Morrison Foerster attorney David Cross said he tried to warn Georgia Secretary of State Brian Kemp after a voter discovered an apparent flaw that exposed the state’s voter registration database to hackers.
After being tracked down through social media by that voter, Cross contacted Kemp’s outside counsel—John Salter Jr. of The Barnes Law Group in Marietta—on Saturday to pass the information along.
The Washington, D.C., lawyer said he also alerted the FBI on Saturday. Meanwhile, the same voter also contacted the state Democratic Party.
“We hoped that Kemp would take it seriously,” said Cross, who represents Georgia voters in an ongoing federal case that seeks a court-ordered return to paper ballots in Georgia.
Cross said he tried to handle the information confidentially. “If there was a vulnerability, we didn’t want it shared with the world to exploit. … We wanted it fixed,” he said.
Instead, Kemp—the Republican candidate for governor—released a statement early Sunday accusing the state Democratic Party of attempting to illegally hack the database.
The bombshell prompted Democratic gubernatorial candidate Stacey Abrams to accuse Kemp of abusing his power as the state’s chief elections officer by twisting a good faith warning into an alleged crime to bolster his campaign. Polls showed the two candidates in a dead heat on Election Day.
Cross wasn’t the only attorney to contact Salter about the potential database exposure.
When voter Richard Wright contacted the Democratic Party last week, its voter protection director alerted cybersecurity experts at Georgia Tech. One of those experts contacted Atlanta attorney Bruce Brown, who represents the nonprofit Coalition for Good Governance that initiated the paper ballot litigation. On Saturday, Brown also contacted Salter to warn him.
“When there is a security vulnerability, what you need to do is close it down before you publicize it,” Brown said. “We know the first thing that Secretary Kemp did is take political advantage of it without any facts, saying the Democrats hacked into the system, and therefore making a political, deliberate decision to advance his campaign at the expense of the security of the election system that he is duty-bound to protect.”
During the course of the paper ballot case, now pending in the U.S. Court of Appeals for the Eleventh Circuit in Atlanta, both attorneys said they became increasingly alarmed by warnings from cybersecurity experts that Georgia’s electronic voting system is obsolete, vulnerable to hackers, may have been penetrated by Russian intelligence operative and has no paper audit trail.
In September, District Judge Amy Totenberg concurred. Although Totenberg would not issue an injunction mandating that the state junk its antiquated electronic system in favor of a return to paper ballots by Election Day, she said the system “poses a concrete risk of alteration of ballot counts” that could affect the vote.”
She also said that Kemp and members of the state Board of Elections “had buried their heads in the sand” and were slow to address cybersecurity issues.
Cross said he became alarmed after Wright provided specifics on how the state’s online voter registration webpage—where registrants can download a registration card—was “leaking” personal information, including drivers’ license numbers, addresses, and the last four digits of voters’ Social Security numbers.
In an email to the FBI Saturday, Cross said Wright “didn’t do much digging because he was worried about accessing something he shouldn’t, and so it’s unclear what all is available and whether it’s actually not supposed to be.”
Cross said that, when Wright contacted him on Nov. 2, he first consulted with a cybersecurity firm, which quickly expressed similar concerns about apparent vulnerabilities.
“We felt obliged to alert you so that the appropriate federal authorities could investigate and determine whether there is an actual breach or vulnerability here and assess what, if anything, should be done to address this issue before the election,” the lawyer told the FBI.
“Given the ongoing litigation, we also plan to alert the state via their counsel and possibly the court.”
Cross alerted Salter by email on Saturday afternoon and included Wright’s contact information. Minutes later, Salter replied in an email, saying he would “pass along” the information. Salter has not responded to texts and calls from the Daily Report.
The FBI confirmed in an email to Cross on Saturday that agents alerted Kemp’s office and the U.S. Department of Homeland Security and offered to put the secretary of state in touch with Wright and Cross’s cybersecurity firm. By Monday, Cross said neither Wright nor the firm had been contacted by Kemp’s representatives.
Cross called Kemp’s allegations of Democratic hacking “unfounded.”
“This issue has absolutely nothing to do with the Democratic Party,” he said. “It was raised by a concerned voter who I understand is not affiliated with the Democratic Party, and we took it to the FBI and Kemp’s counsel. This is a nonpartisan issue that concerns all [Georgia] voters. The potential vulnerabilities need to be the focus here, not unsubstantiated allegations of a hack apparently intended to distract from the vulnerabilities.”
Wright’s additional contacts with a Democratic Party volunteer eventually made their way to Sara Ghazal, the party’s voter protection director. Ghazal, in turn, forwarded the information to two professors at Georgia Tech who are cybersecurity experts. One was Wenke Lee—a member of Kemp’s SAFE Commission, which was established to evaluate potential new voting systems for the state. The other was Richard DeMillo, whom Kemp’s staff consulted in 2007 on cybersecurity issues, according to DeMillo and emails a party spokesman shared with the Daily Report.
DeMillo said Ghazal asked him and Lee for advice, since she didn’t have the technical background to make a judgment as to whether the described vulnerability was real.
DeMillo said the information Ghazal forwarded “was indeed a vulnerability.” Because Kemp’s office relies on a third-party vendor which also services other states and because of the nature of the vulnerability, DeMillo said the matter “appeared to involve more than just Georgia.” He promptly notified his contacts in the national security community.
On Saturday, DeMillo also connected with Brown. DeMillo has submitted affidavits on the vulnerabilities of Georgia’s voting system in the paper ballot case. Like Cross, Brown quickly alerted Salter. He also included Salter’s law partner and father-in-law, former Gov. Roy Barnes.
In a news release issued Sunday, Kemp announced the investigation of the state Democratic Party, saying it was based on “information from our legal team” about “failed efforts to breach the online voter registration system.” He said he was also calling in the FBI.
On Monday, Kemp also referred the matter to the Georgia Bureau of Investigation, spokeswoman Candice Broce said. Broce declined to comment further on the record.