Election hacking suit over Georgia race could be sign of what's to come

SAN FRANCISCO — First elections, then probes into hacking. Now, the lawsuits over election hacking.

A group of Democrat and Republican voters in Georgia is suing the state to overturn its fiercely fought June special election, saying evidence the state's voter database was exposed to potential hackers for at least eight months invalidates the results. The lawsuit, which went to pre-trial conferences this week, could be a sign of disputes to come as revelations mount about the vulnerability of the U.S. election system and Russian attempts to infiltrate it. 

"As public attention finally starts to focus on the cybersecurity of election systems, we will see more suits like this one, and eventually, a woke judge will invalidate an election," said Bruce McConnell, vice president of the EastWest Institute and former Department of Homeland Security deputy undersecretary for cybersecurity during the Obama administration.

Georgia's June special election to fill a Congressional seat vacated by Tom Price, who left to become President Trump's health and human services secretary, was the most expensive House race ever. Democrats nationwide pumped $23 million to back candidate Jon Ossoff while President Trump stumped for Republican Karen Handel, pointing to her win as proof of his campaign's popularity.

Plaintiffs argue the disclosure in August 2016 by Logan Lamb, a Georgia-based computer security expert, that much of Georgia’s voting system was inadvertently left out in the open on the Internet without password protection from August 2016 to March 2017 should make the results moot.

What's more, Georgia's use of what the plaintiffs say are insecure touch-screen voting computers, which they claim don't comply with Georgia state requirements for security testing, means the election results couldn't legally be certified, they say.

“We hope that this case serves to vindicate the Constitutional rights of the voters in Georgia and sheds a light on the very serious national issue of the vulnerability of electronic voting systems to manipulation and mischief,” Edward Schwartz, a partner with Steptoe & Johnson, a Washington, D.C. law firm that joined plaintiffs on a pro bono basis this week, told USA TODAY.

The suit comes at a highly charged time for election officials nationwide due to heightened awareness over the vulnerabilities of the U.S. election system after Russia attempted to influence to the 2016 election. According to the FBI, as many as 39 states had their election systems scanned or targeted by Russia. Whether Georgia was one of them isn't known, but Georgia did decline an offer the Department of Homeland Security made to all states to help secure election systems prior to the 2016 presidential election. 

At the time, Georgia Secretary of State Brian Kemp told the news site NextGov, "The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security."

Nationwide, election officials are just getting a grasp of how, via malicious acts or inadvertent mistakes, parts of the voting apparatus are vulnerable to interference. Last week  the Chicago Board of Election Commissions said that the names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters was left publicly available online by a third-party election company  for an unknown period of time.

The Georgia special election suit is the second time the Charlotte, N.C.-based Coalition for Good Governance, a nonpartisan non-profit that is organizing the Georgia suit, has attempted to have the state's voting system declared vulnerable. The first suit, filed in June, was dismissed when a judge found that there was no evidence that the machines had malfunctioned or produced incorrect results. 

Georgia's election officials say results of the House race are valid and will hold up in court. 

“This issue has already been litigated. This group’s last lawsuit was tossed out and their claims found to be meritless,” said Candice Broce, spokeswoman for Georgia Secretary of State Brian Kemp.

Voting system exposed

The exposure of Georgia's election system came about when Lamb, an engineer at security company Bastille Networks, was concerned about news reports on Russian probes of the U.S. state election system and so decided to look into the work of the Center for Election Systems at Kennesaw State University in Georgia, which oversees the state's electronic election infrastructure.

More:Sen. Mark Warner: More state election systems were targeted by Russians

More:Timeline: Key moments in the FBI probe of Russia's efforts to influence the 2016 election

More:Hackers plan to break into 30 voting machines to put election meddling to the test

When Lamb went to the center's website, he found that much of Georgia's election management system was accessible, not even requiring a password, due to a misconfiguration of the server. That included instructions and passwords for election workers to sign in to the state's Global Election Management Systems database, a database that contained information about all the state's registered voters as well as information about how to update county voting systems using memory cards.

Despite his and others' warnings, the system was not properly protected off until March 1, 2017. Two days later, the FBI took possession of the Center's computer servers for analysis. The agency declined to comment on whether that analysis was complete or what it found, it told USA TODAY.

Older voting machines

Then there's the matter of the voting machines. The suit's plaintiffs want the state — besides overturning the election — to switch to a paper ballots-based voting system that can be audited. They argue Georgia's use of touch-screen voting machines (known as direct-recording electronic machine or DREs) does not meet the requirements of state law, which requires that they can be certified as safe and accurate, because of their age and insecurity.

In 2006, computer security researchers at Princeton University showed they were able to hack into the AccuVote TS, the primary voting machine used in Georgia today, in just four minutes, infecting a single machine with malicious software that could spread to machines across the voting network. Since that research, California, Maryland and North Carolina have all ceased using these machines and the software that runs them.

“Every single independent study that’s been done on the machines found significant vulnerabilties. These are not well-engineered machines, and their design is bad because there’s no way to check on results — there’s no way to know if what the computer thinks the voter chose is what the voter actually chose,” said Barbara Simons, president of the board of Verified Voting, a non-partisan, non-profit organization that advocates for elections accuracy.

Georgia officials are adamant that their election system is not vulnerable to hacking. "With millions and millions of votes accurately cast and tabulated, Georgia’s battle-tested voting equipment has earned voters’ confidence, said the state's Broce. 

But they face a new challenge for the November election. 

The suit's organizers plans to file a motion for a preliminary injunction against the use of the voting computers scheduled to be used statewide in Georgia’s upcoming municipal elections, said Marilyn Marks, executive director of the Coalition for Good Governance.

Bellwether election hacking suit

If the Georgia special election suit is successful, it would be what election experts believe is only the second time an election was overturned due to voting computer issues. The first such case came in 2011 in Fairfield Township, NJ., where a computer programming error gave votes for one set of candidates to their opponents. In that case a superior court judge ordered a new election.

The idea that someone might hack into or otherwise access election equipment in order to sway the outcome of an election has always been hypothetical, something academics and civil libertarians discussed but not something that the general public, or courts, particularly worried about. That’s now changed and this case signals a shift in attitude, said Joel Reidenberg, a law professor and expert on election law at Fordham University.

“In the light of the news we’ve seen in the past few months of the Russian attempt to hack our election, courts are going to be a little more sympathetic to concerns over the security over our voting mechanism. In the past it’s been hypothetical — now we have some real life examples,” he said.

Whatever the outcome of the Coalition for Good Government case, Georgia is beginning to consider alternatives.

While replacing the state's voting machines would be an expensive process and would require buy-in from the state’s General Assembly and its governor, the state is conducting a pilot project in Rockdale County for November’s municipal elections, said Broce. It will use voting equipment that created a verifiable and auditable paper trail, she said.

More:Info on 1.8 million Chicago voters exposed on Amazon server

More:Hackers plan to break into 30 voting machines to put election meddling to the test

More:Congress hears sinister tale of Russia election meddling