A voter in Marietta, Ga., on April 18, 2017, en route to cast her ballot in the highly contested 6th Congressional District race. (DAVID BARNES / DAVID.BARNES@AJC.COM)

State considers dropping election data center

Security lapses cast a pall over Kennesaw State University facility

The Kennesaw State University center that has helped run Georgia’s elections for the past 15 years may lose its contract in a matter of weeks because of concerns over security lapses that left 6.5 million voter records exposed.

The secretary of state’s office said Wednesday that it is “actively investigating alternative arrangements” to using Kennesaw State University’s Center for Election Systems, news that coincided with the unmasking by Politico Magazine of the security researchers behind a data scare involving the center that became public in March.

“All options are on the table,” said Candice Broce, a spokeswoman for Georgia Secretary of State Brian Kemp. The center’s annual $800,000 contract with the state ends June 30.

In the Politico report, Logan Lamb, an Atlanta-based internet security researcher, and Chris Grayson, a security colleague, for the first time detailed finding voter records, instructions and passwords for election workers, software files that could create electronic voter lists for poll workers, and what appeared to be databases for the state’s election management system.

It is not clear whether those files were current. The center, for example, does not maintain the state’s voter registration database — the files it collects are separate from the state’s main system, which is connected to the internet but housed on different servers in a different location using different security protocols.

Georgia’s more than 27,000 voting machines are self-contained and not connected to the internet, and neither are the in-house systems that create and maintain the electronic pollbooks or the election management system.

But none of the files the researchers found should have been accessible, they said, especially after Lamb initially notified the center before last year’s presidential election of the potential problem.

The danger is that they could be used as a blueprint for anyone looking to exploit the system’s vulnerabilities, a fear that has escalated with regular news reports about alleged attempts by Russian hackers to meddle in the 2016 presidential election.

It also comes as Georgia holds a nationally watched runoff Tuesday between Republican Karen Handel and Democrat Jon Ossoff, a race seen as an early referendum on President Donald Trump’s administration.

Cybersecurity experts as recently as last week said the state should run a technical review of its entire system to check for cyber penetration and add preventive measures to protect against both malicious attacks and unintended problems. Critics also sued the state to force it to use paper ballots during the runoff, citing similar concerns.

A Fulton County judge dismissed the lawsuit last week, saying there was an “absence of evidence” of widespread problems.

Experts have also said they knew of no examples of ongoing attacks on Georgia’s system and said there is no evidence it has been hacked.

The state has employed an ongoing, multilayered effort to secure the system’s safety and integrity, which includes working with private security vendors to scan the system and thwart any probing attempts — something state officials have said happens almost weekly.

Georgia officials reiterated Wednesday, however, that they do not believe Georgia was one of the 39 states reportedly targeted by Russian hackers ahead of the presidential election.

“Our elections systems have not been compromised,” Broce said. “We have been, and we will continue to be, hyper-vigilant in this environment. Secretary Kemp remains confident in Georgia’s elections systems and voting equipment.”

The Federal Bureau of Investigation earlier this year investigated the probing by Lamb and Grayson but did not file charges, saying they had not broken federal law.

A subsequent report prepared for the university after the breach cited concerns inside the center that included an unlocked IT closet and wires plugged into an internet port that had not been documented.

Center officials, who did not respond earlier this week to questions of whether it had addressed the security report, referred questions Wednesday to the university. A university spokeswoman declined comment.

The issue has also become fodder for the campaign trail, with one of the authors of an 11-year-old Georgia Tech report saying Handel — who at the time was secretary of state — didn’t follow up on recommendations then for stronger system security.

Rob Simms, a spokesman for Handel, on Wednesday told The Washington Post that asking “if we ever ‘responded’” to a report done more than 10 years ago didn’t “make sense.”

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.