Kemp Cites Voter Database Hacking Attempt, Gives No Evidence
5.11.2018 securityweek
BigBrothers

The office of Secretary of State Brian Kemp, who is also the Republican gubernatorial nominee, said Sunday it is investigating the state Democratic Party in connection with an alleged attempt to hack Georgia's online voter database, which is used to check in voters at polling places in the midterm elections.

The statement offered no evidence for the claim and didn't specify allegations against Georgia Democrats. But it quickly became a last-minute flashpoint in one of the nation's most closely contested governor's races as Tuesday's election loomed.

Democrats viewed the development as more evidence that Kemp's office, which oversees elections, was serving as an extension of his gubernatorial campaign. Republicans, meanwhile, framed it as an instance of Democrats trying to arrange nefarious votes. It's playing out the same day that Kemp will campaign alongside President Donald Trump in Macon.

As he left the White House on Sunday for Georgia, Trump said he hadn't been briefed on the issue and didn't know anything about it.

Kemp's office said federal authorities had been notified. The FBI declined to comment on the matter. A representative for the Department of Homeland Security confirmed the agency had been notified, but it deferred to Georgia officials for details.

Sunday's announcement came as the Coalition for Good Governance, a plaintiff in a lawsuit against Kemp alleging gross negligence in managing the state's elections, cited published reports saying a third party had discovered that Georgia's online registered voter database — which his office manages — is subject to hacking that could alter voters' information or remove them from the registered voter list altogether.

University of Michigan computer scientist Matthew Bernhard reviewed the reported flaw — which the Democratic Party on Saturday asked several computer scientists to review — and told The Associated Press it could have allowed anyone with access to an individual voter's personal information to alter the record of any voter in the system.

The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.

Democrat Stacey Abrams, who would become the nation's first black female governor if she wins, has called Kemp "an architect of voter suppression" and says he's used his post as chief elections officer to make it harder for certain voters to cast ballots. Kemp counters that he's following state and federal law and that it's Abrams and her affiliated voting advocacy groups trying to help people, including noncitizens, cast ballots illegally.

The atmosphere has left partisans and good-government advocates alike worrying about the possibility that the losing side will not accept Tuesday's results as legitimate. Polls suggest a tight race.

The accusation is not the first from Kemp accusing outsiders of trying to penetrate his office. Immediately after the 2016 general election, Kemp accused the federal Department of Homeland Security of trying to hack his office's network, an accusation dismissed in mid-2017 by the DHS inspector general as unfounded.

Even before he was running for governor, Kemp faced criticism over Georgia's election system.

Georgia's current centrally managed elections system lacks a verifiable paper trail that can be audited in case of problems. The state is one of just five nationwide that continues to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don't leave a paper trail.

Kemp has previously been accused by election-integrity activists of mismanaging state elections as Georgia's top elections official through poor oversight and in resisting the transparency they say is necessary to instill faith in the process.

In 2015, Kemp's office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.

His office made headlines again last year after security experts disclosed a gaping security hole that wasn't fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia's 6.7 million voters, as were passwords used by county officials to access files.

Kemp's office laid the blame for that breach on Kennesaw State University, which managed the system on Kemp's behalf.

In the voting integrity case, a federal judge last month endorsed the plaintiff's arguments that Kemp has been derelict in his management of the state election system and that it violates voters' constitutional rights with its lack of verifiability and reliability.