WASHINGTON — The U.S. Homeland Security Department moved closer Friday to solving the mystery about why the state of Georgia believed the federal government was trying to hack its election systems.
An employee in the department who worked far removed from cybersecurity operations visited the Georgia secretary of state's website for his work, an official told The Associated Press. The employee's system was configured in a way that caused Georgia's outside security vendor to misinterpret the visit as a scan of its systems. The official spoke on condition of anonymity because this person was not authorized to publicly discuss preliminary findings.
In a letter Thursday sent to Homeland Security Secretary Jeh Johnson, Georgia Secretary of State Brian P. Kemp said a computer traced back to the federal agency in Washington tried unsuccessfully to penetrate the state office's firewall one week after the presidential election.
The letter speculated that what it described as "a large unblocked scan event" might have been a security test.
A Homeland Security Department technical team was working Friday to coordinate with the state's office to uncover what happened.
The computer address Georgia provided to U.S. officials traced back to an internet gateway that funnels traffic for thousands of computers across the 22-agency department. By Friday afternoon, they had followed the trail back to a specific computer.
The employee told investigators that he was checking the state website to determine whether an individual had a certain type of professional license issued by the state. Due to the way the employee's computer was configured, it appeared his computer was scanning the state system, which can be interpreted as a prelude to a hacking attempt, the official said.
The department expected its team would be working through the weekend to confirm what happened, and the identified computer has been taken offline as a precaution, the official said.
The agency also preserved all its activity logs for Nov. 15, after it received the secretary of state's letter, the official said.
The department did not have an agreement to scan Georgia's system. Such a scan would typically have been conducted by the National Cybersecurity and Communications Integration Center, the agency's cyber hub. But no such scan was done from there, the official said.
Georgia's secretary of state sought details about the activity, including whether the agency conducted an unauthorized scan, who might have authorized it and whether other states might have been similarly probed. Kemp cited the federal law against knowingly accessing a computer without authorization or exceeding authorized access, which is a felony.
Kemp said this was "especially odd and concerning" given that he is a member of the U.S. Election Infrastructure Cybersecurity Working Group run by the federal agency.
Forty-eight states accepted offers by the Homeland Security Department to scan their networks ahead of the presidential elections. The scans looked for vulnerabilities that hackers could exploit. The U.S. also described how states could patch their networks to make it more difficult to penetrate them.
Georgia was among two states that did not accept the department's offer. It said it had contracted with an outside agency and already implemented protective measures.
Georgia's system holds personal information on more than 6.5 million residents, more than 800,000 corporate entities and more than 500,000 licensed or registered professionals. The office registers voters, tracks annual corporate filings, grants professional licenses and oversees the state's securities market.