Georgia Secretary of State Brian Kemp is not at all satisfied with the answers from the Department of Homeland Security to his questions on why a DHS internet address was behind a potential attack on his office’s network infrastructure.
“Quite honestly, I don’t know that they know what happened,” Kemp said in a phone interview. “They’re asking Microsoft for more information on this incident.”
Kemp gave a scathing reaction to DHS Assistant Secretary Philip McNamara’s reply to the letter he sent last week to Secretary Jeh Johnson, which asked whether DHS conducted an unauthorized network scan against Georgia’s network, who conducted it, and what other states were included.
“It kind of gave me the impression of, they think we don’t know what we’re talking about, and they’re moving on,” Kemp said, referring to McNamara as a “political appointee” and “former DNC guy.”
He added, “That’s not satisfactory for me at this point in time.”
Kemp is right: McNamara spent 11 years as a political hack with the DNC before moving to various administrative positions within DHS, including a stint as acting Chief of Staff. His knowledge of IT infrastructure, or even what an IP address is, is certainly open for suspicion.
Getting anything useful at this point from DHS, when all the top office holders are busy packing their offices to get out by Jan. 20, is almost certainly a fantasy. Kemp has reached out to the incoming Trump administration, including Gen. John Kelly, the president-elect’s nominee to head DHS, to get a better handle on exactly what happened.
“Their story has kept changing the whole time, which is the reason I’m asking the Trump administration to look into this,” Kemp said.
With over 2,000 “low-level” events hitting Georgia’s Secretary of State’s system every week, only a few are elevated to “tier 2” for closer examination, according to Kemp. They were not looking for any kind of scans or penetration testing from DHS, which had been offered to states but declined by Georgia. The event came to light because it raised enough flags to the IT staff that they investigated further, tracing the internet address (IP address) back to a DHS network.
“Our ask of the Trump administration is: When Gen. Kelly gets confirmed, and gets in there, that he’ll have a new team that looks at this,” Kemp said. “And be able to explain that to myself and my IT guys where we actually buy into that explanation. And if they do that, I will be satisfied.”
“But right now, we’re not getting that, so I have to keep the option open that maybe something else was going on.” That “something else” could be some bad actor “spoofing” the DHS network and using it to conduct attacks on other systems.
That possibility would not be idle speculation. Back in April 2015, CNN reported that hackers were able to obtain unpublished elements of President Obama’s schedule, by using State Department computers to launch a phishing attack against the Executive Office of the President.
The White House intrusion is said to have been possible because the same group of actors had previously compromised the email systems at the U.S. State Department. Around the same time that officials in the White House noticed suspicious activity, the State Department was also investigating a similar incident.
Investigators told CNN that the actors had “owned” the State Department for months, and it isn’t clear if their access has been completely removed. Given the access, investigators believe that someone at the White House fell for a phishing attack, which resulted in the additional breach.
Kemp is not aware of any other states that have had similar network scans from DHS. “I know if I were another secretary of state and I read about this, I would be checking to see if this happened to myself,” he said.
Kemp said that nobody with the Trump transition team, or Gen. Kelly, has gotten in touch with him at this time. He has also not turned any materials over to the Georgia Bureau of Investigation for criminal investigation or forwarding to the FBI, although his letter to Secretary Johnson cited 18 U.S.C. § 1030 as a prosecutable offense.
What’s clear is that something happened. Someone behind a keyboard, with access to the DHS’s federal government IP address, tried to conduct a scan against the infrastructure of a state-owned network, for the office responsible for elections in Georgia. That someone conducted a scan sophisticated enough that it triggered network intrusion detection and response systems. The intrusion detection system deemed the triggered event severe enough to elevate to IT staff for further investigation.
This is troubling, and DHS’s shrug of a response, first blaming one Microsoft product and then changing the story to another, is not acceptable to the state’s IT people, or to Kemp.
When claims of election-rigging, Russian hacking, and invalid results are being thrown around, we cannot afford to ignore what happened in Georgia just days after the election. If the Obama administration refuses to answer or investigate, then the Trump administration must get to the bottom of it.
We have not heard the last of this story.