Mediaboss Marketing

ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as theyre published.

This article was co-published with The Atlanta Journal-Constitution.

It was a stunning accusation: Two days before the 2018 election for Georgia governor, Republican Brian Kemp used his power as secretary of state to open an investigation into what he called a failed hacking attempt of voter registration systems involving the Democratic Party.

But newly released case files from the Georgia Bureau of Investigation reveal that there was no such hacking attempt.

The evidence from the closed investigation indicates that Kemps office mistook planned security tests and a warning about potential election security holes for malicious hacking.

Kemp then wrongly accused his political opponents just before Election Day a high-profile salvo that drew national media attention in one of the most closely watched races of 2018.

The investigation by the GBI revealed no evidence of damage to (the secretary of states offices) network or computers, and no evidence of theft, damage, or loss of data, according to a March 2 memo from a senior assistant attorney general recommending that the case be closed.

Subscribe to the Big Story newsletter.

The internet activity that Kemps staff described as hacking attempts was actually scans by the U.S. Department of Homeland Security that the secretary of states office had agreed to, according to the GBI. Kemps chief information officer signed off on the DHS scans three months beforehand.

Although there was no malicious hack, the GBI files also report that the states website where voters can check their information did have a significant vulnerability a flaw Kemps staff still wont acknowledge a year and a half later.

Candice Broce, Kemps spokeswoman, continued to insist Friday that elections officials responded to a failed cyber intrusion, despite the GBIs findings that scans came from DHS.

The attorney general determined that the secretary of states office properly referred this matter to law enforcement for investigation, Broce said. The systems put in place by Brian Kemp as Georgias secretary of state kept voter data safe and secure.

In 2018, while the secretary of states office rushed to fix the vulnerability before Election Day, Broce, who was also Kemps spokeswoman then, said the last-minute patches to the website were standard practice.

The attorney generals office in March closed the investigation Kemp started, finding no evidence that would justify a prosecution.

After the investigation ended, The Atlanta Journal-Constitution used the Georgia Open Records Act to obtain 395 pages of GBI case files, including interview summaries, emails and election security reports.

Accusing an opponent of criminal acts without basis in fact, and lying to the public to cover up their own ineptitude, was a breach of public trust, Sara Tindall Ghazal, the Democratic Party of Georgias voter protection director at the time, said in an interview. Ghazal helped alert authorities to the election website vulnerabilities.

The GBI files dont explain the basis for the decision by Kemps office to blame the Democratic Party or support his accusation. Kemp went on to narrowly defeat Democrat Stacey Abrams in the election for governor.

Events unfolded quickly when Richard Wright, a Roswell voter, noticed vulnerabilities in the states election website shortly before voters went to the polls Nov. 6, 2018, according to the case files.

Wright, a Georgia Tech graduate and Democratic voter who works for a software company, had listened to a news report about a lawsuit over election security. He then checked his voter registration information and used his web browsers built-in tools to analyze the states My Voter Page.

When visiting the MVP site, I was curious if there were security issues given the recent news coverage I had heard, Wright wrote in a response to questions from the attorney generals office.

Wright found that he could look up other voters information by modifying the web address on the site, a flaw confirmed by ProPublica and Georgia Public Broadcasting before it was fixed.

He also made more disconcerting claims, that someone could download any file on the system as well as voters drivers license numbers and partial Social Security numbers. Those allegations were not substantiated. Wright told investigators he didnt attempt to look at any information on the website other than his own and his wifes.

Kemps office disputes Wrights allegations.

Richard Wrights allegations sent through the Abrams campaign and funneled to the Democratic Party of Georgia were false because you could not access confidential voter data, Broce said.

After discovering the vulnerability, Wright contacted plaintiffs in the election security lawsuit and the Democratic Party of Georgia. They passed along his concerns, which soon reached the FBI, the National Security Agency, the GBI, the Abrams campaign, Georgia Tech professors and attorneys for the secretary of states office.

Kemps staff began looking into Wrights claims. If true, they would be another blemish on Kemps election security record after his office had previously exposed voter data. (Georgia's Center for Election Systems at Kennesaw State University had wiped election servers soon after Kemps office was sued over another matter.)

His staffers, however, suspected hacking.

Our vendors research shows that the only way to accomplish this on the site is using tools designed to attack websites, which is what we fear is happening here, Ryan Germany, Kemps general counsel, wrote in a Nov. 3 email. Our vendor is making changes tonight to resolve the issue and is reviewing logs, but after our initial research it seems that we are dealing with an intentional attempt to hack a website.

An election security vendor for the state, Fortalice Solutions, later concluded, however, that there was no evidence that voter information had been accessed, manipulated or changed by bad actors.

Fortalice also confirmed vulnerabilities that exposed files on the My Voter Page. DHS exploited those vulnerabilities when it was testing Georgias election system in October 2018, according to the GBI files. Details of Fortalices findings were redacted from those files. The company said the vulnerabilities did not reveal confidential voter information.

Nevertheless, having an unpatched vulnerability like this is a really big problem, said Richard DeMillo, a Georgia Tech cybersecurity professor contacted by the Democratic Party with Wrights concerns. Since we know that the Russians were probing voter registration sites, why would you assume this kind of vulnerability wasnt something they could exploit?

Wrights email to the Democratic Party included an attached file that showed his web browsers interactions with the My Voter Page. The way the website worked suggested to Wright that the system could be exploited.

When that email reached Kemps office, Broce told investigators she thought the attachment was a script that could be used for hacking.

That wasnt true, according to a GBI digital forensic investigator. The file was merely a roadmap of the websites behavior.

But someone else was probing Georgias election websites: the U.S. government. The DHS Cybersecurity and Infrastructure Security Agency confirmed it was conducting cyberhygiene scanning to find vulnerabilities, tests that had been approved in advance by Kemps office.

Broce, who was both Kemps press secretary and a staff attorney, told investigators she was concerned that Wright had spoofed internet addresses to make it look like they were coming from DHS. Investigators later confirmed with Homeland Security officials and their network providers that they were the source of the scans.

It remains unclear how Kemps staff concluded that the Democratic Party was responsible for a hacking attempt. The partys only role was that it had forwarded an email about vulnerabilities to two cybersecurity professors at Georgia Tech, including DeMillo, who then alerted authorities. The GBI did not interview Kemp about the case.

Instead of immediately addressing the problem, it became political. It became an attack on the Democratic Party on the eve of the election, said David Cross, an attorney for plaintiffs in the election security lawsuit against the state. I dont see any way anyone could have a genuine belief there was any hacking done at all, much less by the Democratic Party.

While publicly denying Wrights claims about vulnerabilities, behind the scenes, Kemps staff was working to correct them.

ProPublica and GPB reported on the day before the election that Kemps office was patching problems with the states election website, even as Kemp maintained the system was secure. The GBI files confirmed that the My Voter Page was modified to restrict access to vulnerable areas.

The secretary of states firewall hadnt been set up to block access to the locations identified by Wright, according to a GBI agents report. Election officials then set up safeguards to restrict access to the vulnerable areas on the last two days before the 2018 general election.

ProPublica found at the time that the vulnerability gave access to some nonconfidential information on the My Voter Page, such as a voters absentee ballot status. Birthdates, Social Security numbers and drivers license numbers werent available. It wasnt clear what sensitive information, however, could have been inadvertently accessible before programming errors were fixed.

Even if the security vulnerabilities revealed public information, webpages would have been nonetheless visible to people who shouldnt have been able to see them. The flaws also exposed details of the computer system that could have given hackers a road map to inflict greater damage.

Georgia election officials and their cybersecurity companies should have detected the problem before Wright brought it to their attention, said Frank Rietta, the CEO of Rietta.com, a web application security firm based in the Atlanta suburb of Alpharetta. Users of the My Voter Page were able to access voter registration information without first logging in.

This type of weakness, called broken access control, is one of the 10 most critical web application security risks, according to the Open Web Application Security Project, an organization that works to improve software security.

The fact that theres one vulnerability is an indication that there might have been other vulnerabilities, Rietta said. We should want to fix vulnerabilities, not pretend theyre not there until it is exploited by the bad guys.

When Kemps office found out about the problem, Broce repeatedly dismissed it. While some of Wrights concerns werent validated, the GBI files confirmed that anyone could alter web addresses to access other voters information on the My Voter Page.

Then Broce said changes to the website were routine, meant to accommodate high traffic prior to Election Day, when in fact election officials were fixing a vulnerability Wright had brought to their attention.

We make changes to our website all the time, Broce told ProPublica and GPB at the time. We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.

Even after the GBI cleared Wright, Broce said the investigation was appropriate.

Wright declined to comment for this article, but he answered a list of questions for the attorney generals office about his findings.

I do not engage in hacking activities. I reported the vulnerability that I discovered on the SOS My Voter Webpage because I was concerned that our elections process might not be secure, Wright wrote.

Broce suspected a Democratic Party plot to undermine Kemps credibility, according to an interview with the GBI.

She was also facing questions about security weaknesses from reporters for the website WhoWhatWhy, who she speculated were working with the plaintiffs in the election security lawsuit.

Broce told investigators that cybersecurity companies had identified attempts to exploit voter registration websites, but they werent able to verify where the scans came from. Those companies later verified that they originated with Homeland Security.

Soon after WhoWhatWhy published its article alleging that a hacker could compromise Georgias election, Broce posted a press release on the secretary of states website saying that the office was opening an investigation of the Democratic Party, alleging a hacking attempt.

Ghazal, with the Democratic Party, said in an interview that the party reported the website vulnerabilities but made no effort to publicize them, contact news media or turn them into an attack.

Clarification, May 29, 2020: This story was updated to clarify who wiped election servers soon after Brian Kemps office was sued over another matter.

Read the rest here:
Law Enforcement Files Discredit Brian Kemp's Accusation That Democrats Tried to Hack the Georgia Election - ProPublica