Yes, Georgia Elections Can Absolutely be Hacked
Earlier this week, the folks in GA-6 elected a new representative to serve them in Washington. Congratulations to Congresswoman-elect Karen Handel.
That said, you may have seen the headlines from Politico and others regarding the security of Georgia elections in the run up to the runoff, and I’ll admit, they were outright terrifying, so the editors achieved their purpose. In case you were wondering, no, it’s not fake news. Yes, Georgia elections can be hacked. We know this because it’s happened. Now, we had few-to-no issues contributing to the results on Tuesday night regarding election fraud, certainly not enough to alter the result, so regardless of what else you read, Karen Handel was the winner on Tuesday because more people in GA-6 intentionally voted for her. Please make no mistake, though: We’ve been lucky. Exceptionally lucky, given our system. We need to make changes before our luck runs out. Next time, it may not be a “friendly” who hacks us.
I had — until I moved to North Carolina in 2014 — never voted in person in any other method other than on an electronic machine. My experience voting in Durham County, North Carolina was quite the shock when I was handed paper and pen, but it’s a story for another time. (Also, the paper and pen may not have been as backward as I thought at the time. More on that later.) 2000 was the first election in which I was able to vote, and Columbia County was a test site for electronic machine voting. Then-Secretary of State Cathy Cox moved to adopt machine voting statewide for the 2002 election. We’re using the same kind of machines in 2017 that I used in 2000. Even if we knew nothing else about our voting system, it should concern us, given what we know about obsolescence, that our state has not upgraded or changed models of machines for nearly 20 years. Dude, are you still plunking away on that Dell Slacker Steve convinced you to buy in 2002? No? Didn’t think so.
To give you a little insight into the system we use, our machines are AccuVote-TS, originally produced by Global Election Management Systems, which was acquired by Diebold Election Systems between the time the state purchased them and the time they were put into circulation in 2002. Counties use servers with GEMS software purchased as part of the original contract. This software runs on the Microsoft Windows 2000 Operating System with Service Pack 4 installed. Microsoft stopped supporting this operating system in 2010. The machine software runs on a modified Windows/CE Operating System. Of note: The last certification for our voting system occurred in 2005.
Prior to the 2002 election, counties were responsible for their voting equipment, but in 2001, the Georgia General Assembly mandated that the state move to a uniform system. People thought the “lost ballots” in Florida were ugly in 2000, but Georgia actually had a much higher rate of “lost ballots” in that election than our neighbor to the south, which is what prompted the swift change. The Center for Elections Systems at Kennesaw State University has assisted with the implementation, operation, and support of Georgia’s electronic voting system since 2002.
The first year of statewide electronic voting was messy, to put it kindly. Cox insisted that implementation was a success, but even back then, critics complained about the lack of a print-out to verify their votes. The machines were glitchy, many had to be rebooted, and one county couldn’t get any of its machines to transfer vote totals to the county server. None the less, expert analysis of the 2002 election found that we had fewer “lost ballots” in that election than in previous elections, so Cox was validated. The machines were better than our previous hodgepodge system.
However, better doesn’t mean perfect — or even good enough. A team of experts from Georgia Tech noticed vulnerabilities in our voting system, which they reported to then-Secretary Karen Handel in 2008, though they felt as if she didn’t respond to them, according to The Washington Post‘s columnist Dave Weigel’s recent column. First, let me assure you that though Secretary Handel commissioned the report from Tech, she was under no obligation to let them know what she did or didn’t do with their suggestions. Secondly, in 2008, there would have been more concern with system failure than system hacking, especially since most of the hacking to that point required the internet, and the servers were (and are still) supposed to be kept offline. Could Secretary Handel have done more with the report? Probably, given a simple systems analysis would have pointed out the shaky wisdom of allowing prisoners to transport voter machines, for example. However, she has been out of office for seven and a half years — more than enough time for her successor to make necessary corrections or own the consequences.
Current Secretary of State Brian Kemp often states that because our systems are offline, they are therefore not hackable. He also has explained the steps his office takes to ensure elections integrity. The problem is that there are have been ways around those protocols for many years, as noted by two Princeton graduate students in this short video and this much more detailed report. (Yes, those are the machines we use in Georgia.) Notice that they were able to break into a machine and install a virus in less than five minutes. Are poll workers ever alone with the machines for five minutes? How about the student workers, or heck, even the employees at Kennesaw State? As noted in the video and report, the virus created does have the ability to jump from machine to machine through data loaded onto the GEMS servers. There are several scenarios in which we could have even small amounts of votes stolen that could change the outcome of an election. If the recent NSA leak taught us nothing from the report itself, we should note that we can’t always know the minds of people, even when they have a previous pristine service record and even when they have been vetted. Therefore, having equipment with obvious, known vulnerabilities in situations that could give individuals (even ones we believe to be trustworthy!) the opportunity to alter results is a security failure on the part of the state. It’s one of the biggest reasons why many states have reverted to paper balloting, meaning Durham County in the Old North State probably isn’t as backward as I thought it was when I voted there. (All the states in gray here use this low tech method; Georgia is one of five tan-colored states, which offer no paper trail.)
What’s far more likely than intentional sabotage, of course, is carelessness. This seems to be the what caused the most recent black eye for Secretary Kemp regarding Georgia elections security. Last year, cybersecurity researcher Logan Lamb (as noted in the Politico report) conducted an experiment out of curiosity on the Center for Election System’s website that exposed a stunning amount of information, none of it password protected:
Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.
The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.
Subsequent reports have noted that systems that were meant to be offline have been plugged into internet ports at times. Given what was accessed by Lamb from scraping the website, it seems highly unlikely that the Center or Secretary Kemp can accurately say the servers and machines are never online. This data breach came just over a year after Secretary Kemp’s office mailed out the complete voter registration file to 12 entities. He assured us all he got the 12 discs back and no one made copies, but there is no guarantee of that.
As a reminder, your driver’s license and social security number are included in your voter file. It has been exposed twice that we know of in the past three years.
The response from Merle King, the director of the Center, when Lamb let them know what he’d found was to threaten him and ignore his suggestions until he and another security expert, Chris Grayson, notified the head of IT at Kennesaw State, who ensured that the Secretary of State and Governor were notified. During the April special election, Cobb County had some voting equipment stolen and delayed reporting the theft to the Secretary of State. Now, two incidents don’t make a pattern, but it seems highly coincidental that neither were in a rush to notify Secretary Kemp. Why? Did they feel he wouldn’t care, or were they afraid he’d come down hard on them? Was the Center correct in hinting to Lamb that “downtown” would go after him instead of fixing the problem? Most importantly, is there a reporting schedule for issues like these, and if so, is it being followed?
The Atlanta Journal-Constitution reported last week that the Center for Elections Systems might lose its contract with the state on June 30 now that the issues have come to light. I’d be more surprised if they kept their contract than if they didn’t. Secretary Kemp has to do something to divert most voters from the realization that I have come to in that he’s in over his head when it comes to data security.
Which brings me to my real annoyance. Sure, I’m unhappy that my voter file was available to everyone who wanted it for who knows how long? I’m also deeply displeased that we are still using voting equipment that is about half my age and we are told to believe that it is secure because of a series of tests that I know can be circumvented after two IS courses in data curation and digital forensics. But no, there’s more.
Data security is nerdy. It’s vitally important, but the general public doesn’t care unless it affects them negatively. That means it’s up to us, those of us in CS and IS fields, to care — and that absolutely must include the Secretary of State in a state that has a uniform statewide electronic voting system because, for heaven’s sake, man, it’s your job!
We elect our Secretary of State like every other statewide position, so there’s no requirement that we hire someone who understands IT. That’s fine. I don’t expect the Governor to come with a Ph.D. in economics, either. What it does mean, though, is the person who seeks the job must be willing to accept help from those who do have expertise in the field and recognize who “the bad guys” are who are out to compromise elections and steal voter information. (Hint: It’s not the U.S. Department of Homeland Security.)
My absolute biggest issue is that Secretary Kemp displays all of the intellectual curiosity of a wooden post on the topic of data security and yet still somehow disdains those who would offer help, warn him of blatant problems or, apparently, deign to attend an Ivy League school. I can forgive a lot of mistakes, but I cannot and will not forgive refusing to learn or care, especially when it is a critical part of one’s job that affects the personally identifiable information (PII) of millions of people in Georgia. To be sure that I’m being fair to Secretary Kemp, I want to include an article with the state’s responses to many of the security issues raised here, though I should point out it was King doing the responding to the Atlanta Journal-Constitution, and his reputation has taken a bit of a hit over the Center’s security lapses.
As a digital archivist who is an employee of the state of Georgia, I would expect to be put on notice if I exposed donor PII once and fired if I exposed it twice. I would further expect not to make tenure, much less receive a promotion, if I refused to increase my base of knowledge in a critical area of my field.
Secretary Kemp is like me in that he is an employee of the state of Georgia, but unlike me, he has 6.7 million supervisors who vote on his performance every four years. He’s not running for reelection in 2018, for which our PII can breathe a sigh of relief. However, he’s thrown his name in the ring for a bigger position — Governor. If his portfolio for tenure is questionable, and it definitely is, he shouldn’t receive that promotion.
About Author
Holly Croft
Holly is an archivist at one of Georgia's institutions of higher learning. In a past life, she was a legislative assistant on Capitol Hill. She cares a lot about records management, open records laws, and privacy laws. Political persuasion? It's complicated. What's not complicated is that she's proudly equal parts Bulldog and Tar Heel.
Add a Comment
You must be logged in to post a comment.
Thanks for continuing to spotlight.
“He assured us all he got the 12 discs back and no one made copies, but there is no guarantee of that.”
My recollection is that Kemp assured the public that the 12 discs had been returned or that recipients assured him they had destroyed their discs, an even lower standard.
A Tale of two voters. Voter ‘A’ registered years ago when citizens were duped to put their full social security number on the registration form. Voter ‘B’ re-registered recently and removed non-required identity information such as full social security number, telephone, race (just check unknown/other), etc. no longer required by law.
After the little identity oops…
Voter ‘A’ qualified for identity theft monitoring paid for by GA SOS.
Voter ‘B’ did not.
Moral of the story, re-register in your county to remove non-required personal information from your voter file.
That’s why the Secretary of State’s office and local Election Boards are supposed to have both internal and compensating controls when it comes to elections to help thwart fraud. In my county, the Board of Elections handles the maintenance of the machines locally and are locked in a closet near the security entrance, so a bailiff (or bailiffs) are normally there. Plus, the sheriff’s office is next door, so it’s highly unlikely that a person will break in and modify the voting machines in Walker County. Of course, that’s one county out of 159.
That’s not to say that this isn’t an important issue. It is, and I hope Secretary Kemp’s successor takes this seriously (including in-sourcing the management of systems with PII). We’ve probably reached the end-of-life for these machines, but there is not a single magical solution.
It is concerning that GEMS is on Windows 2000 and our voting machines run a version of Windows CE, but it’s also concerning that a number of ATMs are still running Windows XP for Embedded Systems and some cash registers are still running IBM’s OS/2 Warp. If we’re going to highlight vulnerabilities in systems, let’s also focus on some of those in private industry. Someone stealing my credit/debit card information or checking account information has more of an immediate impact on me than some of the perfect storm scenarios of hacking voting machines. No system is absolutely secure. That’s why those internal and compensating controls are there to help mitigate those risks.
When we update/modernize our election system, it will be an expensive process. There will be a lot of hemming and hawing at the price tag by representatives, the governor, and constituents, but it’s something we do need to look at doing in the near future. Although, folks advocating a return paper ballots shouldn’t complain when ballot tabulation takes *A LOT* longer on election night than using the DRE machines that we use currently.
My focusing on this system doesn’t mean that other systems aren’t important, of course. However, we have a problem (or, more accurately, many problems) with this system that allows us to exercise our right to vote. Though, I suppose ATMs and cash registers fit under Congressional jurisdiction (commerce), so they may want to insist on an update. The bankers will love it. 😉
It’s going to cost between $2500-$3000 per machine to replace the ones we have, and there are roughly 27,000 of them. That’s $67.5 million to $81 million to buy new machines, which is the second reason many states returned to paper ballots.
What is the solution to protect the vote?
Once the solution is defined the legislature has to authorize funding the fix, and the Gov. commit to support the State moving forward quickly. In 2011 I was having this same discussion with my House and Senate members about funding a fix…
What about a machine vote register that would produce an optical scan paper ballot to be deposited in a ballot box, presuming reliable reasonable cost printers? Precincts tallies could readily be audited by scan, and perhaps some even manually.
That was what Durham County was using, actually: http://www.pewresearch.org/fact-tank/2016/11/08/on-election-day-most-voters-use-electronic-or-optical-scan-ballots/ft_16-11-07_votingtechnology/
It took forever to vote up there, but that was mostly getting through the line. Those people believed in turnout, at least at my precinct. The check in process was clunky and insecure, but the voting itself was fine. We used black pens and had to fill in ovals completely. Then we handed the completed ballot to the poll worker at the scanner, who looked over our ovals, and then fed the ballot into the scanner.
Results in NC were, of course, slower than in GA, even with some hiccups from our machines. I was paying attention to their gubernatorial race this past year, and I know from Facebook that Durham County finally reported all ballots at 12:03 AM (they were the last outstanding county, I believe). It’s about a two hour difference from when we’re used to seeing our results finalized.
The National Council of State Legislatures says two types of scanners are needed, precinct scanners and central count scanners. I have no idea how many precincts exist in the state, but each one would need a precinct scanner, which costs between $2,000-$5,000, and every county would need the central count scanner, which is between $70,000 and $100,000. We have 159 counties, so that second part is easy to figure: $11.13 million to $15.9 million. Further, you can steal votes with these scanners, but a hand recount would ruin any attempt to change results unless the ballots themselves were switched.
Whatever we do is going to be expensive. Nathan’s right, we’ve got to prepare to spend money on updating the system now.
I recently voted in the GA-6 election where there was $150 in campaign expenses for every vote.
If only we could get people to send their donations to the government instead of candidates for political office…
We probably already have at least some of those scanners as I believe absentee and provisional ballots are currently optical scan.
Optical scan isn’t perfect either but random manual audits and audits of anomalous results should minimize any problems. FWIW, hand counting paper ballots isn’t exactly without problems too.
They do use optical scan. They are old, slow, and clunky, though. They have to be fed in as well. Current technology (not what is being used now) would allow you to do hundreds at a time. I watched a live feed of one of the counties in GA-6 and they stated that technology exists that could process 600 per minute.