the activists seeking an injunction, but she did so on a legal technicality—the activists brought the action against Georgia Secretary of State Brian Kemp and other election officials, but Georgia’s doctrine of sovereign immunity prevents such legal action against them. She also cited the lateness with which they brought the case—early voting for the June 20 runoff was already underway when the hearing began.

It’s unclear whether the secretary of state’s office was aware of the full extent of the breach before Politico contacted it this week, or whether it believed Lamb accessed only the voter registration database. The office declined to answer questions about the breach.

* * *

After Lamb discovered the initial problems last August, he notified Merle King, executive director at the center, who thanked Lamb and said he would get the server fixed. It was months before the presidential election, and King pressed Lamb not to talk about the issue with anyone, especially the media.

“He said, It would be best if you were to drop this now,” Lamb recalls. King also said that if Lamb did talk, “the people downtown, the politicians … would crush” Lamb.

King did not respond to messages Politico left for him at the center or to email queries. The center kept the incident under wraps and never notified the secretary of state’s office, which oversees elections in the state and pays the center’s $750,000 annual budget.

Lamb thought the issue was fixed. But months later, in March 2017, a security colleague named Chris Grayson discovered that although the center had addressed the Drupal vulnerability for the encrypted https version of its website, the unencrypted http version was still vulnerable. Grayson could still access all the same files Lamb had downloaded months earlier. “It looks like it was just very poor administration,” says Grayson.

Grayson contacted a friend who teaches information security at Kennesaw State’s information systems department, who in turn contacted the campus’ chief information security officer at the University Information Technology Services (UITS) office at Kennesaw State, which oversees the university’s networks. News of the breach reached the secretary of state’s office, the governor’s office and the media. The FBI was called in to investigate to determine whether Lamb and Grayson—still unidentified in media reports—had committed a crime. The FBI determined they had not but told Lamb he should “probably just delete” the files he’d collected from the site, which he says he did.

But the incident exposed the fact that the center had been operating its networks outside the scope of both the university system and the secretary of state’s office for years, according to a March 1 preliminary analysis produced by UITS and obtained by Politico.

Essentially, what that report is saying is that there was this rogue operation,” says someone familiar with the UITS analysis. “The Election Center was operating outside of [the university’s] processes, and they weren’t aligned with any larger security strategy.”

The UITS staff also discovered that although the center had separate public and private networks, there was a live network jack (going out to the public network) in the closet where the private network systems are kept, raising the possibility that workers could have, at some point, connected the private network systems to the internet. Workers had also installed their own wireless access point in the office—a possible point of entry into networks for attackers. Given all of these findings and the center’s lack of oversight before the breach, critics say it’s not clear that the center’s small staff, some of whom are non-technical students at the university, could be trusted to maintain the integrity of those separate networks.

“They’re asking us to take their word for it that they have very carefully isolated and carefully managed the private network, but where their practices are visible to us, they have not been careful,” says someone knowledgeable about the center and Georgia’s voting systems who asked not to be identified. He pointed to the GEMS database files that Lamb found on the unprotected server, which appear to be associated with specific primary and other elections last year in various counties. “[I]t’s hard to square the presence of these GEMS files on an internet-connected server with the claim that GEMS machines are never connected to the internet.”

* * *

According to emails obtained by Politico, after the March breach, the center was forced to bring in outside security experts to assess its networks and advise it on secure firewall installation and network configuration. The report and emails don’t indicate, however, whether any in-depth forensic analysis was done to determine whether other intruders, aside from Lamb and Grayson, had breached the center’s network. It’s also unclear whether the center even had sufficient network logs to attempt a forensic investigation. In King’s court testimony, he said the web server that Lamb breached was taken out of service after the second breach and has not been used since.

The security lapses at the center are important not only for what they mean for the upcoming special election but also because the center is held up by the federal Election Assistance Commission as a model for election management and implementation of touch-screen voting systems. King and his staff train county election workers in Georgia and are often asked to speak to officials in other states and other countries.

King and other election officials in the state have staunchly defended their security practices for years, as well as the security of the Premier/Diebold machines, despite numerous reports from computer security experts citing significant security problems with the machines. In 2007, after noted computer security expert and Princeton University professor Ed Felten published a video showing how someone with physical access to the machines could introduce a virus into them, King dismissed Felten and other computer security experts as “theoretical scientists” in an interview with the Chronicle of Higher Education. Another worker at the center, Chris Ambrose, described as “one of Mr. King’s protégés,” called Felten, who more recently served as deputy U.S. chief technology office in the Obama administration, an “idiot.”

That aversion to security experts has extended to the secretary of state’s office. Last year, as concern about Russia disrupting the election rose, the Department of Homeland Security offered to help states lock down their election systems. Georgia was one of only two states that rejected the offer. “[B]ecause of the DNC getting hacked—they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Secretary of State Brian Kemp told Politico at the time. “And that’s just not—I mean, anything is possible, but it is not probable at all, the way our systems are set up.”

But critics say the tests Georgia performs are inadequate and that the center has shown a pattern of security failures that can’t be dismissed. In addition to failing to install the 2-year-old patch on its server software, Georgia, testimony in the injunction hearing last week revealed, is still using a version of software on its touch-screen machines that was last certified in 2005. That voting software is running on the machines on top of a Windows operating system that is even older than this.

“They’re standing pat with whatever they were using 10 years ago even though the evidence that this is not a secure setup is continuing to pile up,” says the person knowledgeable about Georgia’s voting technology.

* * *

In 2006, when Karen Handel ran for secretary of state of Georgia, she made the security of the state’s voting systems one of her campaign issues. After her win, she ordered a security review of the systems and the procedures for using them.

Experts at Georgia Tech conducted the review and found a number of security concerns, which they discussed in a report submitted to Handel. But, oddly, they were prohibited from examining the center’s network or reviewing its security procedures. Richard DeMillo, who was dean of computing at Georgia Tech at the time and led the review, told Politico he and his team argued with officials from the center in Handel’s office, but they were adamant that its procedures and networks would not be included in the review.

“I thought it was very strange,” says DeMillo. “It was kind of a contentious meeting. The Kennesaw people just stamped their foot and said ‘Over our dead body.’”

Although Handel could have insisted that the center’s network be included in the security review, she didn’t. But when DeMillo’s team submitted a draft of their report, he says she sent it back instructing them to add a caveat about the center’s absence from the review. It reads: “The Election Center at Kennesaw State University fills a key role in Georgia’s statewide election procedures, which makes it a potential target of a systematic attack. We did not have sufficient information to evaluate the security safeguards protecting against a centralized compromise at the state level.”

But once they delivered the finished report to Handel, DeMillo says, “We never heard anything more about it.” It’s not clear whether Handel’s office acted on recommendations made in the report. (Handel’s campaign office did not respond to a call for comment.)

What is happening in Georgia is unacceptable by any security profession standards. In January, Obama’s Department of Homeland Security designated election systems as ‘critical infrastructure’:

“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” Secretary of Homeland Security Jeh Johnson said in a statement.

The lackadaisical response of election officials to security threats in Georgia indicates that, even after the Russian hacking of the 2016 election, the security threat is not being taken seriously by local election officials.

11 Responses to Georgia’s vulnerabe election system: why election systems are designated ‘critical infrastructure’

  1. on DU yesterday their was a video of poll watchers in wisconsin using hand held clickers to manually count every ballot fed into the opti scan machine . they came up with different count then machine tallied. when they complained to voter officials on the video they were told nothing would be done about it. as bad this is it does not compare to the to main vulnerabilities voter registration tampering and absentee ballot tampering. “THEY” say no votes were changed despite what I just said about the video ;however “THEY” do not say voters registrations were not tampered with because we can prove they were in at least 39 states and probably more. wasting time on collusion red herring has cost us precious time to get the popular vote for president to pass in more then the 11 states that had passed it before the 2016 election.

    • “… they came up with different count then machine tallied.”

      You don’t say whether or not the poll watchers came up with the same count among themselves. You also don’t say what the difference in the tallies were. Human error is far more mikely a source for the error than the machines. I am particularly willing to question the veracity of the whole project as being reported correctly on DU. DU is not noted for a high degree of accuracy in the rumors and stories it carries. They have a real tendency to shoot first, then ask questions.

      • look at the video. those doing the counting were from both parties. also reports of this happening in other places and other elections like ohio in 2004. even worse was the large number of american citizens who were removed from the voter rolls by every thing from cross check to russian hacking the voter registration rolls in at least 39 states including arizona. remember the presidential primary here in arizona where life long republicans and democrats were told they can’t vote because their registration had been mysteriously change to no party affiliation!

    • John Huppenthal

      this stuff has been beaten to death over and over again.

      Unknown to most people, we do a genuine audit of election results in Arizona and, it is a hand count, not a machine count.

      I know about it because I designed it.

      The word audit is severely abused – it is supposed to be a random selection of a universe with is then examined to determine whether it is accurate or not or to allow us to make conclusions about the nature of the whole universe.

      If, election after election, year after year, the randomly selected races are always correctly tabulatede, you can reliably conclude the entire process is reliably correct.

      So, after elections, political parties put forth representatives who come together for a grueling exercise where precincts are randomly selected and races within those precincts are randomly selected and hand counted.

      A true audit.

      This has been going on for over a decade.

      It is mind numbingly difficult to get hand counts to match the quality of machine counts. The research is clear, machine counts are vastly superior to hand counts in quality and accuracy. And, there is a lot of research on this point both theoretical and historical.

      • You didn’t design the Arizona audit. The people with the Citizen’s Election Integrity Committee designed it, all you did was to accept their design after the voters slapped your sorry ass and elected to have statewide random hand recount audits of the elections in a Citizen’s Initiative … which you opposed. And all that was after you gutted the original Audit bill in the Senate. Don’t you DARE try to take credit for something that you first tried to destroy.

        • John Huppenthal

          Go back to the original bill and look at that sorry mess and compare it to the final product.

          The art of great legislating is to make the guy on the other side of the table think it was his idea.

          Nobody on your side of the table had any knowledge of statistics, random samples, sample sizes, stratified samples, etc or had the ability to read the research to understand the weaknesses of hand counts.

          I suppose you think that design materialized out of thin air.

          So, where do you think that final design came from?

  2. In 2002, Georgia was the first state in the nation to use uniform electronic voting, a touch screen imaging device with three back-up systems. It also electronically purged rolls of dead and ineligible voters. Perhaps it was also the first state to be hacked. Polls very shortly before the 2002 Georgia gubernatorial election gave Dem. incumbent Gov. Roy Barnes a lead of several points over republican opponent Sonny Perdue. An upset victory of 51 to 46 percent gave the election to Perdue who became the state’s first republican governor since Reconstruction. Or perhaps his victory was due to voter discontent of Barnes educational reforms, removal of the confederate symbols from the state flag, or a general shift towards republicans state wide. There were, however, widespread allegations of hacking. (Perdue, as the current Secretary of Agriculture, was one of those who gave embarrassingly ridiculous praise to the president, at the beginning of Trump’s first cabinet meeting.)
    I have never understood why voters could not vote electronically, have an immediate print-out of how they voted to check against their screen vote, and deposit the print-out as a back-up for recounts if needed. But then I have never even understood how officials get away with making voting difficult for certain groups and easy for others.

    • “But then I have never even understood how officials get away with making voting difficult for certain groups and easy for others.”

      Doug, the standards and laws are exactly the same for everyone. How could it be easier for some and harder for others?

      • Several ways are possible. You create standards and laws that place a burden on groups that you don’t want voting. After Shelby County vs Holder, several Republican controlled states passed laws that would make it much more difficult for the poor, the elderly, and African Americans–traditional Democratic groups–to vote. These laws include photo ID laws, residency restrictions, and an end to early voting. In a recent N.C. case, the court ruled “Before enacting that law, the legislature requested data on the use, by race, of a number of voting practices. Upon receipt of the race data, the General Assembly enacted legislation that restricted voting and registration in five different ways, all of which disproportionately affected African Americans” and “with almost surgical precision.”
        Another way is to apply the exact same laws differently and we have a long, long history of doing that against African Americans and Latinos and others with poll taxes, literacy tests, residency requirements, and record-keeping requirements.
        Third, you control voting at the polling place. In areas you don’t want voting, you create fewer precincts, give older slower machine, under staff, or intimidate. You create long, slow lines in areas you dislike and fast, efficient lines in those you like.
        You can also render votes less meaningful by Gerrymandering, state manipulations such as County Unit systems (where votes in some counties count less than in others in state wide elections), creation of a senate where popular representation is so secondary that the two guys representing Wyoming are 66 times more power than the two women representing California, and an Electoral College where the nationwide popular vote is secondary to the popular vote within a state. (As an aside about the Gerrymandering, I happened to be at Emory when the head of the state redistricting committee stated to his fellow legislators, words to the effect, “Gentlemen, we ain’t creating a N—– district.” )
        Unfortunately, even if standards and laws may seem to be the same, they are too often applied differently, either institutionally or by individuals.

        • Doug, thank you for a serious and well thought response! You obviously put a lot of time and effort into it and I want to give it a fair response. One thing that jumped out at me is all of the things you mentioned have happened in the past. Steps were taken, laws were passed, and efforts made to stop all of them from continuing to occur. I think that, to a great extent, they were successful.

          BUT, I also think that if things are not carefully monitored, these nasty things could come back very easily. In fact, after listing them for me, you made me think that some of those things are probably still happening in certain areas because of complaints we have heard in recent elections. I usually dismiss complaints after an election because it is usually the losing side that cries “Foul!”. But some of those complaints have the ring of validity to them and that is why I think you may be correct about the same laws not being applied equally.

          Thank you for offering some things to think about. At the very least, I withdraw my smarmy question about how can the same law be applied differently to different people. ;o)