Kennesaw State Embroiled in Controversy over Security of Election Data
November 12, 2017
Judging strictly by how the Center for Election Systems at Kennesaw State University is described on its official website, everything is peachy when it comes to the fact that the center is charged by the Secretary of State with ensuring the integrity of voting systems throughout Georgia.
“The Center maintains an arms-length working relationship with the Secretary of State and the vendor, ensuring both independence and objectivity in its work,” the center states on its website.
But if you ask Marilyn R. Marks, executive director of the Coalition for Good Governance, a university has no business playing such a critical role in the oversight of a state’s election infrastructure.
It’s an argument that Marks says is underscored by the fact that voter data in Georgia was exposed on the Internet for a significant period of time leading up to key elections in Georgia — a fact uncovered by a cybersecurity expert named Logan Lamb, who reported it to the center.
KSU only took action when a second cybersecurity expert — Chris Grayson — found the same security gaps and reported them to Andrew Green, a colleague and KSU faculty member who lectures on information security and assurance, according to a lawsuit filed by Marks’ coalition.
Just days after Marks’ coalition filed the lawsuit against the Center for Election Systems at KSU and other parties, accusing the center of “misconduct, negligence, abuse of discretion,” technicians at the center wiped the election server clean.
“For me, the issue that comes up about the rightful role or not of the university is here we have a university — employees and officials — who are suddenly faced with the knowledge that a very political thing is happening, the presidential election and, of course, all the down-ballot races,” Marks said.
“They know the system is compromised and they’re put in the position of trying to cover it up,” Marks said. “That is no role for a school administration to be in.”
KSU officials say there was no cover-up.
Tammy DeMel, assistant vice president of communications at KSU, provided a statement that downplayed the significance of the fact that technicians at KSU wiped the election server clean. Rather, the statement said, the server had been “repurposed” for “alternative uses.”
DeMel also cited an investigative report from the Secretary of State that indicated KSU “acted in accordance with standard IT procedures without any oversight, permission, or direction from the Secretary of State’s office” when it wiped the server clean.
“The concern that the data was lost is unfounded,” the report states. “Current indication is that the FBI retained an image of the data on those servers as part of their investigation and that it will be available for use in the ongoing litigation.”
The report further states that the media assertion “that the data was nefariously deleted and is no longer available is completely false and without merit.”
The situation at KSU comes at a time when the security of U.S. voting systems is under increased scrutiny. It also comes as investigations continue into Russian interference with the U.S. presidential election of 2016.
The Republican-led U.S. House Committee on Oversight and Government Reform was supposed to conduct a hearing on the cybersecurity of voting machines last week but the hearing was canceled.
The witness list had not been disclosed, and Democratic lawmakers Mark DeSaulnier, D-Calif., and Val Demings, D-Fla., had called on the committee to make sure that the invited witnesses included vendors.
“As vendors of these machines are likely to have the most in-depth knowledge of their strengths, vulnerabilities, and technological developments to harden the critical infrastructure of our elections, we respectfully request that the vendors be invited to testify,” the two Democratic lawmakers wrote to U.S. Rep. Gary J. Palmer, R-Ala., chairman of the House oversight committee.
The situation at KSU seems to be enveloped in politics as well.
Marks raises questions about the fact that KSU is headed by Georgia’s former state attorney general, Sam Olens, a Republican. Olens was the sole candidate for the presidency at KSU when a vacancy was created after his predecessor — Dan Papp — resigned just before University System of Georgia auditors released a report that cited Papp for committing financial policy violations.
“A strange pick is parachuted in,” Marks said of Olens. “Sam Olens, the only person they interviewed, suddenly becomes the head of the university. He doesn’t have any academic training. He’s not an educator.”
DeMel, of KSU, did not respond to the portion of a request from Diverse to give Olens an opportunity to speak.
Cybersecurity experts differ on whether Marks’ arguments against KSU’s role in Georgia’s elections have any merit.
Herbert Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation at Stanford University, says there does not appear to be anything wrong with the agreement between KSU and the Secretary of State.
“I do not think there’s anything suspicious or wrong with the arrangement on its face,” Lin said of the contract, which calls for the Secretary of State to pay some $815,000 to the Center for Election Systems at KSU for its services.
Because KSU is a state institution, Lin said, “You could make the argument that this was just transferring money from one part of state government to another.”
As for the fact that voter data was exposed under the center’s watch, Lin said, “Just because there was a hole in security doesn’t mean that you know somebody exploited it. The fact that there are holes in security means I don’t know if somebody exploited them.”
But therein lies the problem, according to the lawsuit that Marks’ organization brought against the Center for Election Systems. In addition to voter data being exposed on the Internet, the lawsuit argues that Georgia should be using paper ballots — not Direct Electronic Voting machines, or DREs — in case the results of an election need to be audited.
“Because of the insecurity of Georgia’s voting system and the lack of voter-verifiable paper ballots, the precise outcome of the June 20, 2017 runoff election between Karen Handel and Jon Ossoff for Georgia’s 6th Congressional District . . . cannot be known,” the lawsuit states of the contest in which Handel, a Republican, curiously defeated Ossoff, a Democrat, by nearly four percentage points, despite the fact that polls had shown Ossoff narrowly ahead of Handel.
“This uncertainty, which violates the rights of those who cast their ballots, was caused by the Defendants’ misconduct, negligence, abuse of discretion, and noncompliance with the federal Constitution, federal law, the Georgia Constitution and Georgia law,” the lawsuit states.
“It is presently unknown if any party interfered with Georgia’s elections in 2016 or 2017,” the lawsuit continues. But it states that according to then FBI Director James Comey, hackers were “scanning” election systems in the lead-up to the election in the fall of 2016. Subsequent reporting has suggested that as many as 39 states were targeted.
Comey — now the 2017-2018 Gwendolyn S. and Colbert I. King Endowed Chair in Public Policy at Howard University — did not respond to an e-mail request for comment on the case.
Susan Greenhalgh, vice president of programs at Verified Voting — a nonprofit that advocates for “accuracy, transparency and verifiability of elections” — said Georgia should have relied on paper ballots instead of DRE machines that have long ago been scrapped in other jurisdictions because of their vulnerabilities.
Edward Felten, director of the Center for Information Technology Policy at Princeton University, wrote in an affidavit filed in the case that DRE voting machines are vulnerable to software manipulation.
Those vulnerabilities — coupled with attempts by cyber attackers to affect elections in the U.S. — mean stringent precautions would be required to protect the machines used in Georgia, Felten argues.
“In the absence of stringent precautions to find and expel potential intruders in the CES systems, the ability of voting-related systems that have been in the CES facility to function correctly and securely should be viewed with greater skepticism,” Felten stated in his affidavit.
Felten stated further that it did not matter if the machines were connected to the Internet or not. He said the machines could be infected with a virus that would then spread to other machines through memory cards used to transport election and ballot information between machines and central tabulation offices.
“A malicious modification to a DRE’s software would likely cause the DRE to modify ballots silently,” Felten stated. “The modified software could be designed to report on the machine’s display screen, to voters and election officials, that all was well.
“It could also be designed to falsify all of the logs and records kept by the voting machine.”
Greenhalgh said it was also wrongheaded to concentrate so much election data on a server at KSU.
“If you have a security problem at Kennesaw State, that could potentially impact machines all across the state,” Greenhalgh said. The lawsuit also alleges that election equipment stored by the Center for Election Systems was not properly secured.
Several KSU faculty or officials involved with KSU’s agreement with the state — including Donald McGarey, interim vice president for research at KSU, who signed the contract between KSU and the Secretary of State — did not return requests for comment.
Among other things, the lawsuit filed by the Coalition for Good Governance asks a federal judge to void the results of the runoff in which Handel defeated Ossoff and to order a new election.