Release: Monday, March 13, 2017
Georgia Democrats Demand Action & Transparency from SoS Brian Kemp Regarding Elections System Data Breach
Atlanta, GA – Today, leaders at the Democratic Party sent a letter to the Georgia Secretary of State, Brian Kemp, demanding that he partake in the election security measures provided by the Department of Homeland Security prior to the upcoming election in the 6th Congressional District. This effort was precipitated by the news that Georgia’s Election System has been breached as recently as the last month and the action necessitated the involvement of the FBI and the U.S. Attorney’s office.
The Department of Homeland Security urgently warned states during the 2016 election that such attacks might— and later did— occur. The Department offered a series of proactive security measures at no cost to the states to ensure that the election systems in each of the state were uncorrupted. Brian Kemp represented only a handful of states that refused the assistance.
Over the past week, leaders at the DPG have consulted with leading legal authorities about their concerns about the security of the elections in Georgia— particularly because the Special Election in the 6th Congressional District has garnered intense national attention.
“The voters of the 6th Congressional District— regardless of Party affiliation— deserve to know that their personal information is intact and that the election they are about to participate in is secure and that it will be conducted accurately,” said Chairman DuBose Porter.
The Democratic Party and its team of Voter Protection lawyers are making this request today so that the Department of Homeland Security, as an impartial third party, can conduct their security measures prior to the start of Early Vote on March 27th. Absent the scrutiny from the agency, the Party is asking that the election be conducted on paper ballot as those ballots have already been created and printed for absentee and overseas voters and the counties already have the proper scanning machines needed to count the ballots.
The letter sent to the Secretary of State’s Office— and CCed widely to other state leaders— can be found at this link. Below and at this link is a timeline of events that led the Democratic Party to take this action.
Georgia Elections Cybersecurity Timeline
August 15, 2016 – Dept. of Homeland Security hosted a phone call with members of the National Association of Secretaries of State (NASS) and other Chief Election Officials to discuss the cybersecurity of the election infrastructure. Secretary Johnson offered the assistance of the Department’s National Cybersecurity and Communications Integration Center (NCCIC) to conduct vulnerability scans, provide actionable information, and access to other tools and resources for improving cybersecurity. – DHS.Gov
Media reports relay that “Georgia Secretary of State Brian Kemp was very vocal in the telephone call in telling Johnson the states don’t need any help from the federal government.”
August 18, 2016 – The Federal Bureau of Investigation issues a cyber bulletin headlined Targeting Activity Against State Board of Election Systems. The bulletin stated they “received information of an additional IP address, 126.96.36.199, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 188.8.131.52 used in the aforementioned compromise.” – Yahoo News
August 25, 2016 – Georgia SoS Brian Kemp tells Nextgov it the Office of SoS will rely on its own security crew to maintain the integrity of voter data, stating in a written email “The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security…Designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States.” – Nextgov / The Hill
September 16, 2016 – DHS Secretary Johnson states “We have also seen some efforts at cyber intrusions of voter registration data maintained in state election systems.” DHS also announces services available to state election officials to assist in their cybersecurity. Some of the services included:
Cyber hygiene scans on Internet-facing systems, Field-based cybersecurity advisors and protective security advisors, Risk and vulnerability assessments, a 24×7 cyber incident response center, and information sharing through the Multi-State Information Sharing and Analysis Center. – DHS
September 28, 2016 – Brian Kemp testifies before the House Oversight Committee’s Subcommittee on Information Technology. In his prepared remarks, Kemp says “It is not the time for inexperienced federal agencies to guess at changes that should be made.”
When asked by Congresswoman Robin Kelly what Congress could do to help secretaries of state, Kemp says “I would encourage Congress to let the states be flexible in what systems they’re using. I think there’s great value in that.” – US House Committee on Oversight and Government Reform
October 7, 2016 – DHS and the Office of the Director of National Intelligence warn they are “confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”
They also announce “some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company.”
Again, DHS “continues to urge state and local election officials to be vigilant and seek cybersecurity assistance from DHS. A number of states have already done so.” – DHS
October 10, 2016 – DHS urges holdout states like Georgia to join 33 states and 11 county or local election agencies to take advantage of election cybersecurity services. – DHS
October 31, 2016 – By this date, 46 states had accepted DHS’s offer to scan their elections systems. Georgia remained one of four that still declined DHS assistance. – CNN
November 4, 2016 – DHS says they are “very concerned” by the possibility of a cybersecurity incident causing confusion on Election Day. – CNN
March 2, 2017 – Kennesaw State University notifies state officials of a data breach in at their Center for Election Systems. – AJC
March 3, 2017 – The Federal Bureau of Investigation opens an investigation in to the KSU breach. Reports state that as many as 7.5 million voter records were involved, also noting that the latest breach would be the “second time in as many years” Georgia voters have had their personal information compromised.
Governor Nathan Deal’s office says it asked the GBI to contact the FBI after learning of the breach.
Brian Kemp says very little, except that his office reached out to law enforcement upon learning of the incident.
KSU issues a statement that afternoon, stating they were “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems.” – AJC
March 13, 2017 – Democratic Party of Georgia Chair DuBose Porter sends formal letter of request to Brian Kemp demanding he contact DHS immediately and accept their repeated offer to scan Georgia’s elections infrastructure, make public the extent of the latest breach, identify a process for assuring the security of all aspects of Georgia’s voting systems, and a request for a paper ballot process in the special election in the 6th Congressional District if Kemp is unable to assure a fair and accurate election.
Previously, the Office of the Secretary of State exposed the personal information and social security numbers of more than six million Georgia voters. – AJC
The two breaches in the span in two years have been a pattern of mismanagement and disarray at the Office of the Secretary of State under Brian Kemp’s leadership. – GeorgiaVRA.org