This weekend one of the most heated, and some would say racist, races in American politics in decades took a suspicious and chaotic turn. In the race for Georgia Governor, between Georgia Secretary of State Brian Kemp, who is also responsible for the state’s election oversight and security, and Stacey Abrams, his Democratic opponent, it appears as though politics may be taking priority over security.
Yesterday morning Kemp’s press secretary Candice Broce issued a statement which read as follows:
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes. We can also confirm that no personal data was breached and our system remains secure.”
While the claim that Kemp, a Republican, is investigating the Democratic Party of Georgia just three days before the election seems suspicious, it pales in comparison to what really appears to have taken place behind the scenes.
According to investigative journalists at WhoWhatWhy.org, the Georgia Democratic Party is not only being investigated for a crime that they did not commit, but they were actually the ones who pointed out the flaws in Georgia’s voter registration system prior to Kemp’s office making its announcement.
Just before noon on Saturday, the Democratic Party of Georgia contacted election security experts, indicating that there were “massive” vulnerabilities within the state’s voter registration system, including Georgia’s My Voter Page. WhoWhatWhy gained access to this email, thanks to a third party, and published part of it on their website this weekend. Sara Tindall Ghazal, the voter protection director for the Democratic Party of Georgia, wrote the following email to two security experts at 11:43 am on Saturday morning. The email also included a document describing the vulnerabilities in detail.
I hope you both are well and do not mind that I am reaching out to you directly. We received an email today with the attached data. If this is accurate, it is a massive vulnerability. I do not have the sort of technical background to evaluate it properly.
Thank you for your time, and I look forward to hearing from you. I also hope you both might be available AFTER November 6 to have a longer conversation about election security and election systems.
These vulnerabilities would allow for some of the least sophisticated hackers to break into the database, which includes millions of voters, and would allow them to not only access that information but edit the data as well. Doing so could allow voter registrations to be completely deleted, causing chaos and preventing Georgians from being able to vote on November 6.
Since this story broke, multiple computer security experts have independently verified that the state’s voter registration system is clearly vulnerable to attacks similar to those described in the email sent from Georgia’s Democratic Party to election security experts prior to Kemp launching an investigation into Georgia’s Democratic Party.
“For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,” Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. “They should not be trusted with personally identifiable information again. They have showed incompetence in proper privacy-protecting data custodian capabilities.”
In addition to Georgia’s Democratic Party notifying security experts of the hackable databases, Bruce Brown, an attorney for the nonprofit Coalition for Good Governance, had emailed both Roy Barnes and John Salter, counsel to Brian Kemp, to notify them of the same vulnerabilities. This email was sent on Saturday evening at 7:03 PM.
Kemp’s office itself said that it launched the investigation into the Democratic Party of Georgia on “the evening of Saturday.”
Considering the fact that Georgia’s Democratic Party reported the vulnerabilities to security officials before noon on Saturday and Brown contacted Kemp’s counsel about the vulnerabilities at 7:03 PM on Saturday, it appears as if Kemp was only tipped off about the vulnerabilities hours before launching his investigation into those very people who may have helped tip him off.
“That Kemp would turn this around and blame other people for his failures is reflective of his complete failure as Secretary of State,” said Bruce Brown, the attorney for the Coalition for Good Governance.
It is unknown if hackers have accessed the voter database within the state of Georgia, and if they have, what damage may have already been done. With that said, it appears as if Kemp is shifting blame for his own lack of responsibility and security to the party of his opponent, and those who may have helped tip him off about his lack of oversight just days before one of Georgia’s most tightly fought elections in modern history.