Warnings that hackers appear to have targeted elections systems in Arizona and Illinois have served as a wake-up call for Georgia officials, who began investigating Tuesday how the state’s public agencies can get a better handle on data security.
“It is our responsibility here to make sure we put in policies and protections for the citizens, and this is a huge threat,” said state Sen. Bruce Thompson, R-Cartersville, who is spearheading the initiative as chairman of the Senate Data Security and Privacy Study Committee.
“We’ve got to be able to look at this and say, ‘Hey, where are these threats coming from, are we appropriately staffed, appropriately funded, to be able to thwart that?” Thompson said. “We’ve got to lay that in concert with what we’re doing federally, so we don’t either duplicate their efforts or negate their efforts. And that’s the biggest challenge we have right now.”
While there is no evidence Georgia’s election system has been compromised or even targeted, Secretary of State Brian Kemp’s office has not responded to questions from The Atlanta Journal-Constitution since Monday about whether it has taken the advice of federal officials to boost election security or initiated a review of the system.
Kemp told Politico, in a story published Sunday, that he had turned down an offer from the federal government to help prevent hackers from manipulating the presidential election. Such an intrusion, he said in the article, was “not probable at all, the way our systems are set up” and he said federal officials and the media were exaggerating concerns of cyberthreats.
The FBI’s cyber division warned states Aug. 18 that it was investigating incidents related to elections data systems in two states, although the warning was not made public until Monday. The warning came days after Homeland Security Secretary Jeh Johnson hosted a call with elections officials from across the nation about cybersecurity and election infrastructure.
The Georgia effort to get a handle on agencies’ data security was previously planned, but the timing was fortuitous. Among those participating on the panel undertaking the review are Calvin Rhodes, the state’s chief information officer, as well as Bobby Laurine, who holds a similar position with the University System of Georgia.
Tom Wilson, who oversees the Southern Co.’s response to cyber security risks as its chief information security officer, told the group Tuesday that at minimum they needed to be flexible and have the financial ability to upgrade their technology.
Then there is the question of who would try to breach the system, which Wilson said could run the gamut from nations to criminals who viewed hacking as a low-risk way to make money. In this case, some experts have already pointed to the influence of Russia and said that country may be involved in attempted breaches related to the November election.
“There may be actors in the world who may want to influence that process in some way,” Wilson said. “There are a lot of upsides moving to a more digital economy, but there are also risks.”
Those risks do not just sit with the Secretary of State’s Office, although that agency in particular was responsible for the exposure last fall of the personal data of over 6 million registered voters.
Robert Swiggum, the chief information officer for the Georgia Department of Education, said Tuesday that his agency holds one of the largest collections of private data in Georgia government. The state currently keeps tabs on about 1.7 million public school students in Georgia, and it has been collecting that data annually for more than a decade.
The challenge for agencies such as his, Swiggum said, was finding a secure balance between keeping the data private and making it accessible for those who needed to see it, such as local school officials.
Keeping all that data can bring problems.
In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers. At the time, Georgia officials said the state used data encryption and other controls aimed at preventing a similar type of intrusion.
The breach in the Secretary of State’s Office last fall did not involve hacking or an external incursion into the state’s system. Rather, personal data — including Social Security numbers, birth dates and driver’s license numbers — were inadvertently included with other information sent to 12 organizations that regularly subscribed to “voter lists” maintained by the state.
Thompson at the time criticized Kemp for being too slow in releasing public records detailing how that breach happened. But on Tuesday, he said Kemp has worked to address his concerns, including an audit of his office’s information technology operations, policies, procedures and system security.
“He has been very good and forthcoming with me, very diligent to say, ‘Hey, here are all the things we’ve done, here’s all the people we’ve (talked to) and here’s the things we’ve put in place,” Thompson said. “From my position, I would say I’m confident in what he’s telling me.”