Documents suggest activity logs of incidents overwritten
(WASHINGTON, DC) – Judicial Watch announced today that it received 243 pages of records from the Department of Homeland Security (DHS) that show the Obama administration’s scanning of the election systems of Georgia, Alaska, Oregon, Kentucky and West Virginia in 2016. This activity prompted a letter from then-Georgia Secretary of State (now Governor) Brian Kemp to then-DHS Secretary Jeh Johnson accusing DHS of “an unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall.”
The records were produced in response to Judicial Watch’s Freedom of Information Act (FOIA) request, which asked for all records related to reported cyberattacks against the Georgia secretary of state’s information network involving DHS, including investigative reports, memoranda, correspondence and communications between October 1, 2016, and February 14, 2017.
The minutes of a DHS “Enterprise Security Operations Center” (ESOC) meeting indicate that on November 15, 2016, at 8:43 a.m. a “scanning event” occurred. The “‘scanning’ event was the result of a FLETC [Federal Law Enforcement Training Center] user’s Microsoft Office Discovery Protocol sending a packet with the OPTIONS flag to the Secretary of State of Georgia site.”
The minutes note that the Enterprise Security Operations Center “has received requests from NCCIC [DHS’s National Cybersecurity and Communications Integration Center] and MS-ISAC [Multi-State Information Sharing and Analysis Center] to investigate other states that have seen ‘suspicious’ activity.”
The minutes note that Kemp accused DHS of conducting illicit scans on at least February 2, February 28 and May 23, 2016, as well.
DHS notes in the minutes that they were working with Microsoft to determine what happened: “Microsoft and the ESOC with the assistance of FLETC, were able to confirm that the user non-maliciously copied and pasted elements of the website to an excel document, which triggered the HTTP ‘OPTIONS’ request.”
A “Microsoft E-Mail Statement (Unofficial Statement to ESOC)” was included with the minutes. The email stated, “After looking at the data I do not see requests that look malicious in nature or appear to be attempting to exploit a vulnerability.”
A chart of “Current Open Vulnerabilities” for the period November 30, 2016, through December 12, 2016, noted that DHS had identified a total of 1,227 cyber vulnerabilities within DHS components, including five “High” severity ones at FEMA.
In a “Shift Pass Down Report – Sunday Night Shift – December 18, 2016” describing one of the State of Georgia incidents, DHS identifies that it originated “from a FLETC-based Physical Security Contract Manager.”
DHS identifies activity originating from the department in Alaska, Oregon, Kentucky and West Virginia.
In a “State of Alaska update,” the report notes, “Confirmed this activity was a NPPD [DHS’s National Protection and Programs Directorate] employee investigating twitter reports of compromise on an AK Election System, as part of his normal duties.”
A “State of Oregon update” indicated that “Oregon Secretary of State inquired why they observed the same DHS IP reported by GASOS visiting their website. After engaging with DHS, Oregon agreed there was nothing suspicious and closed the investigation.”
A “State of Kentucky update” said, “Normal web traffic from DHS.”
A “State of West Virginia update” also said “Normal web traffic from DHS.”
In a December 16, 2016, email exchange between DHS officials regarding a “Preliminary update on GASOS [Georgia Secretary of State],” an official notes there were at least 10 other “timestamps” in which “we have identified different components who have caused the same traffic as the FLETC user.” The log lists incidents involving FEMA, ICE-CIS and FLETC occurring between Feb. 2, 2016 and Sept. 12, 2016.
The email sender adds, “At this time, we cannot validate users with ease for these past timestamps due to DHCP and the lack of Authentication logs.”
Acting Principal Deputy Chief Information Officer Jeanne Etzel replies to him, “When this gets published in the 4:00, don’t say ‘lack of logs’ say something about logs are maintained for xx days and the events in question occurred xx days ago therefore our logs are overwritten per our standard retention policy.”
Another official, unidentified, then forwards the exchange to unknown officials saying, “FYI. Please use the lens of Press Release and senior leaders.”
In a December 9, 2016, email, Director of DHS Cybersecurity Operations Boyden Rohmer wrote to an unidentified Chief of the Justice Security Operations Center at the Justice Department about “some claims by the State of Georgia that we’ve been scanning their website,” noting that when he pulled their logs over a three-hour period, “we see that we have about 1800 similar requests.”
In an email exchange on December 8, 2016, a CBP CSOC [Customs and Border Protection/Cyber Security Operations Center] official indicated to a DHS official that the same CBP IP address that scanned the Georgia Secretary of State election systems also “previously was reported to us by Princess Cruise Lines” but “ESOC [DHS’s Enterprise Security Operations Center] assesses that the CBP computer was just doing normal web browsing to Princess Cruise Lines.”
The email continues, “ESOC assesses that the CBP computer was just doing normal browsing to Georgia’s Secretary of State office on Nov 15 as well.”
The CBP cyber security official then asks the DHS ESOC official for clarification of certain questions, such as “In both instances, who made this assessment that all of this activity was just ‘normal browsing’?” and “Please define ‘normal browsing’ as it is referenced in the text highlighted above.”
“The Obama DHS was caught scanning the Georgia Secretary of State’s website in 2016 and these documents show that details about the controversy may have been ‘overwritten,’” stated Judicial Watch President Tom Fitton.
In January 2017, the DHS Inspector General wrote to Kemp, saying that an investigation into his allegations was in progress and asking for web and network logs, as well as any other evidence that indicated the DHS attempted to breach Georgia’s system.
In July 2017, the DHS Inspector General reported to the House Committee on Oversight and Government Reform “that DHS employee interactions with the Georgia systems were limited to routine searches for publicly available information on the state’s public website and that none of the web pages visited were related to elections or voters.” The Inspector General also stated: “The investigation was conducted by employees in OIG’s specially trained Digital Forensics and Analysis Unit.”
Judicial Watch is a national leader for cleaner elections.
In September 2020, Judicial Watch released a study revealing that 353 U.S. counties had 1.8 million more registered voters than eligible voting-age citizens. In other words, the registration rates of those counties exceeded 100% of eligible voters. The study found eight states showing state-wide registration rates exceeding 100%: Alaska, Colorado, Maine, Maryland, Michigan, New Jersey, Rhode Island, and Vermont. The study collected the most recent registration data posted online by the states themselves. This data was then compared to the Census Bureau’s most recent five-year population estimates, gathered by the American Community Survey (ACS) from 2014 through 2018. ACS surveys are sent to 3.5 million addresses each month, and its five-year estimates are considered to be the most reliable estimates outside of the decennial census.
In 2018, the Supreme Court upheld a voter-roll cleanup program that resulted from a Judicial Watch settlement of a federal lawsuit with Ohio. California settled a federal lawsuit with Judicial Watch and last year began the process of removing up to 1.6 million inactive names from Los Angeles County’s voter rolls. Kentucky also began a cleanup of hundreds of thousands of old registrations last year after it entered into a consent decree to end another Judicial Watch lawsuit.
In 2020, Judicial Watch sued North Carolina, Pennsylvania, and Colorado for failing to clean their voter rolls, and sued Illinois for refusing to disclose voter roll data in violation of federal law. Judicial Watch has several open records requests pending over the conduct of the 2020 election.