Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached. But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.
The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country.
“I am sure that you are aware that these are opportunities for malicious users to gather account credentials,” William Moore, a cybersecurity official on a Kennesaw State University team tasked with running Georgia’s election system, wrote to a colleague in October.
Officials at Kennesaw’s Center for Election Systems were struggling to respond to the report of a cyber watchdog who nosed around the system to test its defenses two months earlier and wound up gaining access to a colossal, 15-gigabyte store of confidential material, including voter data and passwords to the system.
The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections. “I think these emails reveal that they recognized this system was catastrophically insecure,” said Robert McGuire, a Seattle lawyer representing citizen activists in a lawsuit that seeks to force Georgia to scrap its paperless electronic voting machines this fall and shift to paper ballots.
Secretary of State Brian Kemp, whose office oversees the state’s elections, says he was unaware of the system vulnerabilities at the time. Kemp, the Republican nominee for governor in this fall’s election, still maintains Georgia’s system is secure.
However, Kemp has created a commission with members of both parties to examine how to replace the state’s voting system in time for the 2020 election.
McGuire said cyber experts refer to the breach of the center’s Drupal servers as “Drupalmageddon,” a condition that “would let a malicious person take over as administrator of that server, like you had the root password.”