A group of Georgia voters and a Colorado-based watchdog organization filed a lawsuit late Monday asking a judge to overturn the results of last month's 6th Congressional District special election and scrap the state's voting system, Colorado Politics has learned.
The complaint, filed in Fulton County Superior Court, alleges that state and local election officials ignored warnings for months that Georgia's centralized election system — already known for potential security flaws and lacking a paper trail to verify results — had been compromised and left unprotected from intruders since at least last summer, casting doubt on Republican Karen Handel's 3.8-point win over Democrat Jon Ossoff in the most expensive House race in the nation's history.
The June 20 runoff election followed a first round "jungle primary" in April to replace Republican Tom Price, who was appointed by President Donald Trump to head the U.S. Department of Health and Human Services.
The plaintiffs — including Colorado nonprofit Coalition for Good Governance and Georgia voters from both major political parties and a conservative third party — charge that recent revelations about a security hole on a computer server used to run Georgia elections only amplified longstanding concerns about the state's antiquated voting equipment and its susceptibility to hackers.
"We aren't questioning one candidate over another," lead plaintiff Donna Curling told Colorado Politics. "We're saying it's impossible to know."
"We are in a completely different environment of cybersecurity threats than when this equipment was purchased 15 years ago," said election integrity activist Marilyn Marks, who heads the foundation spearheading the lawsuit and has been a persistent thorn in the side of Colorado election officials for years. (She recently moved to the East Coast for family reasons and changed the name of the nonprofit from the Rocky Mountain Foundation to Coalition for Good Governance.)
In Colorado, Marks led the charge on numerous complaints and legal challenges over voting matters — including one treat voted ballots as public records under the Colorado Open Records Act, a 2012 federal lawsuit to remove bar codes from Colorado ballots because of privacy concerns and another last year that sought to overturn the Colorado GOP's delegate selection process to the Republican National Convention.
The Georgia lawsuit isn't alleging the election system has been hacked, but computer security experts argue that the state's voting equipment and computers have been at risk of intrusion for so long that election officials must assume they've been compromised. And while federal authorities have said there's overwhelming evidence that Russian hackers attempted to meddle in last year's presidential election, the plaintiffs in the Georgia lawsuit aren't suggesting their concerns include the Russians, although they maintain last year's events should raise awareness that there are bad guys out there.
The lawsuit names Georgia Secretary of State Brian Kemp and state and county election officials as defendants, along with the state's Center for Election Systems at Kennesaw State University and its director, Merle King.
Curling was among the plaintiffs who unsuccessfully sued many of the same officials in May asking that Georgia use paper ballots in the 6th District runoff election, alleging security vulnerabilities in election equipment. A judge threw out that lawsuit on a technicality — the individuals named as defendants were shielded by the state's doctrine of sovereign immunity, she ruled — and also noted that early voting had already started.
Kemp cheered that ruling, saying the judge had found "what we already know: Our voting machines in Georgia are safe and accurate."
Critics, however, contend the judge concluded nothing of the sort, ruling only that the plaintiffs hadn't demonstrated the machines "had widely malfunctioned or skewed results." A sophisticated hacker, computer security experts say, could erase tracks, requiring an equally sophisticated investigation to uncover evidence of an intrusion. That's why, plaintiffs told Colorado Politics, they're also asking the court to order a forensic analysis of the state's voting system and its components.
Polling places in Georgia use Diebold AccuVote TS touchscreen voting machines first purchased in 2002 and run on a modified version of Windows last updated by Microsoft 14 years ago, King told the Brennan Center for Justice two years ago as part of a study on voting security. (The company changed its name to Premier Election Solutions about a decade ago, and most of its assets were later purchased by Dominion Voting Systems.) The election center King operates at Kennesaw State has been responsible for overseeing and securing the state's electronic election equipment and infrastructure since the state installed the system.
"It's quite clear that the center at Kennesaw State has very lax security procedures," said Barbara Simons, chairwoman of the nonpartisan Verified Voting advocacy organization. "But even if they have perfect security, those machines should not be used. They're paperless machines — you cannot check the results, and the voter cannot verify that the voter's selections has been accurately recorded inside the machine's memory."
Although the nonprofit isn't involved in the Georgia litigation, it has been working nationwide to eliminate paperless voting. Every single study of the machines Georgia uses, she added, "has shown them to be insecure. Georgia should have stopped using these machines a long time ago."
California ditched the system Georgia uses a decade ago after a software bug caused a machine to erase more than 100 votes, and Maryland switched from the system to paper ballots at about the same time over concerns about security, glitches and the ability to conduct a recount.
In Monday's lawsuit, Curling and her fellow plaintiffs cited news that broke in mid June about an Atlanta cybersecurity researcher's discovery of a trove of Georgia election data — including 7.5 million confidential voter records, passwords for operating voting equipment and the software used to create ballots and tell touchscreen machines how to tabulate votes — that had been left open for months to anyone with an Internet connection.
While officials alerted the public in March that a state election database had been accessed by an outsider, it was less than a week before the June 20 runoff election that details emerged, including the extent of the breach, the existence of a vulnerability in the server's computer code and how long officials had left the system exposed after they were initially told last August that it was at risk.
"What's important is there are always going to be bad actors, no matter what kind of system we have, so the most important thing is to make sure that whatever system you have is secure and is verifiable," Curling said.
Georgia officials insist the state's election system is safe and secure.
While a spokeswoman for Kemp said he couldn't comment on Monday's lawsuit because he hadn't yet seen it, he swung back hard at critics Sunday in an opinion article published by USA Today. The Republican, a candidate for governor in next year's election, mocked as "fake news" stories about "Russian hacking and potential vulnerabilities in the system."
"State voting systems," Kemp wrote, "are diverse, highly scrutinized and not connected to the Internet."
The plaintiffs suing Kemp, however, point out that Georgia conducts elections on a uniform system and Kennesaw State officials admitted to a "[p]oor understanding" of the security risks involved in a recent incident report about the data breach.
As for connections to the Internet, a computer security expert at Georgia Institute of Technology called Kemp's assessment "factually inaccurate."
"They claim their systems are never connected to the internet, which is just not true," Rich DeMillo, a Georgia Tech computer science professor and executive director of the school's Center for 21st Century Universities, told Colorado Politics.
"There are many, many pathways from the Internet to the systems that go out into the field on election day — the most obvious one is the memory cards inserted into every (touchscreen) machine. It's like you're sharing needles. What you're doing is picking up whatever happened to be in the machine the memory card last touched, and you're spreading it."
It's easy to spread a virus from machine to machine "even though the machines were never connected to any network," said Edward Felton, a Princeton University computer science professor, in a sworn affidavit filed with Monday's lawsuit. This can be accomplished, he said, by infecting a memory card, which is how election workers load ballots onto the machines and store results. All it takes is touching one computer that's been connected to the Internet, and then every other machine it touches is equally exposed. "[T]he memory cards acted as carriers for the virus, much as mosquitos act as carriers for some human diseases," he said.
Felton, who served until January as deputy chief technology officer at the White House, was part of a team of researchers studying Diebold AccuVote TS machines — the same touchscreen machines used across Georgia — and they were able to create a computer virus that modified the results reported by the machines without leaving a trace.
"This already vulnerable equipment has had the opportunity to be infected over the many years of lax security," said Marks. "What Georgia's recent experience tells us is that the entire state's system is indirectly connected to any bad actor on the Internet and has been for a long time."
Despite claims to the contrary from Georgia officials, she added, the state's election machines are connected to the Internet every time they come in contact with an electronic device that's been inserted into a computer that's connected online.
"They are basing this assurance on a hyper-literal interpretation because we don't see a network cable coming out of the back of the machine," she said. "But as a practical matter, in terms of the danger they face, they actually are connected to the Internet because the components are connected to the Internet, even if only briefly."
State election workers have been instructed to download files from a central server — over the Internet — and put them on memory cards, according to training videos found online last summer by Logan Lamb, the cybersecurity specialist who uncovered the security hole at the center of Georgia's election infrastructure.
Lamb, a 29-year-old researcher at a startup firm in Atlanta, said in an affidavit filed with Monday's lawsuit that he took a look at Kennesaw State University's election center's public website last August ahead of a meeting he'd set to talk with King, its director, about general security topics involving voting machines.
What he found stunned him, he told Colorado Politics.
After discovering what looked like voter files, Lamb said he used a simple command to download what amounted to 15 gigabytes of data — including the voter database, an election management system database and memos that included passwords for election supervisors, in addition to the training videos.
"Besides leaking information," Lamb said, he discovered the server was running an old version of Drupal content-management software susceptible to malware known as "drupageddon," and it appeared that the server's software hadn't been updated since a patch had become available two years earlier. "Had an attacker actually launched an attack," Lamb added, "then they would have had full access to the server."
Alarmed, Lamb said he notified King about the "serious vulnerabilities" he had stumbled across and then spoke with him the next day, adding that he was "assured that the issues would be remediated." In late February, however, Lamb said he mentioned what had transpired to a colleague, Chris Grayson, who discovered that the data was still accessible on the election center's public website. Lamb verified the security hole by downloading the same files he had six months earlier, along with what looked like new files that reflected last fall's election.
This time, Grayson alerted IT officials at the school, and soon federal authorities were involved. Word leaked out to the media in March that the election center had suffered a massive security breach. The details, however, weren't public until Lamb discussed what had happened with Politico reporter Kim Zetter, who published a bombshell article about the events on June 14, just days after a court ruling tossed Curling's initial lawsuit asking for paper ballots in the 6th District runoff election.
"I want to provide as many facts as I can," Lamb told Colorado Politics. "I'm going to have faith in the judicial system at this point. If the facts of what my colleague and I found change he outcome, then so be it."
He said emerging news about Russian attempts to hack the presidential election has only heightened his alarm over the security vulnerabilities he discovered.
"Knowing that the Russians did have an interest in swaying the election only makes it more important that we resolve the known issues with these systems," Lamb said. "My biggest hope with all of this is, in the end, our voting systems become more secure. That's what it's all about. I think that's all any of us want."
Information security officials with the Colorado secretary of state's office told Colorado Politics last month that their system is subject to hundreds of attempted intrusions daily, likely including both the malicious and the curious.
Curling said she felt physically ill when she read what Lamb had discovered.
"The details were really alarming, and at that point we decided, wow, something's got to be done," she said. That led to Monday's lawsuit. "At that point, we're no longer talking about imagination. The system was left exposed."
She recalled that something King had said during testimony on the earlier lawsuit sparked her concern.
"Any time a voting system component leaves the jurisdiction for repair or if it just falls out of custody, it has to be retested before it can be reentered," he said, according to a transcript of the June 7 hearing.
"I contend that during this months-long period that this information sat exposed on the Internet, that that's falling out of custody," Curling said. "They have no idea what was taking place behind the scenes there. We don't know if any kind of malicious software or codes were put in the voting systems during the time it was open."
In his opinion article published Sunday, Kemp dismissed that kind of speculation and argued it harms public confidence in elections.
"Misinformation from the media or disgruntled partisans not only fuels conspiracy theorists but also erodes the first safeguard we have in our elections — the public's trust," he wrote.
Georgia was one of only two states to reject an offer of assistance from the Department of Homeland Security to help secure election systems last year after federal authorities determined Russian hackers had penetrated servers in Arizona and Illinois and had targeted those in at least 20 other states. At the time, Kemp said the offer was an attempt to "subvert the Constitution to achieve the goal of federalizing elections under the guise of security."
Kemp later charged DHS with conducting a series of cyberattacks against the secretary of state's computers at around the time of the November election, but a report issued last week by the DHS inspector general determined Kemp had mistaken routine traffic from a Federal Law Enforcement Training Center staffer for a hacker's attempts.
A group of Georgia electors organized by Marks' foundation in May called on authorities to reexamine the voting system after word emerged that four electronic pollbooks — resembling vintage tablet computers, they're used to check in voters at polling places — had gone missing in April, only to turn up two days later in a Dumpster. Concerned that thieves might have gained access to confidential voter rolls and could create fraudulent cards to activate voting machines, the group asked Kemp to determine whether the equipment was still secure.
Eventually, after several requests, Kemp's office replied that the reexamination would take six months to conduct and would cost the dozen electors $10,000. In addition, Kemp turned over documents showing that Georgia's election system had been fully certified most recently in 2007.
DeMillo recalled that he was asked to lead a security review of Georgia's election system a decade ago by Handel, who had just been elected to a term she served as secretary of state.
"She wanted some software engineers from Georgia Tech to take a look at security," he said. "Our report presented her with some concerns. But when we did that review, we were asked to focus on the election process itself, not on the technology or the Kennesaw State center. That was an interesting restriction to the project, because the technology itself had been widely criticized by computer scientists for five years or so."
The report, he said, noted "very carefully" that the state election center "was a single point of vulnerability for the system, but we were told it was outside of the scope of the report."
"There were some things in the system then that persist, that are vulnerabilities today," DeMillo added. "Things we thought were problematic in 2008 turned out to be problematic in 2017."
While he was subpoenaed to testify in the May lawsuit, DeMillo stressed that he isn't taking sides in the legal action. He does, however, have strong thoughts on the matter.
He's been puzzled, for instance, by the way state election officials continue to maintain — in the face of overwhelming evidence — that the system is safe and secure. The topic came up with his students in a spring class he taught on cyber ethics.
"One thing we talked about was the extent to which the Georgia system has been almost designed to not include the safeguards that you would from a common sense standpoint include in any system," DeMillo said. "They have this idea that the system is absolutely secure — there's no reason to have a verified backup, for example, of the ballots, because the election officials believe the system is not going to fail in that way. But engineers think of this as a Titanic effect. If you believe the ship is never going to sink, you don't bother putting lifeboats on the ship."
"The fact those safeguards are not only not present in the system but they're dismissed out of hand by the secretary of state's office should give you pause," he added. "When you hear the secretary of state, who's responsible for securely conducting elections on the part of the state, say with definiteness that the systems have not been compromised, that the systems are secure — and yet you see, month after month, ad hoc explanations for why what any expert would view as a breach is not a breach — you have to ask yourself, do they really have a handle on the system, on the underlying security."
He said the whole situation reminded him of the mayor of Amity Island in the movie "Jaws," who ordered the beaches open for the busy Fourth of July weekend despite warnings there was a great white shark lurking offshore.
"My take on the Georgia situation is, the elected officials here have not made much of an attempt to figure out how to keep these systems safe," DeMillo said. "Ignoring demonstrated risks doesn't seem to me very good public policy."
This story first appeared on Colorado Springs Gazette.