LULU GARCIA-NAVARRO, HOST:
There are new developments in a legal fight over the security of Georgia's election server. This past week, an election security expert said he found evidence the server was tampered with in 2014. The allegation was contained in an affidavit filed as part of a lawsuit brought by election integrity activists seeking to bar Georgia from using its paperless voting machines.
Marilyn Marks is the executive director of the Coalition for Good Governance, one of the nonprofit groups behind the lawsuit. We talked about the implications of a breach of the election server.
MARILYN MARKS: The reason this is so concerning is because while it appears that the malicious attacker got in in 2014, they could have clearly stayed in quite a long time. This server was not shut down until the end of 2017. But the records that were on that server - and these would be millions of records. This would have been the hub for all of Georgia's elections. Those millions of records could have been, certainly, infiltrated. And then as copies of those records were removed from the server to put on new applications, they could have carried with them malicious code. There is still quite a lot we don't know. But there is no reason to believe that anything that an attacker did in 2014 and beyond is not still present in the system.
GARCIA-NAVARRO: Could these malicious actors have actually changed people's votes?
MARKS: Unfortunately, yes. The reason is that on this central server, it was the mothership. It was the hub of all things elections in Georgia. And every single one of the 30,000 voting machines that are used in Georgia was programmed from that central server. So yes, they could've changed votes. Do we have any evidence of that? Not at this point. We will certainly be wanting to find out.
GARCIA-NAVARRO: This sounds like an enormously problematic breach. Who was responsible for the server's security?
MARKS: The secretary of state's office has run that particular operation. It's called Center for Election Systems. At the time of the breach, it was located at Kennesaw State University. It was operated as a little satellite organization that was really under the control of the secretary of state's office. After the breach and then after an explosive event when we sued them and then they deleted all of their files, then there was such a public outcry that that contract was canceled, and all of the work was moved back to the secretary of state's office but under the direction of the same managers.
GARCIA-NAVARRO: What does this mean for the 2020 presidential election? How can Georgia audit its vote if it needs to?
MARKS: Lulu, it cannot. And it's not just the presidential election that's at risk because Georgia programs every single machine centrally. It is the U.S. senatorial elections - and as you know, Georgia has two senators up in the election this year - mayors, county commissioners and then all the way up to the presidential office. None of those elections will be able to be audited.
The secretary of state has chosen a new system. They've spent over a hundred million dollars on it. It is absolutely as vulnerable, if not more vulnerable, according to many experts, than the old system that we're talking about. So not only could the old malware have been transferred into the new system in various places, but the fact that it cannot be audited is really troublesome.
GARCIA-NAVARRO: So you're saying, bottom line is that Georgians can't be confident about their vote in 2020 unless some things change. What are those things?
MARKS: What needs to change is really simple, Lulu. What needs to change is that paper ballots marked by hand by all those who are able have them counted using a optical scanner and then have audits done. The state should not be putting an electronic screen between the voter and the ballot. And then with an audit, they could be virtually 100% sure that the vote was what reflected the will of the people.
GARCIA-NAVARRO: That's Marilyn Marks, executive director of the Coalition for Good Governance. Thank you so much.
MARKS: Thank you, Lulu.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.