Investigation shows DHS did not hack Georgia computers

The Department of Homeland Security did not engage in a prolonged cyberattack against the state of Georgia, the DHS inspector general has determined. 

"We have recently completed our investigation into these allegations and have determined that the activity Georgia noted on its computer networks was the result of normal and automatic computer message exchanges generated by the Microsoft applications involved," Inspector General John Roth wrote in a letter to House Oversight Committee Chairman Trey Gowdy (R-S.C.) on Monday.

In December, Georgia Secretary of State Brian Kemp sent a letter to then-Secretary of Homeland Security Jeh Johnson accusing the DHS of 10 cyberattacks of varying sizes around the time of the 2016 presidential election, implying that the alleged attacks were related to the state turning down DHS help to secure election systems. 

"On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State's firewall. I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall," he wrote.  

An earlier, internal DHS investigation into the reported incident showed that the "attempt to penetrate the Georgia Secretary of State's firewall" was actually residual traffic from a Federal Law Enforcement Training Center employee checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility. 

That traffic, the first report determined, was caused by the employee cutting and pasting data from the database to Microsoft Excel, which sent light traffic to the Georgia server while parsing the data. That traffic would have been in no way abnormal. 

The DHS inspector general, which operates independently from the DHS chain of command, conducted a second investigation. It validated the first report's results, finding that other states that made similar claims following the Georgia accusation appeared to also have drawn nonmalicious traffic. 

Roth noted in his letter that the DHS internet addresses that contacted the Georgia systems could not be used to attack those systems in the way Kemp described.

"DHS’s web proxies are configured to ensure its users appropriately access the internet consistent with DHS’s acceptable-use policies, and would not allow users to conduct port scanning or similar attacks on Georgia’s systems. In other words, it simply would not have been possible for the DHS users to attack Georgia’s systems from these DHS IP addresses," he wrote. 

Roth said the agency's explanation of events was backed up by server logs and a consultation with Microsoft.