ATLANTA — An already tight governor’s race in Georgia devolved into new chaos Monday after the Republican candidate, who is also the state’s chief election official, alleged with little evidence that Democrats sought to hack a voter database that will be used in Tuesday’s elections.
Republican nominee Brian Kemp made the allegation just as reports emerged of a gaping vulnerability in a system that he controls as secretary of state.
An attorney for election-security advocates notified the FBI and Kemp’s office on Saturday that a private citizen alerted him to what could be a major flaw in the database used to check in voters at the polls.
Independent computer scientists told The Associated Press that it enables anyone with access to an individual voter’s personal information to alter that voter’s record.
In response, Kemp asked the FBI to investigate the Democratic Party for trying to hack the system.
Kemp’s office did not detail any Democratic acts, offering no evidence for beginning a probe of his partisan opposition days before an election.
Democrat Stacey Abrams told ABC’s “Good Morning America” on Monday that she believes her opponent “cooked up the charge, because he realizes, once again, he left the personal information of six million voters vulnerable. This has happened twice before.”
“We have nothing to do with this,” she added in an interview on CBS “This Morning.” “When he gets caught, he blames everyone else.”
Democratic Party of Georgia Chair DuBose Porter and Democratic State Election Board Member David Worley held a news conference after Brian Kemp’s office pushed for a probe into cybercrimes, calling it an “incompetent smear” against the state’s Democratic Party members.
Both programs said they offered Kemp an opportunity to appear as well, but he declined.
Polls suggest Kemp and Abrams are locked in a tight race in a contest that has taken on historic significance because of the potential of Abrams becoming the nation’s first black female governor.
She’s accused Kemp of using his post as secretary of state to make it harder for certain voters to cast ballots. Kemp counters that he’s following state and federal law and that it’s Abrams and her affiliated voting advocacy groups trying to help people, including noncitizens, cast ballots illegally.
The state Democratic Party called Kemp’s accusation “a reckless and unethical ploy” and said he was using the FBI to support “false accusations.”
The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.
In the voting integrity case, a federal judge last month endorsed the plaintiff’s arguments that Kemp has been derelict in his management of the state election system and that it violates voters’ constitutional rights with its lack of verifiability and reliability.
The atmosphere has left partisans and good-government advocates alike worrying about the possibility that the losing side will not accept Tuesday’s results as legitimate.
According to AP interviews and records released by the Georgia Democratic Party, the lawyer for the election-security advocates, David Cross, notified both the FBI and Kemp’s counsel Saturday morning that a citizen had alerted him to the flaw. But the citizen had separately informed the Georgia Democratic Party, whose voter protection director then sent an email to two computer security officials.
“If this report is accurate, it is a massive vulnerability,” wrote the director, Sara Tindall Ghazal. Party officials provided the AP with the email, its recipients’ names redacted.
Neither Cross nor the state party went public.
But reporters for the online news outlet WhoWhatWhy obtained a copy of the Ghazal email and the email that Democratic Party officials received from the private citizen who discovered the flaw, Richard Wright.
They published a story Sunday just as Kemp’s office released its statement accusing Democrats of attempted hacking.
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cybercrimes,” said Candice Broce, who works for Kemp.
Rebecca DeHart, executive director at the state Democratic Party, said no one from Kemp’s office notified the Democratic Party or asked any question about the correspondence before issuing its public announcement of an investigation.
WhoWhatWhy’s story said five security experts had reviewed the Wright complaint and independently confirmed that the database is vulnerable to hacking.
One of those experts, University of Michigan computer scientist Matthew Bernhard, told the AP that anyone with access to an individual voter’s personal information could alter that voter’s record in the system.
Another computer security professional who reviewed the vulnerability — without attempting to probe it for fear of prosecution — is Kris Constable of PrivaSecTech in Vancouver, Canada. “Anyone with security chops would have detected this problem,” he said, “so (the system) clearly has never been audited by any computer security professional.”
The FBI declined to comment. A representative for the Department of Homeland Security confirmed the agency had been notified, but it deferred to Georgia officials for details.
Cross said Wright, a businessman with “some background in software,” doesn’t wish to speak publicly.
The Coalition for Good Governance, a plaintiff in the voting integrity lawsuit against Kemp, issued a statement decrying his outsourcing of the voter registration database and electronic poll book voter check-in system to a third party, PCC Technologies.
“There are still immediate steps that Secretary Kemp and the State Election Board can take to mitigate some, but not all, of the risk for Tuesday’s vote,” the group said.
Efforts to reach PCC for comment have not been successful.
The hacking accusation is not the first from Kemp accusing outsiders of trying to penetrate his office. Immediately after the 2016 general election, Kemp declared that DHS tried to hack his office’s network, an accusation dismissed as unfounded in mid-2017 by the DHS inspector general.
Georgia’s centrally managed elections system lacks a verifiable paper trail that can be audited in case of problems. The state is one of just five nationwide that continues to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don’t leave a paper trail.
In 2015, Kemp’s office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.
His office made headlines again last year after security experts disclosed a gaping security hole that wasn’t fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia voters — 6.7 million at the time — as were passwords used by county officials to access files.
Kemp’s office blamed that breach on Kennesaw State University, which managed the system on Kemp’s behalf.
Associated Press writers Michael Balsamo, Colleen Long and Jill Colvin in Washington and Ben Nadler in Atlanta contributed to this report.