“Since contacting DHS with these concerns, we have collaborated with the agency and provided extensive, additional information,” Kemp wrote. “Last night I received a letter from Secretary Johnson which lacked any specific information as to the attacks’ intent or origin despite the fact that many questions remain unanswered.”
Kemp's office detected what he called a "large attack on our system" in November. His staff was able to trace the breach to the Department of Homeland Security. DHS has denied it tried to break through the state's computer firewall.
An agency spokesman declined comment Wednesday. But in the letter Johnson sent Kemp on Monday, the Homeland Security secretary said they traced the computer in question to a contractor at its Federal Law Enforcement Training Center in Brunswick.
Johnson said the contractor is not part of the department’s cyber security team.
“He told us that he accessed your website as part of his normal job duties at FLETEC to determine whether incoming FLETEC contractors and new employees had a certain type of professional license – a service that, as I understand it, your website provides to the general public,” Johnson wrote, noting that their analysis showed it was “normal Microsoft Internet Explorer interaction by the contractor’s computer with your website.”
Kemp is not convinced.
“The scenario DHS has proposed has still not been verified by Microsoft,” Kemp wrote Johnson late Tuesday. “There are still many questions regarding the origin and intent of this attack that remain unanswered.”
Kemp, a potential Republican candidate for governor in 2018, told The Atlanta Journal-Constitution that DHS’s explanations keep changing and that Kemp’s own information technology staff cannot replicate what the feds say happened.
“It’s almost like they’re making it out to be that this is some sort of false positive,” Kemp said. “And we just have all these questions that haven’t been answered. The best way to get those answers was to ask the new administration to look at it.”
Federal officials seem to think the situation is resolved, Kemp said, but he is not ready to move on.
“Georgians are asking me about it,” he said. “We need to get to the bottom of it. And they’re acting like they already have. I need some proof.”
Steve Akridge, owner of BorderHawk LLC, an Atlanta-based cyber security company, questions Johnson’s explanation.
“The concept of an Internet Explorer guy doing a search on the Secretary of State’s website giving signs that you’re being scanned, trying to break into that machine … I would find that very hard to believe,” Akridge, who was the state of Georgia’s first chief information security officer in 1999, said.
But Akridge said it is also difficult to know for sure without more information.
In his letter to Trump, Kemp also said his staff uncovered other attempts to break his system’s firewall. They detected 10 separate “scans” of Georgia’s elections systems between Feb. 2 and Nov. 15, all traced back to DHS. Many occurred suspiciously close to other events, Kemp said, including the day he testified against Homeland Security before a congressional committee and election day.
Kemp publicly questioned alarms raised by federal officials before the presidential election over the issue of election security.
Georgia was one of two states that did not accept federal help to secure its election systems, after the FBI’s cyber division warned states in August that it was investigating hacking incidents in two states — believed to be Arizona and Illinois.
A month later, state officials said Georgia was not among the states that had voter registration systems targeted in recent months by hackers. That claim came after FBI Director James Comey told House Judiciary Committee members that his agency had detected a variety of “scanning activities” related to election systems in the United States.
Kemp said Wednesday that the agency’s outside cyber security vendor only alerted them to the Nov. 15 incident because it was a more serious event. Once the incident was traced to DHS, the office found the nine earlier incidents that were not considered to be as serious.
“We get 2,000 low-level pings, hits, scans, whatever you want to call them, on our network a week,” Kemp said. “We have four or five of those that will get tagged for whatever reason that are higher level. There is something about them that the network security provider kicks back to us. Normally we run those down, there’s a good explanation for it, we dismiss it, we move on.”
The Nov. 15 event was different, he said. “It got tagged, but nobody could easily explain what was happening, which is why it rose to my level and it really got on our radar when we figured out the IP address. It’s only because of that we would go back and look at these lower level ones.”