Who Will Watch the Election Watcher in the Georgia Governor’s Race?

(Bloomberg Businessweek) -- When not in use, each of Georgia’s 27,000 ballot-casting machines collapses to the size of a suitcase. For elections they unfold, storklike, onto spindly legs, with wings to shield their electronic screens. There’s a flaw in their engineering, though. The digital memory cards that record votes produce no independent paper trail that can be audited. A citizen can’t verify that the equipment has accurately recorded her vote.

Computer scientists have been demonstrating disastrous security issues in these kinds of machines for more than a decade—and Georgia election officials have been aware of the risks since at least 2008. In 2016 it became clear that the threats were neither imaginary nor theoretical and that Georgia’s system was among the most exposed and vulnerable in the country. Meanwhile, the man charged with overseeing the state’s elections for the past eight years has scoffed at cybersecurity concerns.

That would be Brian Kemp, Georgia’s secretary of state, who’s running for governor in November and refuses to step aside, unlike past secretaries of state who’ve become their party’s nominee for a higher office. Ryan Mahoney, a spokesman for the campaign, says no one asked Kemp to resign when he ran for reelection in 2014. Why should he do so now?

The race, in which Kemp faces Democrat Stacey Abrams, a former Georgia House minority leader, epitomizes how the major parties diverge on election threats. Kemp has spent years pursuing alleged voting frauds. But they aren’t Russian. His targets have included activists who helped elect a majority black school board in a rural area and a group—headed by Abrams—that led a large minority registration drive in 2014.

Kemp has remarkably little to show for his efforts; his critics suggest the real point was intimidation. Now he’s a defendant in a suit accusing him and other officials of ignoring the security holes in Georgia’s system and allowing elections to proceed, knowing they aren’t safe from hackers. The plaintiffs, a group of voters and a nonprofit, sought an injunction to force the state to use paper ballots in the midterms. Kemp has demanded the case be thrown out. Judge Amy Totenberg has expressed frustration. “I’m concerned that we’re here at this 11th hour,” she said at a hearing in September. “Why are we just dealing with this now?”

After a last-minute endorsement from Trump, Kemp came out on top in the Republican primary for governor in July, which was described by his main opponent, Lieutenant Governor Casey Cagle, as a battle over who could be craziest. In one ad, Kemp pointed a shotgun at his teenage daughter’s suitor while lecturing him about respect. In another, he vowed to blow up government spending as an explosion took out a piece of his backyard and climbed into a giant pickup to say in an exaggerated drawl, “I got a big truck, just in case I gotta round up criminal illegals and take ’em home myself.”

A former state senator, Kemp was appointed secretary of state in 2010 when Karen Handel stepped down to run for governor. Reelected since, he’s focused on policing who is allowed to vote. The Georgia chapters of the American Civil Liberties Union and the NAACP successfully sued him in 2016 over a system that blocked more than 30,000 voter registrations when details such as a missing initial or stray hyphen didn’t match other public records. Sixty percent of the blocked voters were black, according to Sean Young, legal director for the state ACLU. Under Kemp, Georgia removed 721,202 voters from the rolls from 2012 through 2016 and 668,691 last year. Civil rights groups are threatening to sue over the latest wave of removals, saying they targeted minority voters. Mahoney, the Kemp spokesman, called allegations of voter suppression baseless and says 1 million voters have been added to the rolls. “Thanks to Brian Kemp, it’s easy to vote and hard to cheat in Georgia.”

In 2016, amid evidence of Russian interference, Kemp called an offer by the U.S. Department of Homeland Security to test Georgia’s election cybersecurity an Obama administration attempt “to achieve the goal of federalizing elections under the guise of security.” In testimony to Congress that September, he called out “conspiracy theorists, campaigns, and members of the media” as election threats. He also accused DHS of trying to hack Georgia’s system in 2016. The “hacks” turned out to be routine web searches for gun licenses.

Not long before that, a local cybersecurity researcher had discovered a far more serious threat. In August 2016, Logan Lamb was nosing around the website of the Center for Election Systems at Kennesaw State University (KSU), which had managed large chunks of the state’s voting infrastructure for more than a decade. He says he was hoping to find information about how the center worked, using Google to search for PDF files. Instead, he turned up documents listing tens of thousands of voters, including driver’s license numbers. Lamb found he could tap into the databases used to program voting-machine memory cards and tally, store, and report votes for some counties. “I’m not a nation-state adversary like Russia,” he says. “I’m pretty sure I had the ability to compromise that server, modify that database, and then get the county workers themselves to put that manipulated file on the poll books.”

Lamb immediately contacted Merle King, then the head of the election center, to warn him of the vulnerabilities. King asked him not to publicize what he’d found, saying Lamb would be “crushed” by politicians if he did, according to court filings. But the problems weren’t fixed. In February 2017, Lamb and another researcher looked into the system again and found the same flaws. This time the center alerted the FBI—which investigated the incident as a hack. (It did not find that Lamb had broken the law.)

Kemp and state officials downplayed the episode, saying Lamb hadn’t gained access to core systems. They focused instead on preparations for a House special election. In July came the lawsuit by the nonprofit Coalition for Good Governance and several state residents accusing Kemp and other officials of negligence for allowing the election to be run on a compromised voting system. They asked the court to declare the results void and stop Georgia from using its equipment.

Days after the suit was filed, KSU destroyed the servers Lamb had tapped into. There’s been no accounting of whether anyone at the center or the FBI checked computer logs for malicious hacking. Kemp first expressed outrage but later said the wiping was routine. Last December, though, he ended the state’s relationship with the center. He continues to insist elections are secure but concedes the machines should be replaced by 2020.

As for the lawsuit, Kemp’s response in an August court filing was derisive: “There is no ‘paper ballot fairy’ who, with a magic wand at the ready, can save plaintiffs’ half-baked ‘plans’ from devolving into a fiasco.” But at a hearing on Sept. 12, Judge Totenberg warned that Georgia can’t ignore the problem. “It affects the credibility of the system,” she said.

A few days later, Totenberg handed Kemp a reprieve, ruling it was too late to switch to paper for Nov. 6. But she refused to throw out the case, warning election officials they had “buried their heads in the sand.” Kemp and other defendants have appealed and filed a motion to stay the case during the process. That could stall things well into 2019. Kemp remains ready to certify the results, his own included.

To contact the editor responsible for this story: Howard Chua-Eoan at hchuaeoan@bloomberg.net

©2018 Bloomberg L.P.