As lawyers for Georgia's secretary of state argued vehemently last fall that the state's obsolete electronic voting infrastructure was secure from hackers, they failed to mention a warning from the U.S. Department of Homeland Security that Georgia might already be a cyber target. 

“Foreign governments may engage in cyber operations targeting the election infrastructure and political organizations in Georgia and engage in influence operations that aim to interfere with the 2018 U.S. elections,” according to a memo by the U.S. Department of Homeland Security Southeast region addressing “a Georgia Perspective on Threats to the 2018 U.S. Elections.”

The Oct. 2, 2018, memo warned Georgia that “cyber actors and foreign influencers … may intend to disrupt political processes, sway public opinion, or to support or undermine certain political organizations.”

DHS also warned that department analysts had already observed “multiple tactics targeting election-related infrastructure at the local and state level,” including spearphishing, or targeted strikes, and attempted denial-of-service attacks.

But attorneys for state Secretary of State Brian Kemp—then running what would be his successful campaign for governor against Democratic challenger Stacey Abrams—argued in court papers in a pending federal case challenging the state's ballot security that plaintiff voters seeking a return to paper ballots raised “only spectral fears” that the state's electronic voting apparatus “will be hacked and votes miscounted.” The case was brought by the non-profit Coalition for Good Governance and several Georgia voters.

Kemp's counsel—former Georgia Governor Roy Barnes and law partner John Salter—also dismissed hacking alarms raised by academic cybersecurity experts as no more than “a theoretical possibility that a voting machine somewhere might be susceptible to tampering.” Barnes and Salter have stepped down from the case and been replaced by Joshua Belinfante and Vincent Russo of The Robbins Firm and Bryan Tyson of Taylor English Duma. 

The DHS memo warned Georgia election officials that the agency's  Office of Intelligence and Analysis was particularly concerned that foreign actors would employ at least 10 different methods in efforts to interfere with the 2018 election in Georgia. They included:

• Unauthorized entry to polling places or long-term facilities used to store election and voting system infrastructure;
• Attempts to hack voter registration systems, including the state Department of Motor Vehicles and other organizations that registered voters; 
• Attempts to access information technology infrastructure used to manage elections, display results, or for counting or certifying votes; 
• Hacking or spearphishing attempts against the emails or social media accounts of election officials, staff or volunteers; 
• Attempts to hack political party headquarters or candidates' IT systems or websites; 
• Attempts to hack, alter or disrupt infrastructure used to process absentee ballots or attempts to interfere with votes sent through the U.S. Postal Service; 
• Efforts to compromise networks or election-related systems; 
• Disruptions at polling places or training locations that blocked or limited voter turnout, including social media messages and robocalls falsely reporting changed or closed polling locations;
• Disinformation efforts to shut down government websites intended to reduce voter turnout or foment political unrest; 
• Power outages, including internet, cellphone and traffic control outages that would limit access to polling places. 

By the time DHS issued the Georgia warning last October, at least one phishing attempt—an email that purported to have been sent by Moscogee County's election director offering a Walmart shopping opportunity—had been flagged by the secretary of state's office, according to an Aug. 17, 2018, memo to county election officials from the secretary of state elections division director, Chris Harvey. The suspicious email was reported to DHS. Harvey also notified county election officials, warning them it was “imperative” that they remain vigilant and train their staffs to “exercise great care” when opening email, embedded links and attachments.

The state also added a second electronic verification for county election officials accessing ElectioNet, a suite of software programs created and maintained by Connecticut contractor PCC Technology Inc. that undergirds Georgia's online voter registration, election night reporting, poll location data and ballot tabulation software.

That additional security step was added last July—two weeks after a federal indictment secured by special counsel Robert Mueller was handed down accusing 12 Russian military officers of multiple attempts to interfere with the 2016  presidential election. That indictment identified three states, including Georgia, where an indicted Russian intelligence officer and his operatives visited websites. Harvey notified county election officials about “suspected Russian operative activity” in a July 26, 2018, bulletin that the Russians had visited the websites “to identify vulnerabilities.”

The indictment alleged that the Russians accessed websites in two Georgia counties—which were later identified by the secretary of state's office as Fulton County, the state's most populous and most Democratic county, and Cobb County, where until December 2017 the secretary of state housed election registration, ballot building and election management and training programs at Kennesaw State University.

In the July 26 bulletin, Harvey assured election officials, “There is no evidence that either of the county web pages were compromises as a result of this activity.”

“Both web pages showed general, public information about elections.” And, he added, “The federal government does not have information as to what actions the operative took in order to 'identify vulnerabilities,' but they assume that the operative was conducting research designed to assist future potential operations—for example, looking for email addresses to conduct spear phishing campaigns or attempting to understand what specific technology or processes are used in our election system.”

Harvey concluded: “Georgia's election systems remain secure.”

By then, information had surfaced in court papers that before the secretary of state's contract with KSU was terminated in 2017, a cybersecurity expert discovered in August 2016 that confidential voter and election information housed at the university's Center for Election Services was publicly accessible via the internet.

In an order issued last September, U.S. District Judge Amy Totenberg took note of cybersecurity expert Logan Lamb's testimony that he “was able to access key election system files, including multiple gigabytes of data and thousands of files with private elector information.”

That information included voter driver's license numbers, birth dates, home addresses, and the last four digits of their Social Security numbers.

Lamb also accessed at least 15 counties' election management databases to create ballots, program individual electronic voting machine memory cards, tally, store and report all votes, Totenberg's order said. She also noted that Lamb discovered he could access passwords polling place supervisors used to program and operate the individual voting machines.

Lamb immediately alerted the center's executive director. Six months later, following the 2016 election, Lamb discovered that the state apparently had taken no remedial action and the databases he had accessed the previous summer were still publicly accessible online, Totenberg's order said.

Despite those alarms, Kemp and Raffensperger have repeatedly dismissed alarms about foreign hackers. The DHS warning was never publicly circulated. But warnings it contained are reflected in complaints about significant flaws in the 2018 election that caused Democratic gubernatorial candidate Stacey Abrams to refuse to concede the race to Kemp, whom she said used his post to engage in massive voter suppression to benefit his own campaign—something Kemp has repeatedly denied.

Following the election, Abrams founded a nonprofit organization that has filed its own federal lawsuit seeking sweeping changes in Georgia elections and called for a return to preclearance of any electoral changes that were formerly required by the Voting Rights Act of 1965 but eliminated by the U.S. Supreme Court in 2013.

The suit by Fair Fight Action and multiple predominantly African American churches claimed that the 2018 election was marred by many of the alleged practices that DHS warned that Russian hackers might undertake. They included:

• Georgia voters who had registered to vote but were informed when they arrived at the polls that their names were not on precinct lists of registered voters included in electronic pollbooks, including those who had voted at the same polling place for years; 
• Family members who lived in the same house and used the same address when registering to vote were told at the polls they would have to vote in different precincts; 
• Georgia residents who registered to vote when applying for or renewing their state driver's licenses who were told they were not registered;
• Malfunctioning voting machines in some busy precincts that led to long lines where voters sometimes were forced to wait as long as four hours; 
• Absentee ballots that were sent out late, arrived late or returned as undeliverable even though the ballots were mailed in envelopes supplied by county election officials; 
• An “exact match” law requiring that all information contained on a registrant's voter registration form must exactly match a registrant's personal information on the state's driver's license database and federal Social Security database or registrations were rejected which resulted in rejections based, at times, on typographical errors, misplaced spaces and punctuation of voter names.
• Ballots that were cast for Abrams registered as votes for Kemp;
• An as yet unexplained dropoff in the number of votes for the Democratic candidate in the lieutenant governor's race that was reflected only on electronic votes cast but not on hundreds of thousands of absentee ballots cast in the race.