This report first appeared on CyberScoop.
The Department of Homeland Security told Georgia’s Office of Secretary of State that the IP address associated with an attempted breach of the state agency’s firewall was tracked to an office in U.S. Customs and Border Protection, a revelation that has DHS “deeply concerned.”
According to DHS, someone on the federal department’s security network was conducting legitimate business on the state office’s website, verifying a professional license administered by the state. The state office manages information about corporate licenses and certificates on its website.
The Wall Street Journal was the first to report on the federal department’s response.
A spokesperson for Georgia’s secretary of state office told CyberScoop on Monday that the agency was unaware of any correspondence and is “working with DHS” to resolve the matter.
Georgia Secretary of State Brian Kemp issued a letter to Homeland Security Secretary Jeh Johnson on Thursday after the state’s third-party cybersecurity provider detected an IP address from the agency’s Southwest D.C. office trying to penetrate the state’s firewall. According to the letter, the attempt was unsuccessful.
In a reply, a DHS official said the agency tracked the IP address to an office associated with CBP, which hosts a portion of DHS’s network. CBP, which is the largest law enforcement agency inside DHS, does not typically get involved in cybersecurity matters.
“DHS has not intentionally scanned the systems of the Georgia Secretary of State office. DHS has not tried to break into those systems,” Phil McNamara, DHS’s Assistant Secretary for Intergovernmental Affairs, wrote in an email obtained by the Journal. “When DHS does scans of a customer, we do not do them through the CBP Internet Gateway. CBP is an entirely different organization. We are deeply concerned with this situation. We’ve had a team working throughout the day trying to determine what has happened.”
Georgia’s cybersecurity provider informed the Office of the Secretary of State that the breach attempt occurred Nov. 15, a few days after the presidential election. The office is responsible for overseeing elections in Georgia.
“At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network,” Kemp wrote in the letter, which was also sent to the state’s members of Congress. “Moreover, your department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created.”