Next Story

‘Broadband deserts’ hinder growth in rural Georgia

Georgia’s voting machines face criticism, but state says they’re secure


Millions of voters have cast their ballots in Georgia using machines that offer a now-common experience: Press the touch screen, record your choice on anything from a local mayoral race to a presidential election.

It is a simple action that belies the complex system that supports it. And it is a system that is under increasing attack.

Georgia’s aging election system has flaws that could be exploited if a malicious hacker ever breached it, experts say. It’s a fear that has escalated with regular news reports about alleged attempts by Russian hackers to meddle in the 2016 presidential election, an issue raised again last week by the release of a leaked National Security Agency document.

There is no evidence Georgia’s more-than-a-decade-old system has been hacked, officials in Georgia and experts say. Georgia has employed an ongoing, multilayered effort to secure the system’s safety and integrity.

Officials here are well aware of the threats that loom on the cyber horizon. Voter confidence in the system is most important to them. But putting in a new, updated one — with its myriad components — would cost tens of millions of dollars.

That day may soon be approaching.

Georgia last overhauled its system in 2002, at a cost of at least $54 million, when it committed to the electronic voting machines that voters use today. They were state-of-the-art then, a nod to the booming use of technology. Still, a number of experts and advocates say the machines are missing an important check-and-balance: paper.

It’s a complaint some have made against the touch-screen system since it was installed.

“A paper ballot is verifiable, created in a secure environment,” said Marilyn Marks, the executive director of the Rocky Mountain Foundation.

She was one of the plaintiffs in a recent lawsuit that tried to force the state to switch to hand-counted paper ballots ahead of the nationally watched June 20 runoff election in Georgia’s 6th Congressional District.

A Fulton County judge dismissed that request Friday, as early voting over the past two weeks has soared to more than 93,000 ballots cast in the district in Atlanta’s northern suburbs in the contest pitting Republican Karen Handel against Democrat Jon Ossoff.

While the lawsuit was dismissed, concerns with the system remain.

“I think this is a serious issue,” Superior Court Judge Kimberly Esmond Adams said during the hearing on the case. “It seems to me the state of Georgia would be well-served to implement a paper ballot audit trail.”

If that happened, it would need buy-in from the the very top of Georgia’s government.

“If people want to change the law, change the system, we can certainly look at doing that,” said Georgia Secretary of State Brian Kemp, the state’s top election official. “I’m certainly open to that, but that’s going to take a lot of money, it’s going to take a big effort. You’ve got to have the governor on board, secretary of state, you’ve got to have the Legislature, and there’s a lot of work.”

“But I do know this,” Kemp added, “our system’s secure. There’s no evidence that our system is not working correctly. … They haven’t been hacked, they haven’t been infiltrated and that’s something that really over the last four years we’ve spent a lot of time working on.”

Cybersecurity/vulnerability

The news three months ago of a potential data breach at Kennesaw State University’s Center for Election Systems raised alarms that for critics of Georgia’s system is still ringing.

As many as 6.5 million voter records were potentially vulnerable in what the Federal Bureau of Investigation later said was a probing of the center’s system by a “security researcher” that broke no federal law. But critics said the incident raised serious questions.

According to top state officials, the center had received a warning before the presidential election that a server system used by its election center may be vulnerable to unauthorized access. The probing incident in early March, they said, was the second contact by the researcher about the problem, although they said it was only the first time they heard of a problem from university officials.

While the center itself is locked to the outside and requires badge access, an incident report about the breach cited concerns inside the center that included an unlocked IT closet and wires plugged into an internet port that had not been documented.

The more than 27,000 machines in Georgia are self-contained and never connected online — not during testing and not during an election. That means they can’t be directly accessed from the outside.

The state says all machines are tested at least five times around elections to show they are working properly and accurately. That’s important, since the operating software used to run the machines is Windows 2000 — software no longer supported by Microsoft.

Access to the machines is limited when they are not in use for voting. They are kept locked, with additional plastic seals affixed to the machines that would need to be broken to get into them.

For critics, however, that doesn’t make the system safe. They say, for instance, someone could indirectly get into the system through a rogue memory card or other device inserted in one of the voting machines.

Critics say, at the very least, the state should run a technical review of the entire system to check for cyber penetration and add preventive measures to protect against both malicious attacks and unintended problems.

State officials cited the consistent testing they do, including both before and after elections. Those audits and tests have to come back clean for the machines to stay in use.

Edward W. Felten, a cybersecurity expert from Princeton University who has studied electronic voting systems, said Georgia is overrelying on the machines’ reporting that everything is fine.

“You’re asking the machine itself whether it has honestly reported the results,” said Felten, who in lab settings has been able to corrupt similar machines with malware that he said would be almost undetectable during regular operation. “My opinion is that the system cannot be safely and accurately used.”

Neither Felten nor others, however, could say whether the system was actually infected. Felten knew of no examples of active attacks on these types of machines currently.

Certification

Merle King, the executive director of Kennesaw’s election systems center, said the system was certified to federal standards when it was adopted in 2002. Those standards were set under 1990 federal guidelines. Kemp, citing certifications the state has issued as recently as 2015, says the system also meets requirements under state law.

Felten said the state’s certification is too old and should be redone to account for updates. He said it is “not generally” common practice to do separate certifications and piece them together.

Paper trail

According to a Reuters analysis last year, about 44 million voters across the nation — or about 25 percent — rely on similar paperless systems, including in Pennsylvania and Virginia.

When Georgia committed to the machines, it eliminated a paper trail of recorded votes. Cybersecurity experts say one way Georgia could mitigate concerns about the machines is by having some sort of paper trail that voters could verify as being correct.

Esmond Adams, the judge, seemed to give credence to this view in her ruling, saying “plaintiffs’ concern that” the direct-recording electronic voting system lacks a way for a voter to verify his or her vote is “legitimate.”

Georgia tried to do that about a dozen years ago, attaching paper spools to the machines as part of a pilot program in three counties. It went poorly enough that the state dropped the idea. Auditing the spools from one precinct took almost six days, Cobb County Elections Director Janine Eveler said. It was, she said, “quite cumbersome.”

That doesn’t mean there aren’t paper ballots in use today, such as absentee ballots voters can request by mail ahead of an election.

But wholesale change in Georgia requires a new system and, as Kemp said, both sign-off from lawmakers and the governor as well as the money to pay for it.

Until then, voters overall appear comfortable casting their votes on the machines — even as some recognize why there are concerns.

“I think that is going to be the issue going forward for the next generations,” said Justina Moore, a stay-at-home mom from east Cobb County who voted Saturday. “That’s a whole new internet piracy thing. It’s going to be a future concern.”

Channel 2 Action News reporter Aaron Diamant contributed to this article.


Reader Comments ...

Next Up in Georgia Politics

The Right reacts to Graham-Cassidy
The Right reacts to Graham-Cassidy

A roundup of editorials Thursday takes a look at the Graham-Cassidy health care proposal. Will the bill strike the right balance between the federal government’s role in health care and what states will be expected to do? Here are some opinions from the Right. From Roll Call: The problem with the Graham-Cassidy plan is lack of momentum. A majority...
The Left slams Graham-Cassidy health care bill
The Left slams Graham-Cassidy health care bill

A roundup of editorials Thursday takes a look at the Graham-Cassidy health care proposal. Despite a heavy agenda, the bill is likely to come up on the Senate floor next week. Here are some opinions from the Left. 1. Cassidy-Graham is attractive in theory. But it has a giant flaw. From The Washington Post: An experiment in democracy is interesting...
Georgia AG gets 53 forms in probe of voter registration group
Georgia AG gets 53 forms in probe of voter registration group

Fifty-three allegedly forged voter applications are being referred to the state Attorney General’s Office for possible prosecution, a decision by the State Elections Board that effectively closes the Secretary of State Office’s 2014 fraud investigation involving an attention-grabbing registration drive by the New Georgia Project. The...
Battle over the fate of Dreamers flares in Georgia
Battle over the fate of Dreamers flares in Georgia

Jaime Rangel vividly recalls the day the letter arrived five years ago in his family’s mailbox in Chatsworth, an event that prompted his mother to burst into tears. A Mexican native who was brought to America as an infant, Rangel learned from the letter that he had been accepted into the Obama administration’s Deferred Action for Childhood...
Georgia AG gets 53 forms in fraud probe of Stacey Abrams' voter registration group
Georgia AG gets 53 forms in fraud probe of Stacey Abrams' voter registration group

The State Elections Board on Wednesday referred 53 allegedly forged voter applications to the Attorney General’s Office for possible prosecution, essentially closing a 2014 fraud investigation involving a massive registration drive by the upstart New Georgia Project.  The decision allows the office to decide whether to prosecute those involved...
More Stories