Secretary of State Brian Kemp takes his case public for maintaining Georgia’s reputation for the country’s most insecure voting system.

Georgia Secretary of State Brian Kemp responded this morning to a USA Today editorial that points out an inconvenient fact:

in Georgia, where researchers discovered a gaping hole in election security last fall, it’s unclear what has been done to plug it. Georgia Secretary of State Brian Kemp has argued vehemently against replacing the state’s voting machines, which are susceptible to sabotage because they lack a paper record of votes.

Kemp could have defended himself by behaving like a responsible public servant and: (1) acknowledging the threat, (2) promising to marshal the considerable resources at his disposal to meet the threat, and (3) forming a national strength-in-numbers coalition of election officials to adopt the common-sense reforms that are the consensus recommendation of voting technology experts. He did not do that.

Instead, Kemp laid out his case for placing his personal political ambitions above his duty to protect Georgia voters:

As reporters chase stories to feed the 24-hour news cycle, they dilute facts and develop false narratives about Russian hacking and potential vulnerabilities in the system. The prevailing plot line is that states like Georgia can’t provide suitable security for elections.

At last month’s Senate Intelligence Committee hearing, national security officials testified that there is no doubt about Russian hacking. Committee members, who have been briefed on the threats and vulnerabilities, showed rare bipartisan agreement. They also said that DHS has not conducted classified briefings for state election officials, so Brian Kemp actually has no way to know whether the “narratives” are false.

This sounds like me.  When I was Mayor of Amity, Chief Brody tried to get me to close the beaches because of a great white shark that was snacking on 4th of July tourists.  I was more concerned about the political implications than protecting people.  I’ve apologized for my irresponsible behavior.  My hope is that Brian Kemp follows suit, but I don’t think that’s very likely.

The next best outcome is for Kemp’s Republican gubernatorial opponent, Lt. Gov. Casey Cagle, to use this shocking editorial to argue that Kemp should never again be allowed to represent the public interest.

In the meantime, Georgians are left to wonder whether the results of recent elections can be trusted.


You don’t know if an election is hacked unless you take steps to find out.

It was overlooked by the news networks, but there was a significant step forward in advancing public understanding of how to secure voting systems in yesterday’s Senate Intelligence Committee hearing. California Senator Kamala Harris opened her questioning with an old cyber security riddle:

Q: How is not being hacked like being hacked?

A: Either way you don’t know.

This has been at the root of public misperceptions of election system security: since you can’t point to a successful vote-changing hack, we must therefore be secure. In fact, most of the Senate committee seemed hell-bent on propagating this idea by coaxing

No Senator, I don’t know if votes were actually changed in the November election

from witnesses who in fact have never tried to find out.

Alex Halderman tackled both sides of this fallacy with his opening statement. First, he pointed to a supervised hack of a Washington DC election that, over 48 hours, changed every vote.

Even more importantly, he recommended risk-limiting post-election audits as a mandatory, cost-effective and mathematically sound method of verifying election results:

 Specifically, if the reported outcome (usually the set of winner(s)) is incorrect, then a risk-limiting audit has a large, pre-specified minimum chance of leading to a full hand count that reveals the correct outcome. A risk-limiting audit can stop as soon as it finds strong evidence that the reported outcome was correct. (Closer elections generally entail checking more ballots.)

An important bottom line from yesterday’s hearing was an answer to the question of whether you can ever know that an election was hacked. You can, if you look.
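The stopping rule in the quoted description of a risk-limiting audit can be made concrete with a ballot-polling audit built on Wald's sequential test (the approach used by the BRAVO method). This is an added example, not code from the original post or from Halderman's testimony; it assumes a two-candidate contest, and the function names and ballot piles are constructed for illustration.

```python
import random

def ballot_polling_audit(draws, reported_share, risk_limit=0.05):
    """Sequential ballot-polling audit of a two-candidate contest.

    draws: hand-read paper ballots in the order drawn, each "W" (shows the
           reported winner) or "L" (shows the reported loser).
    reported_share: winner's reported share of the W+L votes, above 0.5.
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner's share must be between 0.5 and 1")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")
    threshold = 1 / risk_limit  # evidence needed before the audit may stop
    ratio = 1.0                 # likelihood: reported result vs. a tie
    examined = 0
    for mark in draws:
        examined += 1
        if mark == "W":
            ratio *= reported_share / 0.5
        elif mark == "L":
            ratio *= (1 - reported_share) / 0.5
        else:
            raise ValueError(f"unexpected ballot mark: {mark!r}")
        if ratio >= threshold:
            return "outcome confirmed", examined
    # Sample exhausted without strong evidence: escalate.
    return "full hand count", examined

def draw_sample(paper_ballots, n, seed):
    """Draw n ballots with replacement; the seed stands in for a public dice roll."""
    rng = random.Random(seed)
    return [rng.choice(paper_ballots) for _ in range(n)]

if __name__ == "__main__":
    # Constructed piles of 10,000 paper ballots (not real election data).
    contests = {
        "reported 60%, paper agrees": (0.60, ["W"] * 6000 + ["L"] * 4000),
        "reported 52%, paper agrees": (0.52, ["W"] * 5200 + ["L"] * 4800),
        "reported 60%, paper shows 45%": (0.60, ["W"] * 4500 + ["L"] * 5500),
    }
    for name, (share, pile) in contests.items():
        print(name, ballot_polling_audit(draw_sample(pile, 2000, seed=2017), share))
```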


At today’s hearing of the Senate Intelligence Committee, Prof. Alex Halderman gave a recipe for enhancing the security of our computerized voting systems:

Step 1: Replace DRE touchscreen systems with paper ballots and optical scanners.

Step 2: Use risk-limiting post-election audits to verify election results.

Step 3: Adopt best cybersecurity practices and technologies appropriate to the threat.


Your daily data breach: 200 million voter records exposed, including contact information and voting preferences

Today’s announcement from UpGuard reports that

the data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors

This makes it the largest breach of its kind.

Gizmodo reports that

Deep Root’s server was discovered by UpGuard’s [Chris] Vickery on the night of June 12 as he was searching for data publicly accessible on Amazon’s cloud service. He used the same process last month to detect sensitive files tied to a US Defense Department project and exposed by an employee of a top defense contractor.

It is now becoming clear that the network of voter databases allows well-funded actors to combine information from various sources. Someone with bad intentions can piece together enough information to interfere with and disrupt elections.

Political operations might view such databases as easily commoditized marketing data that can be discarded after an election. A hacker, on the other hand, might take a longer view, realizing the damage to be done in misusing knowledge of voting patterns.





“We’re a very trusting society, but these machines are really bad.”

The polls in #GA06 indicate a razor-thin margin for Democratic challenger Jon Ossoff over former Georgia Sec. of State Karen Handel. A non-partisan group known as the New Georgia Project has been canvassing minority neighborhoods to get out the vote, but the behavior of Georgia election officials has increased unease about the security of voting machines.

People are really concerned that a couple of hundred votes here, a couple of hundred votes there could be changed, [New Georgia Project director] Ufot said.

@thinkprogress found voters like new #GA06 voter Jill Meyers who decided not to vote early in the hope that a lawsuit compelling the use of paper ballots would succeed.  As the defendants in that litigation pointed out, any voter can request a paper ballot at any time.  It was a claim that clearly annoyed Judge Adams, who pointed out that without clear announcements advising voters of their right to vote on paper, such a choice is meaningless.

“We’re a very trusting society,” [Meyers] said, “but these machines are really bad.”


What Georgia election officials are doing is as risky as “driving in a heavy rain at 100 miles per hour.”

Logan Lamb and Chris Grayson emerged this week as heroes of a story that leaves experts and patriots from every political stripe shaking their heads in disbelief. Lamb, who in August 2016 stumbled into an open door at Georgia’s Center for Election Systems at Kennesaw State University, informed the Center’s director of the vulnerability.

In March [2017], a security colleague Lamb had told about the flaw checked out the center’s website and discovered that the vulnerabilities had only been partially fixed… The researcher, Chris Grayson, said he, too, was able to access the same voter record databases and other sensitive files in a publicly accessible directory.

Grayson and Lamb were questioned by the FBI. Lamb said he wanted to come forward after an NSA report about Russian hacking of U.S. elections became public.  Grayson said:

At the end of the day we were doing what we thought was in the best interest of the republic.

Experts have warned Georgia Secretaries of State for years that continued use of its outdated and compromised election technology was risky. Those warnings have been dismissed or even ridiculed. @BrianKemp, the current Georgia SOS, seems content to repeat a now-discredited fiction that the state’s election system is “completely secure.”



Washington Post: Georgia’s election system needed a hard look, and she seemed interested in the results, but then did nothing.

Georgia Tech dean Richard DeMillo answered Karen Handel’s call to “take a look at our processes, take a look at our technology, and give us your opinion.”

In 2008, the Georgia Tech Information Security Center and Office of Policy Analysis and Research released its report, “A Security Study of the Processes and Procedures Surrounding Electronic Voting in Georgia.” A number of potential problems came up, from the transportation of election machines by prison laborers to password protection of machines and poll-watcher training.

The threats became real in 2017, but when asked about the report a Handel spokesman said, “It doesn’t make sense to me.”


Take-away from Politico story about Center for Election Systems hack: if you talk about this, the people downtown will crush you.

Today’s report by Politico’s @KimZetter on the security breach at the Center for Election Systems (CES) is a compelling must-read companion to this and this. Tick-tock starts last August, when 29-year-old Logan Lamb from Oak Ridge National Laboratory stumbled onto 15GB of apparently sensitive material relating to CES administration of Georgia’s voting machines.

…his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election.

Lamb notified Merle King, director of CES. King seemed to be most concerned that Lamb keep the information to himself and warned him to not talk to the media about it, telling him

“It would be best if you were to drop this now,” Lamb recalls. King also said that if Lamb did talk, “the people downtown, the politicians … would crush” Lamb.