Malicious Life Podcast: Election Hacking Part 1

In this episode we’re talking election security in just one state, and depending on which way it leans, could bring the entire electoral college with it. One which, as of this writing, is absolutely, positively, neck and neck for the two major parties. A dead heat. A few votes one way or the other could swing it. In other words: this is the kind of state that cannot afford to be hacked. But might be - check it out...

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.

Election Hacking, Part 1 Transcript

[Ran] Hi, listeners. We’ve got a somewhat unusual episode for you today. Usually, you only hear me on the podcast, while Nate Nelson, our Sr. producer, does most of the heavy lifting behind the scenes. But this episode is going to be a bit different. Since this episode is about the upcoming US elections in November, and it’s pretty obvious that these are going to be important elections – we figured it’d be a good idea to have someone in this episode who’s got a vested interest in the results of these elections. I mean, I’m pretty interested in what’s going on in US politics – but as an Israeli, these elections will probably have a limited impact on my day to day life. That’s why we brought in someone for whom the election’s results will have a real impact on their future.

And one disclaimer before we get started: This episode was published by people of varying political beliefs, and is intended to be non-partisan. If you’re offended by anything we say in the show, please direct all hate mail to Nate Nelson, that’s N-A-T-E N-E…

[Nate] Uhh…

[Ran] His address is 14 East-…

[Nate] …Alright, thanks Ran! I think I’ll take it from here. Hello and welcome to the Malicious Life podcast, in collaboration with Cybereason. I’m Ran Levi.

[Ran] And I’m Nate Nelson. Wait a second…

DECENTRALIZATION
[Nate] To the question of whether the 2020 presidential election could be hacked, there is both good news and bad news. Let’s start with the good news. There is no way to hack an entire U.S. election, in the way one would, say, a corporation. Hacking Yahoo, or Target, or NASA is not necessarily easy, but it is, at least, straightforward. You’re attacking a centralized organization. If you breach their user database, hack their point-of-sale network, or a God account, you’ve done the job.

U.S. elections are decentralized. The federal government helps out, but it happens on the state level. Often, it’s individual districts that choose what voting machines to use. And then you have tiny precincts actually setting up those machines, hosting long lines of voters and counting ballots. These smaller jurisdictions then report up to the state–not Congress, or the White House.

[Ran] So there is no computer network or database you could identify and say “if I take this, I can choose the president.”

[Nate] Right, that’s the good news. Now for the bad news. The president is chosen state by state according to the electoral college. In 2016, for example, Hillary Clinton won a full three million more votes nationwide than did Donald Trump. But she ended up losing the race, because of how those votes were geographically distributed. So if you took just a modest number of votes she received in, say, California, and magically moved them to Ohio and Pennsylvania, or Florida and Wisconsin, or Texas alone, she would’ve won. Do you see where I’m going with this?

[Ran] Not quite.

[Nate] The electoral college opens up an absolutely massive opportunity for hackers. If states choose the president, and they handle their own cybersecurity, you don’t actually have to hack the whole country to sway the whole election–you only need to hack one or two of the right states.

And that brings us to the subject of this episode. Today we’re talking about just one state. One which, depending on which way it leans, might bring the entire electoral college with it. One which, as of this writing, is absolutely, positively, neck and neck. Dead heat. A few votes one way or the other could swing it. In other words: this is the kind of state that cannot afford to be hacked. But might be.

KAREN HANDEL, 2006
[Ran] To understand the root cause of Georgia’s election security problem, we’re going to start in the year 2006, with a woman named Karen Handel.

[Nate] Karen Handel is notable for a few reasons. Firstly, she’s very right-wing. She once claimed to model her politics after Ted Cruz–one of the most far-right members of the Senate. And there was that time she called on Mitch McConnell to step down as Minority Leader of the Senate, because he was too ineffective at pushing the Republicans’ agenda. (For context, Mitch McConnell may be the single most effective Republican Senator in the history of the country.)

[Ran] The second reason Handel is notable is that she cares about cybersecurity, in a way most politicians don’t. When she ran for Georgia Secretary of State in 2006, she made election security one of her campaign issues. Experts had, for years already, been demonstrating that American voting machines were vulnerable. But, like today, most people weren’t paying those warnings much notice. Handel, in making it a talking point, was ahead of her time. And after she won her election, she followed through on her promises, hiring a team of experts to conduct a review of Georgia’s election systems.

INTRO TO KSU
[Ran] It shouldn’t have been too difficult a job. The entire state’s election infrastructure was managed from a single location: at 3205 Campus Loop Road–a pretty, wooded area of a college campus in the northwest suburbs of Atlanta.

The “Center for Election Systems at Kennesaw State University” hardly looked like a powerhouse government center, though. Heck, it hardly looked like a “center.” It was just one building, two stories tall, made of chestnut-brown brick, with a steep shingle roof, tall windows, a backyard, a few single-car garages, and no particular barriers to entry aside from a hotel-style key card reader on the front door.

[Nate] If you were to happen on the place by accident, you’d probably think it’s somebody’s house. Not the epicenter of democracy for one of the most important swing states in the country.

In 2002, the Election Center at KSU was founded in this building. Initially, their task was simple voting machine testing. In 2003, they began designing ballots. In 2005, they took on voter registration. By the time Karen Handel became Secretary of State, there wasn’t an election in Georgia that wasn’t run by the folks working at this place. Therefore, any investigation she made into election security had also to go through them.

[Ran] So the two parties–Handel’s investigative team, and the Election Center–got together at the Secretary of State’s office to go over terms. Quickly, the investigators would be dispossessed of any notion that this was a friendly, homely operation they were dealing with.

Against the wishes of the Secretary of State, the representatives from KSU flatly denied access to any of their machines, their networks or their data. Everything was completely off-limits, for even the least bit of scrutiny. The investigative team’s leader later recounted the feeling in that room to Politico, saying, quote: “It was kind of a contentious meeting. The Kennesaw people just stamped their foot and said ‘Over our dead body.’”

Karen Handel decided not to press the issue. In their final report, her team outlined in great detail all the vulnerabilities in the touch-screen voting machines supplied to the state. But, regarding election management and oversight, there were just two sentences. Quote:

The Election Center at Kennesaw State University fills a key role in Georgia’s statewide election procedures, which makes it a potential target of a systematic attack. We did not have sufficient information to evaluate the security safeguards protecting against a centralized compromise at the state level.

What were they hiding at Kennesaw? A lot, actually. But it would take an entire decade for anyone on the outside to find out.

RUSSIA, 2016
[Nate] Election cybersecurity really only entered the broader American consciousness in 2016, as Russia tampered with the presidential election.

[Ran] In June of that year, two hacker groups–codenamed “Fancy Bear” and “Cozy Bear”–breached Democratic National Committee servers. In August, the FBI disclosed that these same Russian hackers were actively probing voter registration databases in at least a dozen different states. Later, Bloomberg reported that it was, in fact, happening in 39 states. Then the NSA disclosed that state election officials across the country were being actively phished. Basically, Russia was doing to the entire United States what any diligent hacker does to the system they’re about to breach.

A few months later, in March of 2017, news broke that a hacker had breached Kennesaw State University’s Election Center databases. According to reports, the hacker had stolen millions of voter records.

[Nate] And it couldn’t have come at a much worse time, for Georgia at least. In March, 2017, they just happened to be host to the most important political race in the entire country.

OSSOFF VS. HANDEL, 2017
[Nate] The race was for a congressional seat, representing Georgia’s 6th district–an area encompassing Northwest Atlanta, including KSU itself. Now, typically, congressional races don’t make monthslong, national headline news–there are, after all, 435 congresspeople in the United States, each of whom serve terms of only two years. But this race was different.

The Democrat running for the seat was a young man by the name of Jon Ossoff. The reason he got so much attention had to do, largely, with the fact that Donald Trump had been elected president just a few months prior. Ossoff was young, exciting, and had a chance of winning in a Republican stronghold. So, by virtue of circumstance, he became a symbol of the anti-Trump movement. Whether accurate or not, his win would be interpreted in the media as America’s first rebuke of the Trump presidency. His loss, the first endorsement.

And there was one other reason the narrative was being spun in this way: Trump himself had enthusiastically endorsed Ossoff’s opponent–an ultra-conservative named Karen Handel.

So, in summary, we have a tight race, in a swing state, between a new-generation Democrat, and a Ted Cruz Republican, to somehow determine whether America likes Donald Trump. If you’re confused, I don’t blame you. What’s important is that lots of people–even outside of Georgia–really cared about this race. 50 million dollars was funnelled into the campaigns, 40 million in television and radio ads alone. To give you a sense of just how much money that is: the previous all-time record for ad spending in a U.S. congressional race was just 20 million dollars. Half of what we’ve got here.

Now that you understand all this you can appreciate why, when news broke that a hacker had breached the KSU Election Center’s databases, right in the middle of a congressional race, it was very…

[Ran] Unfortunate? Inconvenient?

[Nate] Sure…very inconvenient…for everyone.

INTRO TO LOGAN LAMB
[Ran] Logan Lamb has blonde, wavy hair, and bright blue eyes. Pretty skinny. At 29 years old, Logan moved from a federal cybersecurity lab in Tennessee to a private security firm in Georgia. Right around that time–2016/17–election security was becoming a foremost issue for the country, so he decided to take a look into his new home state’s infrastructure. So, as with any investigation into Georgia election security, he found his way to Kennesaw State University.

He started on the Election Center’s website, poking around for anything interesting. Maybe a nice PDF or two. Soon he came across a password-protected firewall for employee logins. But it was pretty clear that the server hosting the site had been badly misconfigured. Logan recalled, quote: “You could just go to the root of where they were hosting all the files and just download everything without logging in.” End quote.

Logan went around the firewall, expecting to find some inside information about the Center and what it did. But he got a little too lucky.

Kim Zetter–a journalist we had on this show some years back, in an episode about North Korea–recounted Logan’s story in an article for Politico. Quote:

[…] his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.

LAMB’S FINDINGS
When Logan began sifting through his loot, he discovered that the Election Center website was running an old version of Drupal–a content management software. This was a bad sign. In 2014, in a case known as “Drupageddon,” a German security company published a critical vulnerability in Drupal. It was a SQL injection zero-day, which could allow anyone to take control of any website running the CMS. This could mean everything from stealing or tampering with files, to uploading malware. Drupal was later patched, of course. But even though the zero-day, and the patch, had already been publicly available for two years, clearly KSU hadn’t updated. In two years!

And this was just the beginning. Elsewhere in his downloaded files, Logan found the software used to register Georgia voters. He found the software used in preparing ballots and tallying votes, which ran on long-defunct Windows 2000. He found registration records for all 6.7 million voters in the state. And he found the PDFs given to poll workers on election day, to help them sign into KSU’s central server. The PDFs contained not only instructions on how to sign in as a poll worker, but passwords too.

[Nate] Let’s pause there for a moment. Usually, hackers have to concoct elaborate, believable phishing emails in order to steal the permissions which allow them to mask themselves as a legitimate user in a network. Kennesaw State University’s Election Center, by contrast, published all of that information in PDFs, behind a firewall as intimidating as a picket fence.

[Ran] We could go on listing all the other security holes Logan discovered that summer. Suffice it to say that when, in March, 2017, news broke that a hacker had breached the state’s databases, Georgians were massively lucky that it was no Russian but, in fact, a skinny 29-year-old who’d done it while he was out for lunch.

COVER-UP
Once it became clear that he had, in his hands, the material necessary to hack any Georgia election, Logan went directly to Merle King, the executive director of the KSU Election Center. King–who, for those of you following along, looks a bit like Colonel Sanders–thanked Logan through his scruffy white beard and promised to immediately isolate and fix the misconfigured server. But he added one more thing. As Logan recalled, quote:

“He said, it would be best if you were to drop this now.”

King was also kind enough to inform Logan what would happen if he didn’t keep quiet. Quote:

“The people downtown, the politicians…would crush [you].”

CENTRALIZATION
Would the politicians really crush Logan Lamb? Or was Merle King threatening him? Either way, no matter who’s doing the cover-up, we end up with a transparency problem. This was especially problematic for Georgia voters because, as Zetter points out in her article, quote:

Unlike other states, which use a patchwork of voting machine brands and models throughout their election districts—making it more difficult to affect a national election outcome—Georgia uses a uniform system statewide

And unlike most other states that have a decentralized structure for managing elections—machines and ballots are prepared and managed by individual counties—Georgia’s reliance on the center to manage those responsibilities for counties makes it a bull’s-eye for someone wanting to disrupt elections in the state.

In Georgia, everything goes through KSU. That means you need to be really confident in who’s running things there.

[Nate] But what about these people should have inspired any confidence? In 2006, they blocked an honest, state-sponsored investigation meant to assist their security posture. Then in 2007, an independent security expert published a video where he took apart the model of voting machines used across Georgia. In response, Merle King called the expert, and security experts in general, quote, “theoretical scientists.” One of his colleagues called that same researcher a, quote, “idiot.” Now, Merle King was threatening a 29-year-old into shutting up.

There’s a pattern here–a systemic lack of transparency. You’d expect these guys to be fired, or somehow reprimanded for all this, but instead they were heralded nationwide, as a model for other states looking to improve their election systems. Quote:

[…] the center is held up by the federal Election Assistance Commission as a model for election management and implementation of touch-screen voting systems. King and his staff train county election workers in Georgia and are often asked to speak to officials in other states and other countries.

COVER-UP FOILED
[Nate] In the end, Logan Lamb decided not to cross the “downtown politicians,” and kept KSU’s secret. Merle King agreed to fix his janky server, quietly, and everybody–including the state government–would be better off for not knowing the dirty details.

[Ran] And he almost got away with it too. But seven months later, one of Logan’s colleagues visited the hacked website, and found that the Drupal fix had been improperly implemented. Another expert was brought in to take a look, and before long, FBI agents were knocking on the door at 3205 Campus Loop Road.

Over the weeks and months of Spring, 2017, researchers and authorities picked apart KSU’s IT systems. Merle King’s team, it turned out, was running a network completely divested from both the larger university network, and the Secretary of State’s office–put simply, they could do whatever they wished, and their bosses wouldn’t see any of it. They did have the diligence to maintain an offline network, in addition to their online network, in order to deal with sensitive data. But in the very closet where that private network’s equipment was kept, investigators found an internet jack.

[Nate] That’s a bit like finding someone else’s underwear in your spouse’s car–it’s probably there for the reasons you think it’s there.

[Ran] By the end of the summer, at least 40 “critical” vulnerabilities were discovered. 40 critical vulnerabilities. It’s almost counterintuitive–like saying that somebody was shot 40 times in the back. You really only needed 1 or 2 to have a problem.

[Nate] Basically, what this meant, is that for the past 15 years, all of Georgia’s elections had been run on a system about as hackable as a gas station website.

LAWSUIT
[Ran] In the summer of 2017, the Coalition for Good Governance–a non-profit organization–filed a lawsuit in Georgia’s Northern District court. It named the Secretary of State Brian Kemp, the Election Center at KSU, and its Director, Merle King, for having created an unacceptably unsecure, and, crucially, opaque voting system. A voting system which could have easily been hacked, with no way for anyone to tell if it actually was. Quote:

This uncertainty, which violates the rights of those who cast their ballots, was caused by the Defendants’ misconduct, negligence, abuse of discretion, and noncompliance with the federal Constitution, federal law, the Georgia Constitution and Georgia law.

According to the plaintiffs in Curling v. Kemp, the consequences of such uncertainty were not at all uncertain. They were very real, and threatened democracy in the state.

6TH DISTRICT ELECTION
[Nate] Right around this time, Georgia was experiencing that congressional race we talked about. Leading up to election day, the Democrat–Jon Ossoff–was leading in 13 out of 18 polls. His opponent–Karen Handel–was winning in just three polls. They were tied in two. Polls can be off, of course, but the final result was outside most margins of error. On June 20th, 2017, Handel won nearly 10,000 more votes than Ossoff, beating him by a full three and a half percentage points. So yeah, the polls got it wrong. Or maybe, quote:

the Defendants allowed the Special Election to be run on a compromised system [. . .] Because of the insecurity of Georgia’s voting system and the lack of voter-verifiable paper ballots, the precise outcome of the June 20, 2017 Runoff Election between Karen Handel and Jon Ossoff for Georgia’s 6th Congressional District cannot be known.

The plaintiffs were not the only ones questioning the legitimacy of the 6th district race. Hank Johnson, a congressman from Georgia’s 4th district, told reporters, quote:

“I think it’s quite possible that Jon Ossoff won that election and the election was stolen from him.”

It’s important to clarify here: nobody was saying the final vote count wasn’t accurate. They were saying it easily could have been wrong, for one reason or another, and that that was sufficient for taking a closer look.

[Ran] It may sound like a stretch but, to understand where they’re coming from, think of Equifax. Many of you out there had your name, birthday, social security number and more stolen in the Equifax data breach. We don’t have evidence that any of that stolen data has actually been acted upon for malicious purposes. But after you found out about the breach, didn’t you put a freeze on your credit? It was the uncertainty, the prospect that somebody could have manipulated your information, that was enough for you to say: I’m not okay with the risk.

If the 6th district congressional election was run on a broken system, and the results disagreed with almost all the preliminary data leading up to that point, people were inevitably going to have their doubts.

[Nate] Normally, in a case like this, you could do some kind of audit, or recount. But Georgia was one of the few states in the country which didn’t use any form of paper backups–meaning the truth, as deemed by those insecure election machines, was the only truth there was to go by. There was no data to do a recount against. Democrats had tried to fix this months earlier–petitioning the Secretary of State, Brian Kemp, to investigate all the state’s election systems in preparation for the 6th district election. He told them there wasn’t enough time.

So with a broken voting system, a government which had been less than helpful in fixing it, and a statistically improbable election result, the prosecution in Curling v. Kemp decided to make a bold move. They requested that the judge reverse the 6th district election entirely, and do it all over again using paper voting.

[Ran] This was an extreme request. Cancelling an election on the suspicion of possible foul play would be tough to argue.

[Nate] Agreed. But you know what didn’t inspire confidence that everything was actually fine, and extreme measures weren’t necessary? What happened next.

SERVERS WIPED
[Nate] Four days after being named in a lawsuit over their voting systems, on July 7th, 2017, a technician at KSU’s Center for Elections took the server at the heart of the case–the server that had been breached by Logan Lamb, the one needed to analyze the 6th district election results–and wiped it clean.

[Ran] Whoops! According to the Assistant VP of Communications at KSU, this wasn’t what it looked like. The server had merely been, quote, “repurposed,” for “alternative uses.” An order to wipe it had been made months prior. The notion, quote, “that the data was nefariously deleted and is no longer available is completely false and without merit.”

Did prior plans to erase the server justify doing so, once it became primary evidence in a lawsuit?

[Nate] Probably not. But if there was ever any chance of making that argument work, what happened next didn’t help.

About four weeks after wiping the main server, they destroyed the backups. In an internal email, one Election Center employee wrote to another, quote:

“I’m happy to report that the remaining [. . .] hard drives were degaussed three times.”

[Ran] Degaussing, for background, makes “erasing” data seem like child’s play. It is the process of randomizing the very magnetic fields which encode the binary bits on the drive. It is to hard drives what a power washer is for a dirty pavement.

THE END OF KSU
[Nate] Even the Secretary of State, Brian Kemp–the very person whom the lawsuit was directed against–couldn’t stand by any longer. Quote:

The Secretary of State’s office had no involvement in this decision, and we would never direct someone to take such action. [. . .] We will not stand for this kind of inexcusable conduct or gross incompetence. Earlier today, we opened an internal investigation on this new incident at KSU. Those responsible at KSU should be held accountable for their actions.

The plaintiffs in Curling v. Kemp wouldn’t end up getting their re-do election, but they did achieve one, massive victory for voters across the state. From Kemp’s statement, quote:

“We were not asking KSU officials to move mountains, but we would have appreciated some notice that these servers [. . .] would be wiped clean. [. . .] This pattern of reckless behavior is exactly why we are ending our relationship with KSU.”

The Kennesaw State University Election Center, which had lorded over Georgia’s bad elections for 15 years, was finally done for. Its director, Merle King, retired.

TRANSPARENCY
[Ran] Sometimes, secrecy is useful in cybersecurity. Nation-state spies mask their operations in a coat of darkness, to retain an information edge over foreign adversaries. Corporations closely guard their source code, to make would-be hackers’ jobs more difficult.

[Nate] But transparency is absolutely essential to a democratic election system. It is what gives citizens the confidence that their votes count, and are counted correctly.

Georgia is a perfect example of why secrecy and democracy don’t mix. KSU blocked an independent security review in 2006, threatened a young analyst in 2016, and tampered with evidence in a lawsuit in 2017. At every turn, they ensured that the Georgia public would not get to see how their elections were being run. By doing so, they introduced uncertainty. Maybe Logan Lamb was the only person to ever hack their systems in 15 years of operating, but we can’t say. The 6th district congressional election, in all likelihood, wasn’t tampered with, but we just don’t know. If you’re a Georgia voter, your votes over the past two decades have probably counted. But we can’t be certain, because there’s no way to tell.

Closing the Election Center at KSU was the first step towards a more secure, more transparent election system for the voters of Georgia–one they could actually trust to count their votes, and do so correctly.

[Ran] But then one, little twist changed everything.

KEMP MOVES KSU IN-HOUSE
[Ran] Instead of revitalizing and decentralizing Georgia’s elections, Brian Kemp, as Secretary of State, simply moved election oversight from Kennesaw State University into his own office building in the capital. Now the state would be running their own elections. No middle man.

[Nate] And maybe there was some merit to the idea, in a vacuum. But Georgia’s next major race was for governor, and one of the leading candidates was none other than…Brian Kemp. Now, instead of a third party overseeing the elections–however imperfect they may be–Brian Kemp was overseeing his own race–in his own offices, behind closed doors, with no outside auditing whatsoever.

[Ran] What could possibly go wrong?