State of Georgia Election System Feared at Risk in 2020 Vote

(Bloomberg) -- The state of Georgia’s new voting system may be at risk of a cyber-attack leading up to the 2020 election because the state failed to eradicate malware that exposed sensitive data six years ago, a cybersecurity expert said as part of a lawsuit against the state.

A server central to Georgia’s election system was infiltrated and taken over by a hacker in 2014, according to Logan Lamb, a cybersecurity expert who is part of a lawsuit between voting integrity advocates and the state over the election system. The server was wiped and taken offline in 2017, but the contract between Georgia and its new vendor, Dominion Voting Systems, indicates old data was “imported” into the new system.

That old data could carry remnants of the “Shellshock” malware used to attack the state in 2014, according to filings in the lawsuit. Shellshock allowed unauthorized users to access sensitive layers of a network.

“Because this compromised server is inextricably connected to Georgia’s voting systems past and present, it is unreasonable to assume that the new election system ... is not already potentially compromised,” according to documents filed Thursday by the nonprofit Coalition for Good Governance. The group has filed its suit to block the state from destroying their old voting system records. The Associated Press reported earlier on the filings.

Dominion rejected the claim that Georgia’s new elections system has been compromised. The company has “attested to the fact that we have not imported any data from the prior system,” said Kay Stimson, vice president of government affairs for the Toronto-based company. “All voting equipment goes through logic and accuracy testing before every election.”

Attorneys for Georgia Secretary of State Brian Raffensperger, in what they called a “limited” reply brief, said Lamb hadn’t ruled out the possibility that something other than hacking could have created the evidence he found, and that additional forensic investigation is needed. The secretary of state’s office didn’t respond Thursday to a request for comment.

The security of voting systems across the U.S. has been a focus of attention since federal authorities reported that Russian hackers attempted in 2016 to infiltrate election systems in most states and downloaded voter data in Illinois. Georgia remains one of the most hotly contested jurisdictions for election security advocates demanding transparency in the voting process.

In 2002, it became the first state to deploy paperless voting machines with no auditing trail. In 2016, Secretary of State Brian Kemp, now governor, refused the assistance of the U.S. Department of Homeland Security to secure Georgia’s voting systems, while cybersecurity experts branded their machines among the most vulnerable in the country.

The state replaced those machines for the 2020 vote, spending about $150 million on “ballot-marking devices” that experts argue are equally flawed.

The dispute dates to August 2016 when Lamb discovered the earlier vulnerabilities through a website hosted on the server that acted as a hub for the election system. That server was left unattended on the internet amid warnings from the federal government, until it was wiped and taken offline in March 2017.

The FBI created a forensic image of the server and its logs should explain when it was attacked and how its data was altered, but those logs only date back to Nov. 10, 2016, two days after Donald Trump won the presidency, according to the lawsuit. Election files were also deleted just before the server was taken offline, according to Lamb’s declaration in the lawsuit.

“The missing logs could be vital to determining if the server was illegally accessed before the election, and I can think of no legitimate reason why records from that critical period of time should have been deleted,” according to the declaration from Lamb, formerly affiliated with the cyber unit at Oak Ridge National Lab and now a security engineer for scooter startup Bird Rides Inc.

Lamb didn’t immediately respond to an email seeking comment on his declaration.

©2020 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.