MoFo Lawyer Led Push to Warn Georgia of Exposed Voter Data
David Cross, of the firm's Washington, D.C., office, and Atlanta attorney Bruce Brown separately flagged the online flaw for Secretary of State Brian Kemp and the FBI.
November 06, 2018 at 06:21 PM
6 minute read
Morrison Foerster attorney David Cross said he tried to warn Georgia Secretary of State Brian Kemp after a voter discovered an apparent flaw that exposed the state's voter registration database to hackers.
After being tracked down through social media by that voter, Cross contacted Kemp's outside counsel—John Salter Jr. of The Barnes Law Group in Marietta—on Saturday to pass the information along.
The Washington, D.C., lawyer said he also alerted the FBI on Saturday. Meanwhile, the same voter also contacted the state Democratic Party.
“We hoped that Kemp would take it seriously,” said Cross, who represents Georgia voters in an ongoing federal case that seeks a court-ordered return to paper ballots in Georgia.
Cross said he tried to handle the information confidentially. “If there was a vulnerability, we didn't want it shared with the world to exploit. … We wanted it fixed,” he said.
Instead, Kemp—the Republican candidate for governor—released a statement early Sunday accusing the state Democratic Party of attempting to illegally hack the database.
The bombshell prompted Democratic gubernatorial candidate Stacey Abrams to accuse Kemp of abusing his power as the state's chief elections officer by twisting a good faith warning into an alleged crime to bolster his campaign. Polls showed the two candidates in a dead heat on Election Day.
Cross wasn't the only attorney to contact Salter about the potential database exposure.
When voter Richard Wright contacted the Democratic Party last week, its voter protection director alerted cybersecurity experts at Georgia Tech. One of those experts contacted Atlanta attorney Bruce Brown, who represents the nonprofit Coalition for Good Governance that initiated the paper ballot litigation. On Saturday, Brown also contacted Salter to warn him.
“When there is a security vulnerability, what you need to do is close it down before you publicize it,” Brown said. “We know the first thing that Secretary Kemp did is take political advantage of it without any facts, saying the Democrats hacked into the system, and therefore making a political, deliberate decision to advance his campaign at the expense of the security of the election system that he is duty-bound to protect.”
During the course of the paper ballot case, now pending in the U.S. Court of Appeals for the Eleventh Circuit in Atlanta, both attorneys said they became increasingly alarmed by warnings from cybersecurity experts that Georgia's electronic voting system is obsolete, vulnerable to hackers, may have been penetrated by Russian intelligence operative and has no paper audit trail.
In September, District Judge Amy Totenberg concurred. Although Totenberg would not issue an injunction mandating that the state junk its antiquated electronic system in favor of a return to paper ballots by Election Day, she said the system “poses a concrete risk of alteration of ballot counts” that could affect the vote.”
She also said that Kemp and members of the state Board of Elections “had buried their heads in the sand” and were slow to address cybersecurity issues.
Cross said he became alarmed after Wright provided specifics on how the state's online voter registration webpage—where registrants can download a registration card—was “leaking” personal information, including drivers' license numbers, addresses, and the last four digits of voters' Social Security numbers.
In an email to the FBI Saturday, Cross said Wright “didn't do much digging because he was worried about accessing something he shouldn't, and so it's unclear what all is available and whether it's actually not supposed to be.”
Cross said that, when Wright contacted him on Nov. 2, he first consulted with a cybersecurity firm, which quickly expressed similar concerns about apparent vulnerabilities.
“We felt obliged to alert you so that the appropriate federal authorities could investigate and determine whether there is an actual breach or vulnerability here and assess what, if anything, should be done to address this issue before the election,” the lawyer told the FBI.
“Given the ongoing litigation, we also plan to alert the state via their counsel and possibly the court.”
Cross alerted Salter by email on Saturday afternoon and included Wright's contact information. Minutes later, Salter replied in an email, saying he would “pass along” the information. Salter has not responded to texts and calls from the Daily Report.
The FBI confirmed in an email to Cross on Saturday that agents alerted Kemp's office and the U.S. Department of Homeland Security and offered to put the secretary of state in touch with Wright and Cross's cybersecurity firm. By Monday, Cross said neither Wright nor the firm had been contacted by Kemp's representatives.
Cross called Kemp's allegations of Democratic hacking “unfounded.”
“This issue has absolutely nothing to do with the Democratic Party,” he said. “It was raised by a concerned voter who I understand is not affiliated with the Democratic Party, and we took it to the FBI and Kemp's counsel. This is a nonpartisan issue that concerns all [Georgia] voters. The potential vulnerabilities need to be the focus here, not unsubstantiated allegations of a hack apparently intended to distract from the vulnerabilities.”
Wright's additional contacts with a Democratic Party volunteer eventually made their way to Sara Ghazal, the party's voter protection director. Ghazal, in turn, forwarded the information to two professors at Georgia Tech who are cybersecurity experts. One was Wenke Lee—a member of Kemp's SAFE Commission, which was established to evaluate potential new voting systems for the state. The other was Richard DeMillo, whom Kemp's staff consulted in 2007 on cybersecurity issues, according to DeMillo and emails a party spokesman shared with the Daily Report.
DeMillo said Ghazal asked him and Lee for advice, since she didn't have the technical background to make a judgment as to whether the described vulnerability was real.
DeMillo said the information Ghazal forwarded “was indeed a vulnerability.” Because Kemp's office relies on a third-party vendor which also services other states and because of the nature of the vulnerability, DeMillo said the matter “appeared to involve more than just Georgia.” He promptly notified his contacts in the national security community.
On Saturday, DeMillo also connected with Brown. DeMillo has submitted affidavits on the vulnerabilities of Georgia's voting system in the paper ballot case. Like Cross, Brown quickly alerted Salter. He also included Salter's law partner and father-in-law, former Gov. Roy Barnes.
In a news release issued Sunday, Kemp announced the investigation of the state Democratic Party, saying it was based on “information from our legal team” about “failed efforts to breach the online voter registration system.” He said he was also calling in the FBI.
On Monday, Kemp also referred the matter to the Georgia Bureau of Investigation, spokeswoman Candice Broce said. Broce declined to comment further on the record.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Paragraph V Displaced Lathrop': High Court Mulls Sovereign Immunity Waiver Disputes
7 minute readBig Law Practice Leaders 'Bullish' That Second Trump Presidency Will Be Good for Business
3 minute readWhere May Vacancies for Trump Arise? These GOP-Appointed Circuit Judges Qualify for Senior Status
Trending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250