He had one job.
Brian Kemp, Georgia’s Republican nominee for governor, is terrible at his job. As Georgia’s secretary of state, he “coordinates and monitors all election activity: this includes voter registration; municipal, state, county, and federal elections; campaign finance disclosure for state and federal candidates and political action committees; and certification of election results.” Arguably, the most important aspect of Kemp’s job is making sure every eligible voter in Georgia has the opportunity to exercise his or her right to vote.
News outlets across the country, including this one, have reported on Kemp’s repeated attempts to disenfranchise Georgia voters. He has purged voters from the rolls, tossed out absentee ballots, closed polls in areas with large minority populations and asked voters for proof of citizenship. At every turn, his actions have been deemed illegal or untenable by courts, but he has shown no signs of slowing down.
However, Kemp’s biggest professional failure is less widely reported. Remember the part in Kemp’s job description that says he “monitors all election activity?” The other part of Kemp’s job as Georgia’s election chief is ensuring that Georgia’s election systems are secure and tamper-proof.
Not only has Kemp been derelict in his duty on this front, but new revelations show that he might be overseeing one of the most vulnerable election systems in America. Even worse, every time citizens have attempted to inform him of the weaknesses in Georgia’s election systems, he has rebuffed their advice and attacked the messenger.
In a series of interviews over the course of nearly three months, The Root has spoken with the country’s leading cybersecurity experts, advocates and plaintiffs in court cases against Kemp.
They unanimously agree that Brian Kemp is either terrible at keeping Georgia’s elections safe or he is intentionally making them easy to rig. Because these are the only logical conclusions, voters in Georgia are left with only one hope.
We should all pray that Brian Kemp is inept.
On Sunday, Brian Kemp issued a statement on the Georgia secretary of state’s website announcing that he was investigating the Democratic Party of Georgia.
“We opened an investigation into the Democratic Party of Georgia after receiving information from our legal team about failed efforts to breach the online voter registration system and My Voter Page,” the statement said, adding: “We are working with our private sector vendors and investigators to review data logs.”
But the story behind the supposed investigation is a fascinating look into Kemp’s failure as secretary of state.
To fully understand the crisis in Georgia, one must first know the name Logan Lamb. According to Politico, in August 2016, Lamb, a 29-year-old cybersecurity researcher, heard reports from the FBI that hackers had probed voter-registration databases in more than a dozen states.
Lamb discovered that Kemp’s office had issued a contract that put Georgia’s entire electronic systems on a single server at Kennesaw State University. Logan found it incredibly easy to get onto the server, so he wrote an automated script to see just what Kemp’s office had stored on the server. Lamb went to lunch and when he came back, he checked to see what the script had downloaded.
Lamb had the database containing the registration for every voter in Georgia. He had downloaded the instructions and passwords that election officials used to sign onto the central server on Election Day. He also appeared to have stumbled across the databases for the so-called GEMS servers.
“These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals,” Politico reports.
“I was like whoa, whoa. … I did not mean to do that,” Lamb told Politico. “I was just looking for PDFs or documents.”
Eventually, Lamb shared his information with a number of organizations, including the Coalition for Good Governance, a nonprofit focused on First Amendment rights, elections, government transparency and accountability. The main goal was to make sure that these vulnerabilities were addressed and to make Georgia elections more secure. But when they shared their information with Kemp, who was in charge of fixing the issues, the FBI immediately opened an investigation ...
Into Logan Lamb.
So, on June 3, 2017, the Coalition for Good Governance and other parties filed a lawsuit against Kemp and other Georgia entities on behalf of five Georgia voters. One of the most important goals of the lawsuit was to examine the data on the servers to see if they had been tampered with.
On June 7, according to court documents in the case, Curling v. Kemp, someone wiped the state’s election server clean.
Then they wiped the backup server.
“The people in charge of securing elections refuse to examine the data, which leads to speculation and distrust,” said Richard DeMillo, who spoke to The Root in August.
DeMillo, the distinguished professor of computing at Georgia Tech University and one of the most respected election-systems experts in the world, explained: “The reason for the wild speculations is because the people responsible for analyzing the data aren’t interested in doing so.”
Which brings us to 2018.
As with many states, Georgia residents have the ability to check the status of their registration by logging on to the secretary of state’s website. In Georgia, the page is called the “My Voter Page” (MVP), which is run by PCC Technologies Inc., a technology firm that handles voter registrations in 15 states according to PCC’s website.
In late October, a Georgia voter, described as someone with a “background in software,” logged on to MVP to check his voter information and discovered a vulnerability that allowed users to access other voters’ information. The voter realized there was a massive fault on the My Voter Page that could allow someone to individually change voter registrations.
Two cybersecurity experts told The Root that an individual with rudimentary technical abilities could easily use the flaw to write a script that could search for registered Democrats by zip code and change their voter registrations, addresses or names, making them eligible to be purged or invalid when they went to the polls.
After notifying a friend, who was a plaintiff in Curling v. Kemp, at 10:40 a.m. on Saturday, according to emails obtained by The Root, the voter contacted Democratic Party volunteer Rachel Small, via email, writing:
Nate asked me to provide you with details on the issues that I’ve discovered, and I believe he spoke to you about.
I’ve attached a Postman file which shows details on the two issues I’ve discovered. The first issue is with the My Voter Page site. It has a URL to download sample ballots and poll cards; however, the URL allows you to download any file on the system. The second issue is with the online voter registration. On that site... [REDACTED] you can download anyone’s data and that includes lots of PII (i.e., driver’s license and last 4 of SSN).
Feel free to call me at [REDACTED] if you have questions.
Small put him in touch with Sara Tindall Ghazal, the voter-protection director for the Democratic Party of Georgia. Ghazal reached out to the Coalition for Good Governance, who then contacted a list of experts asking them to verify the issue, warning of a “massive vulnerability,” according to Marilyn Marks, the executive director for the Coalition for Good Governance, and WhoWhatWhy, who first covered the issue.
“All of [the computer experts] were hesitant to exploit the weakness,” Marks told The Root on Monday. “Because of the legal implications, they didn’t go any further, even though they could see it superficially. At that point [Saturday night], we contacted the secretary of state’s attorneys and got back a terse response saying ‘message received.’
“What we later learned is that the other plaintiffs had already acted,” said Marks. “And they had informed the secretary on Saturday morning. So, by the time they got our warning, they had already known for at least a half a day, possibly longer.
“So one question is: Why does the website still have these vulnerabilities? And that is the story that nobody’s looking at,” she explained. “We reported that the door was open, and 24 or 48 hours later, the door’s still open!”
To determine if Brian Kemp and PCC could have fixed the issue in 24 hours, The Root turned to one of the experts contacted by the CGG and the Democratic Party of Georgia, Matt Bernhard. Bernhard is a Ph.D. candidate at the University of Michigan’s Center for Computer Security and Society and serves as the technical expert in Curling v. Kemp.
Bernhard said any computer expert could have fixed the issue in a half a day.
“It absolutely should have been fixed by now,” Bernhard told The Root. “There’s absolutely no excuse why it hasn’t been fixed by now. I don’t know the full back end of their system but I can’t imagine that it would take you half a day. This is the kind of vulnerability that, when we’re teaching computer security, is level one.
“It’s unreasonable that this vulnerability exists,” he added. “It shows a real lack of security engineering and testing and certification. It would be like a car manufacturer forgot to put seatbelts in a car. I’m baffled at how this slipped through the cracks.”
So what did Brian Kemp do when alerted to this problem?
He called the police ...
On the Democrats.
On Saturday evening, after they were informed of a hole that could potentially affect the security of Tuesday’s election, Georgia’s secretary of state office blamed the Democratic Party and issued the following announcement:
After a failed attempt to hack the state’s voter registration system, the Secretary of State’s office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.
He later issued another statement on Sunday calling for an investigation of the Democratic Party of Georgia by the feds.
When asked to explain, in layman’s terms, the potential harm that Georgia voters faced, Bernhard said: “It means that anyone who had [a voter’s personal information] could find and alter any other voter-registration record in the state of Georgia, which means they could potentially disenfranchise Georgia voters en masse ... It would be like if the key you had to your safe deposit box was given to everyone.”
Even worse, it is not clear if PCC Technologies was even aware of the issue or if they could actually tell if voter registrations were ever changed.
“Based on the level of engineering I’ve seen on the front end, I would bet money that PCC can’t tell themselves ... It’s really astounding,” Bernhard explained.
“This is the problem with all of Georgia’s voting systems. There’s no way to know what’s going on. The state can’t even tell you, with any measure of confidence, that the voting machines aren’t hacked or the voter rolls weren’t hacked. It’s a complete black box and no one knows what’s going on.”
Bernhard did say that the lack of security isn’t necessarily a sign that Kemp intentionally left the door open.
“It’s an example of Hanlon’s razor,” Bernhard said. “Never ascribe to malice what could easily be ascribed to stupidity. If you were evil, I don’t know why you would let this vulnerability stick around, because it just makes you look evil.
“The state of Georgia is really bad at running elections,” he continued. “It doesn’t mean that they aren’t recording votes. It doesn’t mean that they aren’t maintaining voter registration.”
In a statement, the Democratic Party of Georgia said:
This is yet another example of abuse of power by an unethical Secretary of State. To be very clear, Brian Kemp’s scurrilous claims are 100 percent false, and this so-called investigation was unknown to the Democratic Party of Georgia until a campaign operative in Kemp’s official office released a statement this morning. This political stunt from Kemp just days before the election is yet another example of why he cannot be trusted and should not be overseeing an election in which he is also a candidate for governor. It is also a fact that Brian Kemp is the last person who can be trusted on cyber security given his record of leaking the personal information and social security numbers of six million Georgians. 11th hour, cynical ploys come as no surprise from Brian Kemp, a man who raided the offices of organizations who register people to vote and had a woman arrested for helping her blind father cast his ballot. Brian Kemp is desperate to save his failing campaign, and it’s likely we’ll see even more of his abuses of power as the election nears, but Georgians will keep working hard, knocking on doors, making phone calls, and voting to make sure he doesn’t get a promotion.
“Instead of going to Lamb; instead of going to the Democratic Party and saying ‘Thank you for telling us about this. What else did you see while you were in there?’ their response was kind of a third-world, banana republic response,” said Marks. “Their response was to throw out crazy allegations. Their response was to investigate the opponent.”
Both Bernhard and Marks said that every Georgia voter should be aware of this problem when they go to the polls. One way to combat it, Bernhard said, is for voters to diligently check their status on the My Voter Page.
“If I’m a Georgia voter, the first thing I would do every day is [to] log on to the system and make sure my voter-registration information was the same before I go vote,” he said. “Then I would print it out and take it to the polls when I voted.
“Beyond that, there’s no reason to have confidence in [the Georgia election system] at all. Even if the page tells you you’re registered to vote, it could be that you’re not ... I personally wouldn’t have any faith in it. However, with that being said, I wouldn’t let that discourage me from going to vote.
“Time and time again, we’ve seen that [Kemp] has refused to take advice from security experts, to fix obvious problems in the system,” Bernhard said.
“If I was a Georgia voter I’d be mad as hell about this.”
On Tuesday, the state of Georgia will elect its next governor. In order for Kemp’s opponent, Stacey Abrams, to emerge victorious, she will not only have to get more votes than Kemp, she will have to defeat the man who verifies the voter registrations. She will have to beat the man in charge of the voting machines. She has to overcome the man responsible for the software that tabulates the votes. She must also best the man responsible for certifying the election.
She must knock out her opponent and the referee.
And Brian Kemp, the secretary of state in Georgia and the Republican nominee for governor, only had one job.
As of Monday morning, Brian Kemp still had not done it.