First elections, then probes into hacking. Now, the lawsuits over election hacking. A group of Democrat and Republican voters in Georgia is suing the state to overturn its fiercely fought June special election, saying evidence the state’s voter database was exposed to potential hackers for at least eight months invalidates the results. The lawsuit, which went to pre-trial conferences this week, could be a sign of disputes to come as revelations mount about the vulnerability of the U.S. election system and Russian attempts to infiltrate it. “As public attention finally starts to focus on the cybersecurity of election systems, we will see more suits like this one, and eventually, a woke judge will invalidate an election,” said Bruce McConnell, vice president of the EastWest Institute and former Department of Homeland Security deputy undersecretary for cybersecurity during the Obama administration. Plaintiffs argue the disclosure in August 2016 by Logan Lamb, a Georgia-based computer security expert, that much of Georgia’s voting system was inadvertently left out in the open on the Internet without password protection from August 2016 to March 2017 should make the results moot. What’s more, Georgia’s use of what the plaintiffs say are insecure touch-screen voting computers, which they claim don’t comply with Georgia state requirements for security testing, means the election results couldn’t legally be certified, they say.
Georgia: Thousands of voting machines in limbo because of 6th District lawsuit | Atlanta Journal-Constitution
Thousands of voting machines from the hotly contested 6th Congressional District special election are currently off-limits for future use because of a lawsuit seeking to invalidate the results. That worries metro Atlanta officials who say they could be short of spare machines to run municipal elections in November. The suit, filed over the July 4 holiday, demands that Republican Karen Handel’s win in a June 20 runoff be thrown out and the contest redone over concerns some election integrity advocates have about the security and accuracy of Georgia’s election infrastructure. The machines and related hardware are central to that system, and the three metro counties with areas in the 6th District — Cobb, DeKalb and Fulton — have stored the machines used in the special election after plaintiffs sought to preserve electronic records that could have bearing on the suit.
One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be. “It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia. The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a “Voting Machine Village” where attendees can try to hack a number of systems and help catch vulnerabilities. The conference acquired 30 machines for hackers to toy with. Every voting machine in the village was hacked.
In 2006, Princeton computer science professor Edward Felten received an anonymous message offering him a Diebold AccuVote TS, one of the most widely used touch-screen voting machines at the time. Manufacturers like Diebold touted the touch-screens, known as direct-recording electronic (DRE) machines, as secure and more convenient than their paper-based predecessors. Computer experts were skeptical, since any computer can be vulnerable to viruses and malware, but it was hard to get ahold of a touch-screen voting machine to test it. The manufacturers were so secretive about how the technology worked that they often required election officials to sign non-disclosure agreements preventing them from bringing in outside experts who could assess the machines. Felten was intrigued enough that he sent his 25-year-old computer science graduate student, Alex Halderman, on a mission to retrieve the AccuVote TS from a trenchcoat-clad man in an alleyway near New York’s Times Square. Felten’s team then spent the summer working in secrecy in an unmarked room in the basement of a building to reverse-engineer the machine. In September 2006, they published a research paper and an accompanying video detailing how they could spread malicious code to the AccuVote TS to change the record of the votes to produce whatever outcome the code writers desired. And the code could spread from one machine to another like a virus.
Georgia’s top elections official stood out by refusing help from the Department of Homeland Security last August amid national concerns about the integrity of U.S. elections. Republican Secretary of State Brian Kemp called it an attempted federal takeover and insisted his office was already protecting Georgia’s vote from hackers. That stance earned him national media coverage ahead of his campaign for governor. But Kemp’s assurances threatened to become a liability after new details emerged last month about major security mistakes at the center managing Georgia’s election technology. It turns out that the contractor left critical data wide open for months on the internet, and that for the second time under Kemp’s tenure, the personal information of every Georgia voter was exposed. With his critics demanding accountability, Kemp announced Friday that he plans to bring the center’s operations in-house within a year. His brief statement made no mention of the security flaws, saying “the ever-changing landscape of technology demands that we change with it.”
“I worry that what we have here in Georgia is the Titanic Effect,” Georgia Tech Computer Scientist Richard DeMillo observed, regarding the myriad security issues revealed during the course of last month’s U.S. House Special Election in Georgia’s 6th Congressional District. “Georgia officials are convinced the state’s election system cannot be breached. Shades of the ‘unsinkable ship’. They have neglected to give us life boats…a fail-safe system designed so that in case of a catastrophe Georgia voters can easily verify that reported vote totals match voter intent. It is the sort of common-sense approach that first-year engineering students learn. Other states have that capability. Inexplicably, Georgia does not,” DeMillo said in a statement quoted in support of a legal challenge filed contesting the 100% unverifiable results of the June 20 contest. The computer scientist’s concerns are hardly the first expressed about Georgia’s absurd voting system. In fact, they cap well over a decade of chilling revelations, shocking vulnerabilities and dire warnings issued from the community of experts who have examined the Peach State’s voting system, including a number of those who installed it in the first place back in 2002.
Georgia: State to shift elections work in-house, away from Kennesaw State | Atlanta Journal Constitution
Georgia, for the first time in more than a decade, has decided to move all its elections work in-house after a series of security lapses forced it to step away from its longtime relationship with the beleaguered elections center at Kennesaw State University. The Georgia Secretary of State’s Office and university officials both confirmed to The Atlanta Journal-Constitution that the two entities have signed a final contract good through June 2018. For the first time, however, it includes a provision for either party to terminate it midstream. That’s because the office over the next year will build its own team to run Georgia’s elections — work the KSU center has done for the past 15 years. ”Today my office and Kennesaw State University executed what will be the final contract between our two entities related to the Center for Election Systems,” Secretary of State Brian Kemp said in a statement to the AJC. “The ever-changing landscape of technology demands that we change with it.
Voting being the essential democratic function that it is, the Glynn County Board of Elections is charged with keeping the county’s voting machines running and in good condition. That task has become more difficult this year. The board voted Tuesday to buy five used voting machines from San Diego County, Calif., to use as backups. The machines board members chose to buy have only been used once and can be had at a savings. However, they did not have the option to buy new machines. No county in Georgia does. Glynn County Board of Elections Supervisor Tina Edwards said the board was prompted to buy the machines because the newer models are no longer being sold by the manufacturer, Electronic Systems and Software. San Diego County is the only source of the machines that she is aware of at the moment. The company has no plans to stock more in the near future, leaving Georgia counties with no choice but to buy machines secondhand or from third parties, Edwards said.
The call to overhaul Georgia’s 15-year-old voting system is getting bipartisan support. State lawmakers on both sides of the aisle have proposed on social media to work together on an update. The problem isn’t a new one. Georgia’s voting machines leave no paper trail — that means there’s no way to confirm that what someone voted for is what gets recorded. Democratic state Rep. Scott Holcomb, who represents District 81, said what’s different about this moment is the national conversation about cybersecurity. “Part of Russian foreign policy — this is really simple, it’s not complicated — they purposely involve themselves in manipulating the elections in Western democracies,” Holcomb said. He said ensuring the public’s belief in the accuracy of Georgia’s voting system is especially important in a time when hacking headlines are a daily occurrence.
Karen Handel’s win in the hotly contested 6th Congressional District special election should be thrown out and the contest redone, according to a new lawsuit seeking to ultimately invalidate Georgia’s aging electronic voting system. The suit, filed in Fulton County Superior Court, is the second pursued in less than two months by a Colorado-based group over the security of Georgia’s election infrastructure. The suit says those concerns include private cybersecurity researcher Logan Lamb’s finding last year that a misconfigured server at Kennesaw State University’s Center for Election Systems — which has helped run Georgia’s elections for the past 15 years — exposed more than 6.5 million voter records and other sensitive information that opponents said could be used to alter results. The same records were accessed a second time earlier this year by another security researcher. The FBI investigated both Lamb’s and the second researcher’s probing but did not file charges, saying neither of the two had broken federal law.