Accusation that Democrats hacked Georgia voter database is “outrageous,” says cyber expert
Georgia Secretary of State Brian Kemp’s announcement Sunday that his office is investigating the state Democratic Party for hacking a voter registration database is a “shiny object” designed to undermine confidence in Tuesday’s gubernatorial election — in which Kemp is the Republican nominee — and distract from actual cyberthreats, Adam Levin, the founder of security firm CyberScout, told StateScoop.
“I think it’s outrageous,” Levin said. “It’s a way to say that ‘If I win, I’ve overcome all these obstacles,’ and ‘If I lose, they stole it from me.'”
Kemp has not offered the public any evidence to back up his accusation. He announced his investigation shortly after the investigative journalism website WhoWhatWhy reported that the state Democratic Party had discovered a vulnerability in Georgia’s voter registration system that could allow a person to gain access to and potentially alter millions of records. Kemp also said he had referred the matter to the FBI and the Department of Homeland Security.
A DHS official said the department is deferring inquiries back to Georgia. The Center for Internet Security, the nonprofit group that runs the Election Infrastructure Information Sharing and Analysis Center, did not respond to questions about Kemp’s claim.
Kemp’s office did not respond to StateScoop’s request for more details on the alleged hacking. His Democratic rival for the governor’s mansion, Stacey Abrams, called his allegation a “witch hunt that was created by someone who is abusing his power.” Recent public polling shows the race between Kemp and Abrams to be neck-and-neck.
But Levin said an accusation of tampering with a voter registration system as unverified as Kemp’s does a disservice to legitimate efforts to bolster election cybersecurity, which has been a top concern for many states’ election officials since 2016, when agents of the Russian government attempted to penetrate the voter files in at least 21 states.
“The issue is not one party hacking the other,” Levin said. “The issue is a nation-state trying to hack our system. It is not a partisan issue. There is only one party when it comes to election security, and that is the American people. When you take something that’s deadly serious, that’s a nonpartisan issue that affects the underpinnings of democracy.”
Levin also said that his firm, CyberScout, has analyzed several states’ election systems to look for weaknesses ranging from the accessibility of voter registration databases to the susceptibility of government websites to denial-of-service attacks.
“There is no such thing as a completely secure system in a world where breaches occur and cyberwar has replaced the Cold War,” he said. “That’s why it takes constant vigilance.”
Georgia is not one of the states CyberScout has monitored. But Kemp has a history of rebuffing offers for assistance on cybersecurity. Shortly before the 2016 presidential election, he was one of 11 secretaries of state to reject a DHS offer to run cyber-hygiene scans on his statewide voter file. In December of that year, Kemp accused DHS of hacking Georgia’s computer systems; it turned out to be a false alarm set off by a Homeland Security employee verifying a professional license issued by the secretary’s office.
Scares about cybersecurity have the potential to turn people off from voting. A survey last year by the security firm Carbon Black reported that one in four people said they would skip future elections based on worries their votes could be compromised.
And even before his new allegation against his political rivals, Kemp had been criticized for holding up 53,000 voter registrations, citing an “exact match” law that requires the information on a registration application to be 100 percent identical with the information on a voter’s identification document, down to punctuation marks. (Though voters in that group are permitted to request provisional ballots that will be counted after their personal information is confirmed.)
Even if Kemp’s accusation against the Georgia Democratic Party proves false, Levin said voters — in Georgia and elsewhere — should still be vigilant for signs of potential cyberattacks on Election Day.
“If there are long lines because suddenly there’s been a disruption between a server and an [electronic] poll book, that could be an issue where someone’s attempting to do a denial-of-service attack,” he said. “If websites of secretaries of states go down, [that could be another issue]. There are states that have risen to the challenge to make their elections as secure as possible, and there are states that have not been as vigorous. This could be a once-in-a-generation election, so the minute anyone sees anything, they’ve got to say something.”