Georgia Secretary of State Brian Kemp, who has refused to recuse his position as the state’s top election monitor as he runs for governor on the Republican ticket, is running a desperate race against his opponent, Democrat Stacey Abrams. Georgia is a Republican stronghold and hasn’t had a Democratic governor since 2003, but the race is now so close in the polls that Republican officials believe it will go to a runoff.
Kemp’s office has faced relentless criticism for allegedly abusing its power to purge voters before the race, and this weekend, it announced it was investigating the Democratic Party of Georgia (DPG) for “possible cyber crimes” related to state election sites. The DPG called the supposed investigation “a reckless and unethical ploy” before the imminent election. It’s become abundantly clear that Kemp is trying to characterize the discovery of a security vulnerability in one of the electoral systems he is responsible for as a crime—and according to ProPublica, state officials are quietly patching said bug even as Kemp’s office accuses those involved of alerting his office to it of a criminal conspiracy.
On Sunday, news broke that the Georgia Democratic Party (GDP) had received detailed information from a tipster about a vulnerability in the state’s My Voter Page and online registration system that could potentially let hackers access or modify protected data, and subsequently passed on that information to security experts. Those experts then forwarded the tip, which had an attachment containing a script that could exploit the vulnerability, to Kemp’s office, GDP officials told the Washington Post.
Explaining the nature of a vulnerability and how it can be exploited is beyond routine for cybersecurity experts—it’s the core basis of the entire field. It is like a fire marshall warning you of frayed wires near shoddy gas lines. Many tech firms, and even U.S. government entities like the Air Force, run bug bounty programs specifically designed to reward security researchers who discover major issues before malicious parties learn of them on their own.
Kemp has a long record of either failing to understand or deliberately misleading people on cybersecurity and election systems, including wiping a voter database after it was reported to have inadequate security measures and baselessly accusing the Barack Obama-era Department of Homeland Security of trying to hack his office’s computer systems. When he announced his supposed “investigation” on Sunday morning, it created the very strong impression that he was abusing his position to retaliate against political opponents who had stumbled across evidence of his office’s incompetence.
Georgia officials have repeatedly denied that there was in fact any issues with the system. But according to ProPublica, which examined the original tipster’s vulnerability report, it now looks like state officials are quietly rewriting elements of the page’s code to fix their mistakes:
Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.
ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.
ProPublica’s attempt to take the next step—to poke around the concealed files and the innards of the operating system—was blocked by software fixes made that evening. According to the tipster’s recipe, it was also possible to view a voter’s driver’s license, partial Social Security number and address.
According to ProPublica, their investigation found “traces of the same vulnerabilities” identified by the original tipster.
ProPublica added that the state was apparently unaware that the GDP had merely received a tip until Sunday evening, when ProPublica contacted them. Instead, ProPublica wrote Kemp’s office claimed it was under the impression the GDP had written the script attached to the tip themselves.
Kemp spokesperson Candice Broce said on Monday that “There was nothing to substantiate” allegations of a major cybersecurity issue, and characterized changes being made to the website as routine pre-election maintenance, the site wrote. Still, Broce doubled down in a statement to the site that the “investigation” is warranted:
“You don’t have to actually have someone who is successful in running up against your system,” they don’t have to find a vulnerability for it to be potentially criminal or even try and execute it, Broce said. “All you need, to open an investigation, is information suggesting plans and an attempt to put together some kind of program or utilize specialize tools to find a vulnerability. We did have evidence,” she said, referring to the email forwarded by Small.
It’s true that any entity can claim to have launched an “investigation” into anything on whatsoever basis it chooses. But as national security and civil liberties journalist Marcy Wheeler noted on Twitter, the Georgia secretary of state’s office is not a law enforcement entity, and thus its assertions of “possible cyber crimes” are little more than bluster unless they are subsequently pursued by organizations like the FBI.
Further, as ProPublica noted, officials’ rush to fix the vulnerabilities could create additional problems: “Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.”
Election Day, when voters can decide just how they feel about Kemp’s handling of this issue and others, is Tuesday, Nov. 6.