In December 2016, Georgia secretary of state Brian Kemp accused the Department of Homeland Security of attempting to hack his office’s systems, which include the Georgia voter registration database. Six months later, the DHS inspector general concluded that the allegations were unfounded; someone on a DHS computer had simply visited Georgia Secretary of State website. Now, two days before an election in which Kemp himself is the Republican candidate for governor, he has levied similarly unsupported charges—this time against his democratic opponents.
The Georgia Secretary of State’s office released a short statement on Sunday morning that it had opened an investigation into the Democratic Party the previous evening, “after a failed attempt to hack the state’s voter registration system.”
The Democratic Party of Georgia sharply denied the accusations in a statement to reporters. “Brian Kemp’s scurrilous claims are 100 percent false, and this so-called investigation was unknown to the Democratic Party of Georgia until a campaign operative in Kemp’s official office released a statement this morning,” wrote Rebecca DeHart, executive director of the state’s Democratic Party. “This is yet another example of abuse of power by an unethical Secretary of State.”
Kemp’s office said it has alerted DHS and the FBI. A DHS official told WIRED in a statement that, “The State of Georgia has notified us of this issue. We defer to the State for further details.” The National Association of Secretaries of State declined to comment on state-specific investigations.
While anything is possible, Kemp’s claims seem unlikely on their face, especially when you parse what little information his team has provided. “We opened an investigation into the Democratic Party of Georgia after receiving information from our legal team about failed efforts to breach the online voter registration system and My Voter Page,” his office said in a statement. “We are working with our private sector vendors and investigators to review data logs.”
A legal team seems like a surprising source for the discovery of a hacking attempt, and the fact that security teams then began reviewing the logs makes whether any suspicious activity was actually seen an open question. Kemp’s office did not provide any information about the alleged attack, or when it purportedly occurred.
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” Georgia secretary of state press secretary Candice Broce wrote in a statement. Not sharing details of an investigation is a common practice, but that supposed restraint apparently did not apply to the direct, vocal accusation of Kemp’s Democratic opposition.
In his dual role as Georgia secretary of state and gubernatorial candidate, Kemp wields tremendous influence and faces monumental conflicts of interest. Over the past year, for instance, Kemp purged more than a million voters from Georgia’s rolls and has backed restrictive voter ID laws. On Friday, a federal judge determined that Kemp’s “exact match” policy, which required that a voter’s name on the roles perfectly mirror that on their identification, was likely to infringe on voting rights, and issued a preliminary injunction allowing impacted people to simply show proof of citizenship to a poll worker before voting.
Under Kemp’s watch, Georgia is also one of only five states that still uses electronic voting machines that do not generate a voter-verified paper backup—meaning there is no auditable alternative accounting of votes aside from the digital record. Kemp has resisted finding the funding to replace the machines, and was one of only about 11 top election officials who declined assistance from DHS to secure election infrastructure in the wake of the 2016 presidential election. Georgia’s digital election infrastructure has had numerous vulnerabilities and data exposures while Kemp has been in charge.
“There are already allegations that the Georgia voter registration page is vulnerable to attack and data is vulnerable to modification,” says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. “Instead of dealing with the potential fallout of that, Kemp is redirecting his administration’s failure to secure state infrastructure to his opponents.”
In his own preliminary evaluation of Georgia’s voter registration system, Williams says he found numerous signs that the system is badly coded and may be poorly secured. He did not download or alter data or probe the site, and simply reviewed publicly accessible information.
Indeed, it seems within the realm of possibility that Kemp has conflated concerns about vulnerabilities with actual hacking. A report from WhoWhatWhy on Sunday detailed a memo from the Democratic Party of Georgia that outlined flaws in the state’s voter registration system. If Democrats had actually tested those flaws without permission, they would have run afoul of the Computer Fraud and Abuse Act. But plenty of third-party security researchers have identified issues with Georgia’s voter registration system without actively testing them.
Kemp’s opponent in the Georgia gubernatorial race, Democrat Stacey Abrams, told CNN’s State Of The Union on Sunday that Kemp’s office’s hacking accusations are “a desperate attempt…to distract people from the fact that two different federal judges found him derelict in his duties and forced him to allow absentee ballots to be counted and those who are being held captive by the exact match system be allowed to vote.”
Meanwhile, Kemp has plastered the accusations on the front of the Georgia Secretary of State website, where state residents also go to find voting information. And the Kemp for Governor campaign issued a parallel statement about the accusations of voter registration service hacking. “In an act of desperation, the Democrats tried to expose vulnerabilities in Georgia’s voter registration system,” the campaign wrote. “Thanks to the systems and protocols established by Secretary of State Brian Kemp, no personal information was breached.”
The Georgia Secretary of State’s office did not specifically accuse Democrats of attempting to penetration test the voter registration system to reveal flaws. It is also unclear why the party would attempt to steal voters’ personal information in the first place, given that the Georgia Secretary of State’s office will send it—minus Social Security numbers and driver’s licenses—to any member of the public who requests it. It costs $250.