Georgia Secretary of State Brian Kemp set off a political firestorm when his office, two days before an election in which he is a candidate, announced on Sunday morning that it had opened an investigation into the Georgia Democratic Party in connection with what it described as an attempted hack of the state’s voter registration system.
But that initial advisory lacked key details about how Kemp’s office was made aware of potential security vulnerabilities in the state’s electronic voter information page, which the secretary of state oversees. A series of email chains obtained by CNN indicate that, rather than taking part in any alleged “hack,” the Georgia Democrats had simply passed along information regarding security concerns from a concerned voter to a private cybersecurity firm, which in turn shared its concerns with Kemp’s office.
Democrats in the state have vehemently denied the allegations from Kemp’s office, which also raised fresh criticism of Kemp’s dual role as both the Republican nominee for governor and the state’s chief election official.
“It’s wrong to call it an investigation,” Democratic gubernatorial nominee Stacey Abrams told CNN on Monday. “It’s a witch hunt that was created by someone who is abusing his power.”
Kemp will face off against Abrams on Tuesday in the state’s high-profile and close race for governor. Democrats and advocacy groups have previously argued that Kemp has a conflict of interest in overseeing an election he is also running in, and some have called on him to resign.
The latest controversy began with an early morning announcement from Kemp’s office claiming there had been a “failed attempt to hack the state’s voter registration system” and that the secretary of state’s office has opened an investigation “into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018.”
The bulletin provided no evidence for the claims.
Later Sunday, however, CNN obtained a series of emails the Secretary of State’s office said led it to level the accusations of hacking into its voter registration system by the Georgia Democratic Party. The emails refer to findings by a voter who said he had discovered potential vulnerabilities in the state’s voter information page and its online registration system.
That voter, Richard Wright, took his concerns to the Georgia Democratic Party’s voter protection hotline to alert authorities, according to his lawyer, David Cross. Cross told CNN Wright is not affiliated with any political party and does not want to speak to any media right now. He also said that Wright has some software background, but is not a hacker.
According to Cross, Wright – the voter whose findings prompted accusations of attempted hacking – was looking up his own registration information on the state’s My Voter Page when he discovered he could access other people’s information too. The system, he found, doesn’t verify who’s making the query and, for that reason, it appeared to him that voters’ private information could be accessed and that voter registrations could even be edited by anyone on the site.
Wright went over his concerns with Cross, who has battled with Kemp over similar issues before, including a 2016 lawsuit that alleged cyber security vulnerabilities in Georgia’s voting system, at 3 p.m. on Friday. Unclear on the implications of what Wright had found, Cross brought in a cyber security firm to look at the website. While that firm couldn’t verify the vulnerability either, they too saw a potential for concern, Cross told CNN.
“If Richard Wright had never contacted the Democratic Party on Saturday morning,” his lawyer, David Cross, told CNN, “no one would be talking about the Democratic Party. It’s only because Wright alerted them that Kemp draws it back to them.”
Candice Broce, the spokeswoman for the Secretary of State’s office told CNN on Sunday night that there were no vulnerabilities in the system, said the system is secure and that representatives from Kemp’s office were meeting on Monday with authorities of the Georgia Bureau of Investigation, FBI and Department of Homeland Security. The federal agencies, she said earlier, had been immediately alerted of her office’s concerns.
“The State of Georgia has notified us of this issue. We defer to the State for further details,” a DHS official said in a statement to CNN. The FBI declined to comment.
Abrams told CNN on Sunday night that she believed Kemp had lied to voters over the seriousness of what had been discovered.
“Brian Kemp once again is trying to cover up for his failures in cybersecurity by blaming someone else,” she said. “We have nothing to do with this and I’m sad that instead of owning up to his responsibility, he’s once again misleading Georgia.”
Her remarks echoed what the state party had said earlier in the day, when it called the allegations “another example of abuse of power” by Kemp.
“This political stunt from Kemp just days before the election is yet another example of why he cannot be trusted and should not be overseeing an election in which he is also a candidate for governor,” the state party’s executive director, Rebecca DeHart, said in a statement.
In the emails obtained by CNN, there is an exchange between a volunteer in the party’s voter protection program and its director in which they refer to findings by a voter – Wright – who said he had discovered potential vulnerabilities in the state’s voter information page and its online registration system.
The emails refer to an attachment that Kemp’s office said was computer programming code. Kemp’s office received the chain of emails from a representative of a cybersecurity expert who the Georgia Democratic Party asked to evaluate the potential vulnerabilities. The expert noted the computer programming code was possibly tantamount to “a massive vulnerability.”
CNN has not viewed the code.
As his office’s accusations began to circulate, Kemp’s campaign lashed out at Democrats for “trying to expose vulnerabilities in Georgia’s voter registration system.”
Before the details of how Kemp’s office became aware of the specific concerns were made public, Abrams, the state’s former House minority leader, told CNN’s Jake Tapper on Sunday morning that any investigation now was an attempt to distract voters two days before the election.
“I’ve heard nothing about it, and my reaction would be that this is a desperate attempt on the part of my opponent to distract people from the fact that two different federal judges found him derelict in his duties and have forced him to accept absentee ballots to be counted and those who are being held captive by the exact match system to be allowed to vote,” Abrams said Sunday on “State of the Union.”
“He is desperate to turn the conversation away from his failures, from his refusal to honor his commitments and from the fact that he’s part of a nationwide system of voter suppression that will not work in this election because we’re going to outwork him, we’re going to out vote him and we’re going to win,” she said.
Democrats and advocacy groups, including the American Civil Liberties Union, have accused Kemp of using his position to suppress the minority vote through purges of the voting rolls and what they have described as an overzealous enforcement of already strict laws.
A federal court issued an injunction barring the state from rejecting absentee ballots whose signatures don’t directly match those on voters’ registration. An appeals court declined Kemp’s request to end the injunction late last week.
Kemp has denied those allegations and, when asked during a debate last month, said he would not recuse himself in case of a recount. Recent polling finds the candidates in a dead heat. If neither wins an outright majority, there will be a runoff on December 4.
Concerns over Georgia voters’ information security are not new. Kemp has been accused in a federal lawsuit of failing to safeguard his state’s voting system as secretary of state and allowing a massive breach in 2015 that exposed 6 million registered Georgia voters’ records and other sensitive election information.
Marilyn Marks, executive director of the Coalition for Good Governance and a plaintiff in the suit, said in August that it remained unclear if Georgia’s election system was infected with malware or potentially breached by foreign hackers.
The coalition’s lawsuit sought to force the state to implement paper ballot-based voting so results could be audited. Georgia is one of only a handful of states that currently use voting machines statewide without paper trails.
Kemp responded by assuring that Georgia’s voting equipment “remains accurate and secure” and that the “hysteria” behind pressuring Georgia to switch to a paper ballot system is based on “misinformation.”
CNN’s Adam Levy, Jason Hoffman, Alex Marquardt and Drew Griffin contributed to this report.