Georgia governor's race roiled by election security charges
Bill Barrow and Frank Bajak, The Associated Press
Published Monday, November 5, 2018 11:17AM EST
Last Updated Monday, November 5, 2018 5:58PM EST
ATLANTA -- The bruising race for governor of Georgia has been roiled by unsupported, eleventh-hour allegations from Republican candidate Brian Kemp, who is also the state's chief election official, that Democrats sought to hack the voter registration system.
His Democratic opponent, Stacey Abrams, said he is making a baseless accusation to deflect attention from an apparently severe security flaw in the system Kemp is responsible for overseeing.
Here's a look at the dispute, how it unfolded and what's at stake.
Kemp asked the FBI on Sunday to investigate the Democratic Party, accusing it of trying to hack the system he controls as secretary of state. He offered no evidence in support of his request for a probe of the opposition.
The FBI declined to comment.
Kemp levelled the allegation after an attorney for election-security advocates notified the FBI and Kemp's office on Saturday that a private citizen alerted him to what appeared to be a major flaw in the database used to check in voters at the polls.
Independent computer scientists told The Associated Press that the flaw would enable anyone with access to an individual voter's personal information to log on to Georgia's MyVoter registration portal and alter or delete any voter's record, potentially causing havoc.
THE DEMOCRATS' RESPONSE
Abrams on Monday called him a "bald-faced liar" who cooked up the allegation to deflect attention from his record of incompetence as secretary of state presiding over an antiquated, vulnerability-laced elections system.
"There was never a hack," she told a gathering at a Savannah union hall. "What was wrong is that he failed to do his job. He is abusing his power."
The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.
Polls suggest Kemp and Abrams are locked in a tight race in a contest that has taken on historic significance because Abrams could become the nation's first black female governor.
She has accused Kemp of using his post as secretary of state to make it harder for certain voters to cast ballots. Kemp has countered that he is following the law and that Abrams and advocacy groups are trying to help noncitizens and others cast ballots illegally.
Last month, a federal judge endorsed plaintiffs' arguments that Kemp has been derelict in his management of the state election system and that the setup is lacking in reliability.
The atmosphere has left partisans and good-government advocates alike worrying that the losing side will not accept Tuesday's results.
HOW THE LATEST ALLEGATION UNFOLDED
According to AP interviews and records released by the Georgia Democratic Party, a lawyer for election-security advocates, David Cross, notified both the FBI and Kemp's counsel Saturday that a citizen had alerted him to the flaw.
The citizen also separately informed the Georgia Democratic Party, whose voter protection director then sent an email to two Georgia Tech computer security experts, one of whom sits on a commission created by Kemp.
"If this report is accurate, it is a massive vulnerability," wrote the director, Sara Tindall Ghazal.
The online news outlet WhoWhatWhy obtained copies of some of the correspondence and published a story about the system flaw on Sunday -- just as Kemp's office issued the first of two statements accusing Democrats of a "failed cyberattack."
That statement -- bereft of specifics -- remained prominent on his office's main web page late Monday afternoon.
Four security experts independently confirmed to the AP that the voter registration site is highly vulnerable to hacking.
They said they could not duplicate the worst vulnerability identified by the "private citizen" because that would require illegal tampering. But they said the flaw would let any user logging onto the system to access and alter the records of anyone in the system.
The experts were also able to identify additional flaws. One would allow an attacker to inject malicious code into the voter registration site that could spy on visitors or steal or alter data. Another flaw: The site lacks "URL sanitizing," standard code for preventing infections from visitors.
"This is the easiest part of an assignment that we give to undergrad students in a security class. It's unbelievable how they didn't do this," University of Michigan computer scientist Matthew Bernhard told the AP.
Another computer expert who reviewed the vulnerability, Kris Constable of PrivaSecTech in Vancouver, Canada, said the system "clearly has never been audited by any computer security professional."
During a campaign stop Monday, Kemp acknowledged "a potential vulnerability that we found about" but insisted without offering details that the state's election systems are secure.
GEORGIA'S PAST PROBLEMS
The state is one of just five that continue to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don't leave a paper trail that can be audited in case of problems.
In 2015, Kemp's office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.
His office made headlines again last year after security experts disclosed a gaping security hole that wasn't fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia voters -- 6.7 million at the time -- as were passwords used by county officials to access files.
Kemp's office blamed that breach on Kennesaw State University, which managed the system on Kemp's behalf.
Associated Press writers Michael Balsamo, Colleen Long and Jill Colvin in Washington;Russ Bynum in Savannah, Georgia; and Ben Nadler in Atlanta contributed to this report. Bajak reported from Boston.