Earlier this week, the Department of Homeland Security (DHS) concluded its investigation into claims that DHS engaged in a prolonged cyberattack against the state of Georgia. Upon completion, Inspector General John Roth stated the interference with Georgia cybersecurity was triggered by Microsoft programs.
Roth wrote in a letter to House Oversight Committee Chairman Trey Gowdy (R-SC) Monday that, "We have recently completed our investigation into these allegations and have determined that the activity Georgia noted on its computer networks was the result of normal and automatic computer message exchanges generated by the Microsoft applications involved."
Allegations were made by Georgia Secretary of State Brian Kemp in December after he sent a letter to former Secretary of Homeland Security Jeh Johnson. In his statement he accused DHS of 10 cyberattacks throughout the 2016 presidential election, which he said he believed were correlated to Georgia turning down DHS’s recommendations to help secure the state’s election systems.
Kemp said in his letter that, "On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall. I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall."
Roth reported that DHS’s internal investigation into the incident found the "attempt to penetrate the Georgia Secretary of State’s firewall" was simply traffic from a Federal Law Enforcement Training Center employee who was checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility. The traffic was generated when the employee cut and pasted data from the database into Microsoft Excel, which sent light traffic to the Georgia server.
Roth noted in his letter that the DHS internet addresses that contacted the Georgia systems could not be used to attack those systems in the way Kemp described.
Roth said, "DHS’s web proxies are configured to ensure its users appropriately access the internet consistent with DHS’s acceptable-use policies, and would not allow users to conduct port scanning or similar attacks on Georgia’s systems. In other words, it simply would not have been possible for the DHS users to attack Georgia’s systems from these DHS IP addresses."
The DHS inspector general conducted a follow-up investigation that validated the first report’s results, and reported that other states had made similar claims to DHS after Georgia filed its complaint. Roth’s final assessment said the agency’s explanation of events was backed up by server logs and a consultation with Microsoft.