Sunday morning, Georgia Secretary of State Brian Kemp announced that his office is investigating the Democratic Party of Georgia over a “failed cyber attack” that attempted to “breach the online voter registration system” and had formally asked the FBI to investigate.
This announcement is particularly notable not just because it came two days before the election and includes no evidence or details whatsoever, but because, besides being responsible for election security, Kemp is also the Republican nominee for governor and is currently in a tight race against Democrat Stacey Abrams.
Kemp’s office has not given any specifics about what happened, but media reports suggest that a voter identified a software bug on the state’s voter information page that allowed him to see other voters’ information and alerted the Democratic Party of Georgia’s voter protection hotline. The Democratic Party then asked a private firm to evaluate the bug, and that firm alerted the Secretary of State. The “cyber attack” aspect of this is either completely made up or a willful misunderstanding by Kemp about how standard security research works, repurposed to attack Abrams and the Democrats.
The idea that a politician should have the authority to formally investigate his opponent two days before an election is absurd, and has been called an “abuse of power” by Georgia Democrats. That’s an understatement: It’s brazenly authoritarian.
“To turn something like election security, which is a critical, front-burner issue into something that feels skeezy and partisan is unacceptable when the Secretary of State has a constitutional responsibility to protect elections,” Adam Levin, founder of identity protection firm CyberScout and former Director of the New Jersey Division of Consumer Affairs, told me on the phone. “It’s very disconcerting, and he’s basically trying to create the acceptable scenario that if something goes right, well, ‘I prevailed against all the odds,’ and if something goes wrong, ‘They stole it from me.’ He’s putting this false flag out there.”
The most charitable reading of Kemp’s statement is that he believes that the voter should not have contacted the Democratic Party and should have instead reached out directly to the Secretary of State or law enforcement; and that the Democrats should not have had the bug evaluated by a private firm. The Secretary of State’s office did not return a call from Motherboard requesting comment, and neither did the Georgia Democratic Party.
Researchers, normal citizens, and white-hat hackers discover bugs and vulnerabilities every single day, which is why an entire industry has evolved around penetration testing and bug bounties. Cybersecurity, broadly speaking, relies heavily on people finding and reporting bugs to the people who coded them in the first place. Ultimately, this is how we keep technology as safe as possible.
And yet, this shoot-the-messenger tactic is standard for people whose own bad security practices have been laid bare.
“When people discover vulnerabilities there are lots of people who say how it should’ve been handled. I mean seriously, how would you contact law enforcement for this issue? Call 911?,” Rob Graham, a cybersecurity researcher and Georgia voter, told Motherboard in an online chat. “The consensus in cybersecurity industry is that it matters less how you disclose a bug. Our concern is how the embarrassed party will pretend it’s not legitimate because you failed to follow some imaginary standard of behavior.”
Graham, a libertarian, wrote a blog over the weekend explaining the many ways in which Kemp and the State of Georgia have failed on cybersecurity.
Earlier this year, the state legislature passed a bill that would have criminalized good-faith cybersecurity research and white hat hacking; the sitting governor vetoed the bill. In August, the Secretary of State’s office exposed 6 million voter records, and Georgia has notoriously had one of the least-secure voting systems in the country. Kemp refused assistance from the Department of Homeland Security ahead of the 2016 election that would have helped it secure its election systems, and the state is named in one of Robert Mueller’s indictments as having been targeted by the Russian government during that election cycle.
What we have here, then, is a man who is weaponizing his own failings as a public servant and using his power to attack his political opponent mere days before an election
“In most industries around the world, white hat security researching is something that’s embraced,” Levin said. “This is not something that should be villainized.”