A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.
“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.
“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.
As Georgia prepares for a special runoff election this month in one of the country’s most closely watched congressional races, and as new reports emerge about Russian attempts to breach American election systems, serious questions are being raised about the state’s ability to safeguard the vote. Lamb’s discovery, which he shared out of concern that state officials and the center ignored or brushed off serious problems highlighted by his breach, is at the heart of voting activists’ fears that there’s no way to be sure the upcoming race—which pits Democratic neophyte Jon Ossoff against Republican former Secretary of State Karen Handel—will be secure. The special election has already become the most expensive House race in U.S. history and has drawn the attention of President Donald Trump, who has tweeted his support of Handel and ridiculed Ossoff, whose campaign is seen as a litmus test for the Trump resistance movement.
Marilyn Marks, executive director of the Rocky Mountain Foundation, which sued the state last month to prevent it from using the voting machines in the upcoming runoff, says Americans have reason to be concerned about the integrity of Georgia’s election system—and the state’s puzzling lack of interest in addressing its vulnerabilities. “The security weaknesses recently exposed would be a welcome mat for bad actors.”
***
Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.
The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.
And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.
Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites. If they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state. Or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.
The center has played a critical role in the state’s elections for more than a decade, not only by testing the touch-screen voting machines used throughout the state and maintaining the software that’s used in the machines, but also by providing support for the GEMS servers that tabulate votes and creating and distributing the electronic ballot definition files that go into each voting machine before elections. These files tell the machines which candidate should receive a vote based on where a voter touches the screen. If someone were to alter the files, machines could be made to record votes for the wrong candidate. And since Georgia’s machines lack a proper paper trail — which would allow voters to verify their choices before ballots are cast and could also be used to compare against electronic tallies during an audit — officials might never know the machines recorded votes inaccurately. There have been no public reports indicating that this has ever happened in Georgia, but computer security experts say it’s not clear officials would be able to uncover this even if they tried.
The center also distributes the voter registration list to counties for use on their ExpressPoll pollbooks; if attackers were to delete voter names from the database stored on the center’s server or alter the precinct where voters are assigned, they could create chaos on Election Day and possibly prevent voters from casting ballots. This is not an idle concern: During the presidential election last year, some voters in Georgia’s Fulton County complained that they arrived at the polls and were told they were at the wrong precinct. When they went to the precinct where they were redirected, they were told to return to the original precinct. The problem was apparently a glitch in the ExpressPoll software.
***
Last month, Marks and other plaintiffs filed a motion seeking an injunction to prevent the three counties casting ballots in the 6th Congressional District race—Fulton, DeKalb and Cobb—from using their touch-screen machines and to have them use paper ballots instead. In court filings and a hearing last week, they cited Lamb’s breach of the center’s server as one reason the machines, and the center’s oversight of them, cannot be trusted. They sought the injunction without knowing the full extent of Lamb’s breach.
Their concerns were validated last week with the publication of a classified National Security Agency report, which stated that hackers associated with Russian military intelligence had been behind the previously reported targeting of voter registration systems as well as an extensive phishing scheme to hack election officials. A second story, published this week by Bloomberg, indicated that the hackers targeted voter registration systems in 39 states and had actually tried to delete or alter voter data in at least one state. They had also accessed the software used by poll workers to verify voters at the polls—the same kind of software that Lamb found on Georgia’s website.
The reports didn’t indicate whether Georgia was among the 39 targeted states, but several factors make Georgia an especially good candidate for hacking. Unlike other states, which use a patchwork of voting machine brands and models throughout their election districts—making it more difficult to affect a national election outcome—Georgia uses a uniform system statewide: touch-screen voting machines made by Premier Election Solutions (the company, formerly Diebold Election Systems, is now defunct). More than 27,000 of these years-old machines are used in the state, as are more than 6,000 ExpressPoll pollbooks, also made by Premier/Diebold. And unlike most other states that have a decentralized structure for managing elections—machines and ballots are prepared and managed by individual counties—Georgia’s reliance on the center to manage those responsibilities for counties makes it a bull’s-eye for someone wanting to disrupt elections in the state.