April 29, 2024
A serious cyberattack on Coffee County was detected this month. The news broke over the weekend with Cyberscoop and CNN reports on Friday night that malicious actors attacked Coffee County’s countywide information system. No one can yet realistically assess the damage and risks, although officials have issued their usual overly optimistic “all is well” assurances.
Several days ago, we heard rumblings from CGG members in Coffee about malfunctioning websites and sketchy answers from the Election Office about the operation of the voter registration system. We poked into inoperable Coffee County websites. We filed public records requests with Coffee County, only to get misleading responses from the county attorney that records storage was indefinitely “down for maintenance.”
We alerted reporters, and enough pressure was exerted to extract a few facts from Coffee County and Secretary Raffensperger’s office: that a cyberattack had occurred, and that the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA) had notified Coffee officials on April 15. It apparently took days before the county officials would acknowledge the breach to Georgia state officials, leaving the state without the basis to contain, mitigate, or remediate damage, and escalating risk in the meantime.
How could that be? Ask the State Election Board, which has declined over the last year to adopt mandatory cyber incident reporting requirements, although CGG has formally requested such Election Code rules since April 2023.
Given the complex nature of Georgia’s voting system and election infrastructure, once attacked, there is no realistic way for experts to promptly assess the potential damage or determine whether malware has been deployed. The longer malicious attacks are concealed, the more the risk of election subversion escalates. It is imperative to have commonsense mandatory security incident reporting and mitigation requirements. Almost every business or organization of any size has mandatory security incident procedures for reporting and response. Yet, even today, the massive voting system breaches in Coffee County in 2021 could be repeated with no reporting requirements, detection or accountability.
Over the weekend we submitted yet another request for immediate rule-making. You may read it here. We urge you to write the election board here, and ask them to adopt mandatory rules for reporting and mitigating security incidents. Simply ask them to promptly adopt rules to require security incidents be timely reported and mitigated. They need to hear from voters and political leaders.
CGG undertakes unique and difficult work to protect elections from subversions. No other non-profit takes on the important non-partisan battles we do to expose and address fundamental election operation problems. Please help us continue our work to fight the risks of election subversion.