Experts are voicing their concern about Georgia's election security practices and whether they will prove effective against myriad threats during the high-profile 2020 presidential race.
In 2016, a vulnerability was discovered in Georgia's election system that exposed the information of some 6.7 million voters and would've given a hacker the ability to manipulate or delete any information within voting machines across the state, according to people familiar with the discovery.
While the state has since taken steps to patch the holes, activists are still concerned that the state's subpar election security practices will endanger the results of the 2020 presidential race.
Marilyn Marks, executive director of the advocacy group Coalition for Good Governance, said that while Georgia has corrected some mistakes, it still hasn't addressed its fundamental weaknesses. The group, which is currently engaged in one of several election-related lawsuits against the state, released a statement this week alleging that the state's presidential primary was "at risk of failure."
With a highly contentious election looming and heightened concerns about foreign interference, the question remains: has Georgia done what it takes to protect voters and the democratic process?
The state's 2016 breach was discovered by Logan Lamb, a 29-year-old security researcher who stumbled upon the vulnerability while doing a cursory search of the state's election center website.
At the time, Georgia's elections were handled by the Center for Election Systems, an office out of Kennesaw State University that reported to the Secretary of State's office. The center was in charge of programming and testing voting machines for the entire state.
Having just moved to Georgia to work for a security firm, Lamb, who had previously studied computer engineering and was employed for a time by Oak Ridge National Laboratory, said it didn't take long to discover a glaring issue on the KSU site: thousands of files, openly available, that could be scraped and used to hack into voting machines and manipulate elections.
"I started perusing the website a little bit and quickly discovered it looked like they had an open directory structure on the website," Lamb said, speaking with Government Technology.
Lamb threw together a shell script, a program to download all openly available data on the website. In no time, the program had downloaded some 15 gigabytes, including sensitive information like election day supervisor passwords and comprehensive voter registration information like names, birthdays, addresses, and social security numbers. According to Lamb, the center's server had been misconfigured so that the files could be accessed without going through the password-protected firewall.
Furthermore, Lamb said, there was a vulnerability in the server's content management software that would've allowed hackers to easily commandeer and manipulate the information inside of it.
"It had everything that someone would need to control all of Georgia's elections," said Marks, explaining what Lamb had told her.
Out of concern for the state's election integrity, Lamb reached out to officials to try to warn them about these weaknesses. He was met by a combination of hostility and indifference, by his account. "To put it succinctly, I just don't think security was a priority [for them]," he said.
Lamb's discovery was less revelatory than affirming for critics of the state's election system, who during the state's 2018 elections pointed to the ways in which the aging voting infrastructure had led to claims of voter fraud and suppression.
According to Lamb, it took the state months to acknowledge some of the issues that he had pointed out. Since then, KSU lost the contract to manage the state's elections and the Center for Election Systems has been retired. Elections are now run exclusively out of the Secretary of State's office. The Secretary of State's office could not be reached for comment for this story.
Georgia has also since replaced its voting machinery. The state previously used aging touchscreen voter kiosks, also known as direct-recording electronic (DRE) machines, for its elections, which left no auditable paper trail, and which security researchers characterize as an open door for hackers. In 2019, a federal judge ruled the system unconstitutional and ordered that it be disposed of by the end of the year. The state did so, kicking off a massive, high-speed process to replace the outdated voting system.
For activists and researchers, this seemed like an opportunity to invest in a low-cost, hand-marked paper ballot system.
However, instead of going that route, the state opted to purchase another set of touchscreen machines, albeit ones with a paper ballot component. Spending $107 million, the state hired vendor Dominion Voting Systems to apply a kind of hybrid approach that includes touchscreens and paper — machines with a voter verifiable paper audit trail (VVPAT). Now, instead of paperless machines, Georgia voters will select their choices on a kiosk, which will then print their choices on a paper ballot; voters must then confirm their choices on another machine. The last of these new machines were just recently shipped into the state.
“Elections security is my top priority,” said Secretary of State Brad Raffensperger, upon announcement of the new system. “We look forward to working with national and local elections security experts to institute best practices and continue to safeguard all aspects of physical and cybersecurity in an ever-changing threat environment.”
However, to activists like Marks, this new approach seems like an overly complicated process, one unnecessarily populated by machines that could be hacked or suffer some other malfunction. "This new system is just as vulnerable as the old one," said Marks. "They could've purchased a system that was much more secure and cost a third as much."
If Georgia has been imperfect in trying to update and secure its voting infrastructure, it's not alone. At least six states currently still exclusively use DREs in certain communities, leaving no auditable paper trail. Additionally, numerous reports have emerged — including a recent one from MIT — that show vulnerabilities in state systems.
"Hand-marked paper ballots with audits would solve many of the security issues we are dealing with," Marks said. "If you have a system that is resilient with good, secure chain of custody, then even if bad guys get inside the systems it can't be [totally] compromised."
Elizabeth Howard, an election security specialist with the Brennan Center, largely agrees with this assessment, but said that there is no easy formula for success, and that election officials must continually weigh the pros and cons of the machines and systems that they rely on.
"We're living in a different world, a constantly evolving threat landscape," Howard said, in reference to threats of foreign influence from the likes of Russia, China and Iran. "And from a security standpoint, we just have to replace [these old machines]."
“From an election security standpoint, the three main priorities are: you have to have a paper record of every ballot cast, you have to do a post-election audit where you actually go back and look at the paper record, and then you have to have as robust cybersecurity in place as possible.”
This isn't always easy, given financial concerns, but luckily states are trending that way. Georgia's decision to abandon a totally paperless system mirrors the nationwide drift of states attempting to revamp their systems by going more analog, as the threat of outside manipulation grows.
"In 2016, there were 14 states that used paperless voting equipment, and Georgia was one of them. We estimate that in 2020 [there are] eight states, almost half of them will have transferred to paper-based systems. That is a huge step forward, though obviously there is still more work to do," Howard said.