Brian Kemp, the Republican candidate for governor, had a problem. As did Brian Kemp, Georgia’s secretary of state.
It was Nov. 3, a Saturday, 72 hours to Election Day. Virtually tied in the polls with Democrat Stacey Abrams, Kemp was in danger of becoming the first Georgia Republican to lose a statewide election since 2006. And, now, a new threat. The secretary of state’s office had left its voter-registration system exposed online, opening Kemp to criticism that he couldn’t secure an election that featured him in the dual roles of candidate and overseer.
But by the next day, Kemp and his aides had devised one solution for both problems, an investigation by The Atlanta Journal-Constitution shows.
They publicly accused the Democratic Party of Georgia of trying to hack into the voter database in a failed attempt to steal the election. The announcement added last-minute drama to an already contentious campaign. More important, it also pre-empted scrutiny of the secretary of state’s own missteps while initiating a highly unusual criminal investigation into his political rivals.
But no evidence supported the allegations against the Democrats at the time, and none has emerged in the six weeks since, the Journal-Constitution found. It appears unlikely that any crime occurred.
“There was no way a reasonable person would conclude this was an attempted attack,” said Matthew Bernhard, a computer scientist at the University of Michigan who has consulted with plaintiffs in a lawsuit challenging Georgia’s use of outdated touch-screen voting machines.
To reconstruct the campaign’s final weekend, the Journal-Constitution interviewed more than 15 people — computer security experts, political operatives, lawyers and others — and reviewed court filings and other public records. That examination suggests Kemp and his aides used his elected office to protect his political campaign from a potentially devastating embarrassment.
Their unsubstantiated claims came at a pivotal moment, as voters were making their final decisions in an election that had attracted intense national attention.
The race seemed to turn on whether rapid demographic changes – coupled with dislike of Kemp’s most prominent supporter, President Donald Trump – would help break the Republicans’ hold on political power in Georgia. Kemp was a typical Georgia Republican standard bearer: conservative, business-oriented, an abortion-rights opponent and a gun-rights advocate. Abrams was different: the first African-American and the first woman nominated for the state’s highest office, an unapologetic progressive appealing to young and minority voters who felt disenfranchised.
Ultimately, Kemp won with 50.2 percent of the nearly 4 million votes cast. In Georgia’s closest race for governor since 1966, any voters swayed by a purported Democratic cyberattack could have tipped the election.
The episode highlighted the inherent conflicts that Kemp straddled throughout this election. He rejected calls to resign as secretary of state or to step away from election-related duties, despite concerns that he could use his elected office to his campaign’s advantage. When he assigned his own staff to investigate his opponents, Democrats say, Kemp proved their point.
“He was doing anything he could do to win,” said Rebecca DeHart, executive director of the Democratic Party of Georgia. “It was an extraordinary abuse of power.”
In his only public statement on the investigation, Kemp said his office handled the case like any other. “Because I can assure you if I hadn’t done anything and the story came out that something was going on, you’d be going, ‘Why didn’t you act?’” Kemp said on the election’s eve.
“I’m not worried about how it looks,” he said. “I’m doing my job.”
The secretary of state’s office declined to release documents concerning its investigation, including more than 80 internal emails from the weekend before Election Day. The agency said that because its lawyers were part of the email chains, the documents were subject to attorney-client privilege.
Candice Broce, a spokeswoman for the secretary of state's office, said the agency gave law enforcement agencies "extensive forensic evidence" of attempted intrusions into its system, inluding "digital fingerprints of these thwarted attempts."
Her agency's "expert cybersecurity vendors" concluded that "someone had spent a great deal of time and effort, utilizing specialized equipment, to attempt to infiltrate the secretary of state’s systems and that this attempt was potentially illegal,” Broce said in an email.
She did not identify the experts. Unlike in earlier statements, she did not allege involvement by the Democrats.
However, Richard DeMillo, the Charlotte B. and Roger C. Warren Chair in Computer Science at Georgia Tech, said accessing unsecured files required no sophisticated skills or knowledge.
“There are millions of people who know how to do this,” he said — for instance, anyone with the book “Cybersecurity for Dummies.”
Announcing an investigation before compiling evidence was, DeMillo said, “a knee jerk, defensive reaction on the part of people who don’t know what’s going on with their own systems.”
That reaction was consistent with how Kemp handled other computer security issues, real and imagined.
“The pattern,” DeMillo said, “has been to either ignore or to attack the person who exposed the vulnerability.”
‘Anything is possible’
In 2015, Kemp’s office accidentally sent political organizations, media outlets and others a trove of confidential information about every Georgia voter. Kemp blamed a single employee, whom he fired.
The following year, Kemp was one of just seven state election directors who rejected the federal government’s help to secure their voting systems. Kemp called the offer an “overreach” by the administration of President Barack Obama after hackers stole emails from the Democratic National Committee.
“It seems like now it’s just the D.C. media and the bureaucrats, because of the DNC getting hacked – they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Kemp said in an interview with Politico in August 2016. “And that’s just not – I mean, anything is possible, but it’s not probable at all, the way our systems set up.”
At that moment, the computer servers that ran Georgia’s election system were wide open to potential intruders. Voters’ personal data, passwords that poll supervisors used on Election Day, the coding for memory cards with which voters cast ballots – all of it was readily accessible.
The cybersecurity researcher who discovered this vulnerability, Logan Lamb, notified officials at Kennesaw State University, which housed the servers under a contract with the secretary of state. But it wasn’t until seven months later, when Lamb and a colleague found that the data still had not been secured, that officials shut off unauthorized access to the servers. Kemp said at the time that he expected the FBI to catch the “perpetrators.”
“There were no perpetrators,” Lamb, who works for the Atlanta-based online security firm Bastille, said recently. “We are computer security professionals. We were trying to go through the process of responsible disclosure to make sure the system was secure.”
For months, Lamb said, “anyone could just have downloaded” – or manipulated – all the state’s election files.
During that time, Kemp focused elsewhere, on what he considered a different cyberattack by the Obama administration.
On Dec. 8, 2016, Kemp wrote to Homeland Security Secretary Jeh Johnson, demanding to know why the federal agency “was attempting to breach our firewall.” Kemp said a computer traced to Homeland Security had executed a “large unblocked scan” of the secretary of state’s website.
The intrusion, Kemp suggested, was in retaliation for his refusing the government’s help before the 2016 election.
Johnson replied four days later. He said a worker at his agency’s Federal Law Enforcement Training Center in Brunswick, Georgia, had merely verified the professional licenses of job applicants – “a service, as I understand it, your website provides to the general public,” Johnson wrote.
Through a spokesman at his New York law firm, Johnson recently declined to comment.
Kemp wasn’t satisfied with Johnson’s response. “I will be elevating my concerns to the incoming administration,” he wrote back, and the same day, he asked Trump, then the president-elect, to investigate the Obama administration’s “failed cyberattacks” on Georgia. Republicans in Congress warned Johnson not to destroy evidence of what Rep. Jason Chaffetz, then chairman of the House Oversight Committee, called a possible breach of “state sovereignty” and a violation of state and federal laws.
Finally, in June 2017, a report by Homeland Security’s inspector general said a digital forensic investigation found no evidence of a cyberattack. Instead, the report said, a worker at the law enforcement training center had merely verified the professional licenses of job applicants – precisely what Johnson had told Kemp the previous December.
Kemp accepted the findings. But he said he was “disappointed that it took a new administration to investigate this highly important incident.”
‘Download any file’
As this year’s election neared, a Georgia man identified as Richard Wright logged onto the My Voter Page on the secretary of state’s website. Wright wanted to make sure his registration information was up to date. It was. But not everything else appeared to be in order.
Wright, who apparently has a background in software development, discovered two significant security flaws that could jeopardize the election’s integrity. First, downloading a sample ballot also “allows you to download any file on the system,” he later wrote in an email to the Democratic Party. Second, he said, the web address for each individual’s voter registration page included a unique numerical identifier, apparently assigned sequentially. Just by changing the digits, he wrote, “you can download anyone’s data and that includes a lot of PII” – that is, personally identifiable information, such as driver’s license numbers or the last four digits of Social Security numbers.
Computer security experts said both flaws would have enabled a hacker to delete any voter’s registration or to make changes that might render a voter ineligible. The experts also said hackers could have systematically targeted large numbers of voters who belonged to certain minority groups or those who appeared to favor one political party over another.
Efforts to reach Wright have been unsuccessful. He apparently has given no interviews.
Wright has said that when he discovered the vulnerabilities in late October, he stopped short of accessing files in a way that might break the law. A few days later, less than a week before Election Day, he reached out to organizations suing the state over its antiquated voting machines. That led him, on Friday, Nov. 2, to Washington attorney David Cross. After a telephone conversation, Cross asked a computer security firm to check out Wright’s claims.
Just before 11 the next morning, Wright also emailed a volunteer on the voter-protection hotline at the Georgia Democrats’ headquarters near downtown Atlanta, describing how he inadvertently discovered the vulnerabilities.
The volunteer, Rachel Small, forwarded Wright’s email to her supervisor, who in turn sent it to two computer security experts at Georgia Tech, all before noon Saturday.
That appears to have been the extent of the Democrats’ involvement.
DeHart, the party’s executive director, said no one in the organization knew Wright before receiving his email. When she first heard about it, she said, she didn’t even recognize its possible significance.
One of the security experts from Tech, however, notified a national security agency (he declined to say which one) because he worried a hacker could manipulate Georgia’s election. Cross shared Wright’s findings with the FBI, then got in touch with attorneys representing the secretary of state in the voting-machine case.
What the secretary of state’s staff did with the information on Saturday is not clear.
They did not notify the State Election Board, which adopts rules and decides election challenges, said David Worley, a Democratic appointee to the panel. “With any major controversial thing,” Worley said, “they ordinarily would give the board a heads-up.”
Nor did they consult with Wenke Lee of Georgia Tech, a computer security expert working with the secretary of state’s office on another matter. Lee, the director of Tech’s Information Security Center and a computer science professor, said he would have advised caution.
“Typically,” Lee said, “you want to get all the data and analyze the data before you make any claims.”
Kemp’s aides broke their silence early Sunday.
At 4:47 a.m., Candice Broce, the secretary of state’s spokeswoman, received a message from the online news site WhoWhatWhy, which says it practices “forensic journalism.” Its reporters had heard about Wright’s email and were preparing to post a story at 6 a.m. The website said it told Broce its story would describe a security breakdown in the secretary of state’s office, not a failed hack by the Democrats.
Exactly one hour later, a statement appeared on the secretary of state’s website, on the same page where voters search for sample ballots, find their polling place or check their registration.
In all-capital letters, the headline announced:
“AFTER FAILED HACKING ATTEMPT, SOS LAUNCHES INVESTIGATION INTO GEORGIA DEMOCRATIC PARTY.”
“While we cannot comment on the specifics of an ongoing investigation,” Broce was quoted as saying, “I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes.”
‘Who is Rachel Small?’
Pressed for evidence, Kemp’s aides pointed to a single email – the one from Richard Wright that Democratic volunteer Rachel Small forwarded to her supervisor.
Then, on Sunday afternoon, Broce sent a text message to reporters suggesting Small was suspected of criminal activity.
“The FBI is looking for information on ‘Rachel Small,’” Broce wrote. “We welcome any information about this person’s identity or motives to provide to federal authorities.
“Who is Rachel Small?” Broce continued. “Is that her real name, and for whom does she work? Why was she talking about trying to hack the secretary of state’s system…?”
About the same time, Kemp’s campaign released its own statement, claiming that Democrats had attempted “a fourth-quarter Hail Mary pass that was intercepted in the end zone.”
“These power-hungry radicals should be held accountable for their criminal behavior,” the campaign said.
The two statements shaped the narrative of the final hours before Election Day.
Dozens of stories appeared online, many of them repeating the hacking accusation without skepticism. Some drew no connection between Kemp the candidate and Kemp the secretary of state.
“Georgia Sec. of State Calls for FBI Vote Hacking Investigation,” declared a headline on CNBC’s website.
“Georgia Dems ‘Under Investigation for Possible Cybercrimes’ Ahead of Midterms,” another headline said. This was from the Sputnik News Service, owned by the Russian government.
More than a month later, state Democratic officials say no law enforcement agency has been in touch about the alleged crime. Lawyers and others involved in the episode say they’ve heard nothing, either. The agencies won’t comment on their investigations.
How much the claims of a Democratic-backed cyberattack mattered in the final outcome may never be known.
Abigail Collazo, the director of strategic communications for Abrams’ campaign, said that as Election Day approached, the Democrat’s staff had begun to think she might win outright, with no runoff. Kemp’s advisers may have had the same thought, she said.
“I think they got desperate and felt like they just had to make something up,” Collazo said. Because Kemp could level the allegation through the secretary of state’s office rather than his campaign organization, she said, it may have resonated with more voters.
“There is a gravitas associated with the office.”
The episode might have taken a different turn if the Democrats had immediately gone public with Wright’s email three days before the election.
“We certainly could have done other things with that information,” said Seth Bringman, the Georgia Democrats’ communications director. “We could have sent it to the press. We could have tried to embarrass Kemp.”
Then, he said, the headline may have read, “Voters’ Personal Info Exposed Again.”