Trump, Election Hacking, and the Georgia Governor’s Race

Though not going so far as to say, like Trump, that Russian interference is “all a big hoax,” Georgia’s secretary of state, Brian Kemp, has been a vocal advocate of not taking the whole thing so seriously. Photograph by Michael Holahan / The Augusta Chronicle / AP

After this post was published, Brian Kemp won the primary. He will be the Republican candidate for governor.

Last week, when Donald Trump endorsed Brian Kemp over Casey Cagle in Georgia’s Republican-gubernatorial-primary runoff election—which takes place on Tuesday—it looked like the President was simply choosing the candidate who was running as the self-proclaimed “politically incorrect conservative.” But, in fact, there is very little political distance between Kemp, Georgia’s secretary of state, and Cagle, the lieutenant governor: both are avowed right-wing Christians who extol the blessed trinity of school choice, the elimination of abortion rights, and the primacy of the Second Amendment, and both are vocal supporters of Trump. They are so closely aligned politically that the New York Times called the President’s endorsement “unexpected.” And, though it’s possible that Trump split the difference by focussing on the candidates’ most significant policy disagreement—Kemp is a vociferous critic of the Affordable Care Act, and Cagle wants to expand Medicaid in Georgia—he also happened to endorse a candidate whose views on election hacking and Russian meddling most reflect his own.

This issue of election security became newly relevant for Georgia on July 13th, five days before Trump tweeted his endorsement of Kemp, when Robert Mueller, the special counsel, issued an indictment accusing twelve Russian military-intelligence officers of hacking the computers and e-mail accounts of Hillary Clinton’s campaign staff and Democratic Party operatives during the 2016 election. The indictment also revealed—for the first time—that the Russians had targeted county Web sites in Georgia, looking for election-related vulnerabilities. (The indictment said that the hackers also looked at county Web sites in Iowa and Florida.) In one sense, this was an unremarkable fact: the top cybersecurity official in the Department of Homeland Security, Jeanette Manfra, told Congress in April that Russian hackers had likely targeted every state’s systems in 2016. But, for the past two years, Kemp has been contemptuous of efforts by the D.H.S. to shore up election systems nationally. And, though not going so far as to say that Russian interference is “all a big hoax,” as Trump has, Kemp has been an outspoken advocate of not taking the whole thing so seriously.

In August, 2016, when the scope of the Russian hacking effort was becoming clear to President Obama—and as he and his advisers struggled to find a response that would not undermine the legitimacy of the upcoming elections, or provoke the Russians to do more damage, or appear to confirm Trump’s assertion that the election was rigged—Jeh Johnson, the Secretary of Homeland Security at the time, suggested designating the American election system as “critical infrastructure,” a category that includes bridges and the power grid. This designation would enable D.H.S. to offer cybersecurity support to individual states. And this inflamed Brian Kemp.

Labelling elections as critical infrastructure, Kemp declared, opened the door for the federal government to “subvert the Constitution to achieve the goal of federalizing elections under the guise of security.” Georgia is one of only five states that uses voting machines that create no paper record, and thus cannot be audited, and the Center for American Progress has given it a D grade for election security. But, when D.H.S. offered cybersecurity assistance, Kemp spoke out against it. (Georgia has since accepted some help from D.H.S.)

“It seems like now it’s just the D.C. media and the bureaucrats, because of the D.N.C. getting hacked—they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Kemp said at the time. “And that’s just not—I mean, anything is possible, but it is not probable at all, the way our systems are set up.”

And yet, as it turned out, that was exactly the way the system in Georgia was set up. We know this because, a few days before Kemp blasted the D.H.S. and dismissed the D.N.C. hack, a young security researcher in Georgia named Logan Lamb began poking around the Web site of Kennesaw State University’s Center for Election Systems, looking for vulnerabilities. The Center was under contract with the Georgia secretary of state’s office—Kemp’s office—to program and test all the voting machines in the state, train state election workers, and distribute the state’s electronic voter-registration database to the counties. With the entire state election system housed in one place, the Center was a high-value, potentially vulnerable target. Lamb, who worked for an Internet-security company called Bastille, wanted to find out how vulnerable.

On the Center’s Web site, Lamb quickly discovered a trove of unsecured files—fifteen gigabytes’ worth. Among the files were lists of passwords that would allow election workers to sign into a central server on Election Day, and the systems that prepared ballots and tabulated votes. He also found software for the state’s “poll books,” electronic databases that are often used to verify people’s eligibility to vote, as well as a security hole through which he could download the entire database of the state’s 6.7 million registered voters. The files had been publicly exposed for so long that they were cached on Google. He also saw that the Center had failed to fix a well-known glitch in its content-management system through which hackers could take control of the site. A patch for this issue had been publicly available for two years.

Having discovered all of this, Lamb alerted the Center’s executive director, Merle King, first by e-mail, and then by phone. According to a subsequent legal filing, King warned Lamb to keep quiet about the compromised server or risk being “crushed” by the politicians “downtown.” King also told Lamb that “the issues would be remediated.” Satisfied that he had done due diligence, Lamb walked away—temporarily. In February, 2017, he and another researcher, Chris Grayson, reinvestigated the case, and found that all the files Lamb had stumbled upon six months earlier still hadn’t been secured. And this time they also found information from the 2016 election and a training video that showed election workers how to download files from the Election Center Web site, put them on a memory card, and insert that card into their local voting machines. This is the same series of steps that would enable a hacker to install malware on a voting machine that is not connected to the Internet.

If Kemp did not know in August, 2016, that his state’s centralized, unauditable election system was vulnerable to hacking, and if he wasn’t aware from Lamb’s investigation that it was riddled with holes, any one of which could compromise an election, he certainly knew by March, 2017, when Lamb’s findings were made public. Georgia was three months away from the runoff in a special election to replace Congressman Tom Price, who had joined the Trump Administration as the Secretary of Health and Human Services. Grayson notified a professor at Kennesaw State, and the F.B.I. was called in—not to look into the state’s election system but to determine whether Lamb and Grayson had broken the law. (They hadn’t.) The F.B.I. then undertook a cursory investigation to see if anyone besides Lamb and Grayson had gained access to the system prior to the Presidential election.

It took F.B.I. investigators less than a month to determine that no other unauthorized persons had accessed the Center for Election Systems’ servers. This got the attention of more than a dozen computer-security researchers from, among other institutions, Yale, Stanford, M.I.T., Berkeley, Brown, and the Lawrence Livermore National Laboratory. In a letter written to Kemp on May 24, 2017, they pointed out that “a truly comprehensive, thorough and meaningful forensic computer security investigation likely would not be completed in just a few weeks, and it could take many months to know the extent of all vulnerabilities at KSU, if any have been exploited and if those exploits extended to the voting systems. Time and again cyber breaches are found to have been far more extensive than initially reported.” Then they asked Kemp to replace Georgia’s paperless voting machines with paper ballots and to implement post-election audits before the special election.

That didn’t happen. That election, between the Republican Karen Handel, Kemp’s predecessor as secretary of state, and the Democrat Jon Ossoff, a political newcomer, was widely considered a referendum on Trump himself. It went ahead, on June 20th, using the existing machines. Handel won by nine thousand two hundred and eighty-two votes. It was a big win for the Republicans, and a big win for the President.

This is where the story loops back, again, to Trump’s choice of Kemp in the gubernatorial race. A few weeks after the special election, a group called the Coalition for Good Governance sued Kemp and other state officials for failing to insure a fair election, free from interference. They asked, among other things, that the court invalidate the special election. (Handel took her seat in Congress the week after the election.)

The suit was filed on July 3rd. Four days later, the servers at the Center for Election Systems were wiped clean. On August 9th, less than twenty-four hours after the case was moved to the U.S. District Court for the Northern District of Georgia, all the data on the Center’s backup servers were destroyed as well. As the Coalition said in a brief, “The State of Georgia and its officials have the legal, moral, and ethical obligation to secure the State’s electoral system. Sadly—and inexplicably—they appear to lack the will to do so.” The Coalition is now looking ahead to the November midterms, and it is asking the court, yet again, to require Georgia to replace its aging, paperless, massively insecure voting machines before then. In one recent motion, the defendants asked the court to dismiss the case on the grounds that the alleged injury—the possibility that votes will be compromised—is speculative. But that gets to the heart of the matter: maybe they will be, and maybe they won’t be, and no one will know for sure. In a system with absolutely no accountability, claiming that votes were not changed and outcomes were not affected is just as credible as saying that they were.

It is not clear yet if the information in the Mueller indictments will influence the disposition of the case against Kemp and his cohort. On July 17th, the day before Trump endorsed Kemp, Common Cause, the National Election Defense Coalition, and Protect Democracy filed an amicus brief on behalf of the Coalition for Good Governance. In it, they wrote that “the facts have fundamentally changed since the 2016 election. Risks that may have seemed hypothetical in the past are now very real. And there can be no question that the miscounting or diluting of Plaintiffs’ votes – resulting from cyberattacks, software bugs, or other errors – will constitute grave irreparable harm.”

For almost two years now, the American public has been told that, despite the various incursions by Russian agents, our election system—because it is decentralized, because it is a patchwork of different kinds of makes and models of voting machines—is likely insulated from the kind of hacking that results in votes being manipulated. This has been Brian Kemp’s argument. But, as the experience of his own state demonstrates, it’s flat-out wrong.

An earlier version of this article misstated the amount of cybersecurity assistance Georgia accepted from the Department of Homeland Security.