“[Georgia’s GOP Secretary of State] Brian Kemp issued a letter to [Department of Homeland Security Secretary Jeh] Johnson on Thursday after the state’s third-party cybersecurity provider detected an IP address from the agency’s Southwest D.C. office trying to penetrate the state’s firewall. According to the letter, the attempt was unsuccessful.
The attempt took place on Nov. 15, a few days after the presidential election. The office of the Georgia Secretary of State is responsible for overseeing the state’s elections.
‘At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network,’ Kemp wrote in the letter, which was also sent to the state’s federal representatives and senators. ‘Moreover, your department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created.'”
Secretary Kemp’s letter can be found here.
Penetration testing (or pen testing) is the deliberate attempt to find security weaknesses in a computer system, network or application, typically as a means to determine how secure that system is. Such testing is considered deliberate because, under normal circumstances, a security specialist or company works from a predetermined plan for how they will test a client’s infrastructure.
In his letter, the Secretary states that because he is already a member of DHS’s Election Infrastructure Cybersecurity Working Group, the incident should have been communicated to him if it was a legitimate test.
As he further points out, unauthorized access is not permitted:
“…Under 18 U.S.C. Sec. 1030, attempting to gain access or exceeding authorized access to protected computer systems is illegal.”
He then goes on to put specific questions to Secretary Johnson:
- Did your Department in fact conduct this unauthorized scan?
- If so, who on your staff authorized this scan?
- Did your Department conduct this type of scan against any other states’ systems without authorization?
- If so, which states were scanned by DHS without authorization?
The letter was copied to a number of US House and Senate members.