The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Voting machines are a casualty of unnecessary election audits


Welcome to The Cybersecurity 202! We're starting the week off strong because Sagittarius season starts today!

Below: The FBI is investigating a possible election office security breach, and Iranian hackers compromised a major newspaper chain before the 2020 election.

Some counties must replace voting machines after needless audits

Paying auditors isn’t the only cost stemming from partisan election reviews being conducted in several GOP-led states that Trump lost. 

Such audits can also require replacing expensive election equipment.

Earlier this year, Arizona’s Republican-led state Senate hired Cyber Ninjas — a cybersecurity firm with no prior election experience and whose CEO had parroted election conspiracy theories — to review the 2020 election results. Cyber Ninjas spent more than five months on a post-election review that delivered disappointing results for Trump backers — along with a hefty bill.

$2.8 million

That’s the total amount Maricopa — Arizona’s most populous county — will need to pay to transition to new election equipment. Because the county had leased the equipment from Dominion Voting Systems, it must purchase the machines that can no longer be used in order to destroy them, and it must also lease new machines.

“Those were perfectly good machines which passed all of our accuracy tests from the time we first got them in 2019,” Maricopa County Board of Supervisors Chairman Jack Sellers told The Arizona Republic, referring to the equipment that wouldn’t have been up for renewal until 2023. “The taxpayer paid good money for them.”

How it started

Republican leaders in Maricopa County opposed the Cyber Ninjas audit. They insisted the election was secure and the results in their county were trustworthy. Further, the results had already been affirmed by a traditional audit conducted by Maricopa County Recorder Clay Thompson (R). But Republicans in the state Senate insisted on moving forward, and now the county must bear the cost of replacing all of its voting machines.

The big problem: Cyber Ninjas auditors broke a slew of rules that traditional auditors follow, including violating what’s known as the “chain of custody.” That’s a complex system by which election machines are always locked up, under video surveillance or attended by multiple election officials to ensure there’s no opportunity to tamper with the machines or their software. When Cyber Ninjas couldn’t verify the chain of custody, Arizona Secretary of State Katie Hobbs, a Democrat, decertified the equipment.

Funding fight

Hiring a firm like Cyber Ninjas to audit Arizona’s results was already controversial. But the audit has also prompted a confusing and protracted battle over who must pay to replace the election equipment.

Here’s how the fight began:

  • Earlier this year, state Senate President Karen Fann issued a subpoena to Maricopa County, demanding the county hand over voting machines, routers and machine-generated data known as logs.
  • The county handed over the voting machines with an agreement that it wouldn’t be on the hook for paying for replacements if that became necessary.
  • But the county refused to turn over the routers and logs, citing security concerns. “Providing physical routers that run the county network would have … crippled operations and posed well-documented security risks,” a communications representative from Maricopa County said.
  • In response, the state threatened to strip Maricopa of $700 million in yearly state funding.

How it's going

But in September, the state Senate and the county struck a deal. 

  • The county agreed to pay the $2.8 million cost of replacing the election equipment.
  • The Senate removed its defunding threat.
  • The Senate also agreed to appoint John Shadegg, a former Republican congressman from Arizona, as a “special master.”
  • Shadegg will hire a team of technical experts to take over the chain of custody for the routers and logs and answer Senate questions on what they find. That way, the election review can continue but the chain of custody will not be broken.

The four Republicans on the Maricopa County Board of Supervisors all voted for the deal. The only “no” vote came from Steve Gallardo, the panel’s sole Democrat, who told NBC News that “we’re dealing with bullies.”

Fann dubbed the outcome a “win” for taxpayers in Maricopa County, since they evaded the threat of losing $700 million for challenging the Senate further.

Election machine lifespan

Generally speaking, election equipment should be replaced every 10 years, assuming there haven’t been any security breaches, said John Sebes from the OSET Institute, a research group that develops publicly available election software.

Maricopa County’s new machines are identical to their old model. They will be leased through the 2022 election cycle, according to the Maricopa County communications team.

In Pennsylvania

Pennsylvania could face similar high-cost equipment replacements. 

The state started the process of conducting a similar partisan post-election assessment in September 2021 under pressure from Trump supporters. Pennsylvania state Sen. Judy Ward, a Republican, said her constituents are “outraged” at the 2020 election results.

The Pennsylvania Department of State warned in July it would have to decertify election equipment in all of the state’s 67 counties if the chain of custody is broken to comply with proposed audits. That could cost up to $40 million, the department said.

Trained election officials routinely conduct audits that don’t require any election equipment to be replaced. But once a Cyber Ninjas-style audit begins, there’s no telling how much equipment might need to be replaced. The replacement costs can also vary widely depending on how much vendors charge. 

“It's like sailing a fleet into a hurricane, knowing the ships will be lost and have to be replaced,” Sebes said. “And knowing that there are no funds set aside for the replacement.”

That’s an unsettling prospect for county officials, who are typically operating on tight budgets.

“What county elections office has any such money to spare?” OSET’s Gregory Miller said. “In our estimation, this will be a disaster.”

The keys

The FBI is investigating another possible election office breach fueled by conspiracy theories

Somebody connected a private laptop to the Lake County, Ohio computer network in the office of Board of Commissioners Chairman John Hamercheck (R), allowing them to capture routine network traffic, Amy Gardner, Emma Brown and Devlin Barrett report. The incident has striking similarities to a case in Colorado where officials helped an outsider access a county voting system. 

Data obtained in both of the incidents was distributed at MyPillow executive Mike Lindell’s August “cyber symposium” on alleged election fraud.

“Together, the incidents in Ohio and Colorado point to an escalation in attacks on the nation’s voting systems by those who have embraced Trump’s false claims that the 2020 election was riddled with fraud,” Amy, Emma and Devlin write. “Now, some Trump loyalists pushing for legal challenges and partisan audits are also targeting local officials in a bid to gain access to election systems — moves that themselves could undermine election security.”

At the center of both cases is Douglas Frank, an Ohio-based scientist who has claimed to have discovered secret algorithms that were used to rig the 2020 election. Frank has crisscrossed the country in recent months, visiting “over 30 states” and meeting with around 100 election administrators, he told The Post.

Frank met with Tina Peters, the clerk in Mesa County, Colo., before she shared sensitive information from the county’s election systems with Lindell. Frank told The Post he doesn’t specifically remember meeting with Hamercheck but said he’s met with so many people in recent months he can’t recall them all. He said a meeting sounded “plausible” because it was “exactly the model that we did with Tina.”

Frank has done work for Lindell, who said he doesn’t fund Frank’s speaking engagements.

Iranian hackers breached a major U.S. newspaper chain ahead of the 2020 election

The hackers used their access to Lee Enterprises’ computers to test modifying and creating content in the chain’s newspaper websites, the Wall Street Journal’s Dustin Volz reports, citing people familiar with the matter. Justice Department prosecutors described the breach in indictments Thursday but did not name the newspaper chain. The hackers weren’t able to access the system after the election because the company received a warning from the FBI, prosecutors say.

Lee Enterprises owns dozens of newspapers across the United States. The company owns the Buffalo News, the Omaha World-Herald, the Richmond Times-Dispatch and others. The company did not respond to requests for comment from the Journal. The Justice Department declined to comment to the outlet.

Iranian hackers Seyyed Kazemi and Sajjad Kashian were behind the incident, prosecutors said last week. The Treasury Department called them “state-sponsored,” though prosecutors didn’t directly accuse them of working for Iran’s government in their indictments.

Facebook and Instagram owner Meta is delaying the rollout of end-to-end encryption by default on its platforms

The company won’t add end-to-end encryption as the worldwide default on all of its messaging apps until 2023, Meta global head of safety Antigone Davis wrote in the Telegraph. The delay comes after months of criticism by high-profile officials in the United Kingdom over the tech giant’s encryption plans. Lawmakers there are considering new legislation to combat harmful online content. 

U.K. Home Secretary Priti Patel has blasted the company’s encryption rollout, arguing that it would enable sexual abuse of children. U.S. officials have also argued that encryption would shield criminals online. Cybersecurity and privacy advocates have pushed back on that argument, saying the increased protection against hacking and privacy invasions outweighs any drawbacks.

Hill happenings

The House passed a massive spending package that has $500 million tucked away for cybersecurity

The roughly $2 trillion bill’s cybersecurity money would mostly go to the Cybersecurity and Infrastructure Security Agency for things like cybersecurity risk and workforce issues, the Hill’s Maggie Miller writes. The bill now goes to the Senate, where the Biden administration has to get the support of key moderate Democrats.

National security watch

'What's at stake is obviously the security of our nation,' NSA chief says of defending US from cyberattacks (ABC News)

Securing the ballot

Americans chasing down Trump’s wild election conspiracy snuck into a Mafia prison in Italy (The Daily Beast)

How the "big lie" about the 2020 election spread (Axios)

Global cyberspace

North Korean Hackers Caught Snooping on China’s Cyber Squad (The Daily Beast)

Indonesia probe police hack in latest cyber breach (Reuters)

Iranian private airline Mahan Air 'foils cyber attack' (The National)

Cyber insecurity

Vestas hit by cyber security incident, shuts some IT systems (Reuters)

Conti ransomware gang suffers security breach (The Record)

Hackers Circle as Individual Investors Pour Cash Into Crypto (Wall Street Journal)

Secure log off

Thanks for reading. See you tomorrow.