Chaos in Maricopa County: The election audit explained

Maricopa County, Ariz., continues to be the subject of election-related controversies six months after the final votes were cast. And this one involves multiple cybersecurity firms, millions of dollars of potentially wasted voting equipment and a number of unproven accusations.

The latest controversy involves a new election audit for Maricopa, a county narrowly won by President Joe Biden last November in a state even more narrowly won by Biden. The ongoing audit, which is the third of its kind, is being coordinated between Republican Arizona senators and multiple private sector firms. The handling of this audit has faced major scrutiny and criticism directed primarily at the Florida-based consultancy Cyber Ninjas.

The firm has no known prior experience auditing an election, and due to the circumstances surrounding their audit -- including potentially faulty counting and what the Maricopa County Board of Supervisors describes as "incompetence" -- election equipment and voting machines examined by Cyber Ninjas may no longer be usable.

That's according to a letter from Arizona Secretary of State Katie Hobbs to the Maricopa County Board of Supervisors sent last Thursday.

"I have grave concerns regarding the security and integrity of these machines, given that the chain of custody, a critical security tenet, has been compromised and election officials do not know what was done to the machines while under Cyber Ninjas' control," Hobbs wrote. "Indeed, such loss of custody constitutes a cyber incident to critical infrastructure -- an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems."

After her office consulted with election technology and security experts including the Cybersecurity and Infrastructure Security Agency (CISA), the unanimous advice was, according to the letter, that "once election officials lose custody and control over voting systems and components, those devices should not be reused in future elections. Rather, decommissioning and replacing those devices is the safest option as no methods exist to adequately ensure those machines are safe to use in future elections."

The equipment includes a portion obtained in a 2019 contract with Dominion Voting Systems, the voting machine vendor that faced numerous unproven claims about fraudulent activities during the 2020 election, for $6.1 million. Dominion has a full page on its website dedicated to responding to accusations and claims about its activities in Arizona.

Cyber Ninjas was given a $150,000 contract despite having no previous experience counting votes, and its CEO Doug Logan is reportedly sympathetic to both former President Donald Trump and unfounded allegations that the election was stolen from Trump through massive fraud and hacked election infrastructure.

CyFIR, another firm hired for the audit and led by founder Ben Cotton, became a center of attention following a claim from the audit's Twitter account that Maricopa County deleted a directory of election databases. Cotton walked back the claim during a Senate hearing last Tuesday when he said that the data had been found, but then gave an official statement through the audit's Twitter account the following day to clarify that the data was actually deleted and then recovered.

The accusations, which remain unproven, were echoed by Trump.

The Maricopa County Board of Supervisors, a mostly Republican governing body for the county, sent a letter to Senate President Karen Fann with severe criticism of the audit and the four firms hired to conduct it; the other two firms are Wake Technology Services and Digital Discovery.

The letter argues that the accusations of deleted databases are false, that the auditors themselves are incompetent and that ballots were being incorrectly counted. The board also referenced the auditors looking for bamboo fibers over accusations that 40,000 ballots were shipped to Arizona from Asia, before closing the letter requesting an end to the audit.

The hiring of the firms was announced via a March 31 press release from Arizona Senate Republicans with plans to announce results "in about 60 days," though the audit has no deadline and is reportedly behind schedule.

This audit is the third of its kind for the county. Maricopa hired firms Pro V&V and SLI Compliance for multilayered forensic audits that occurred in February. Both are certified by the National Institute for Standards and Technology as well as the U.S. Elections Assistance Commission, and the county passed all equipment and software tests from both firms.

Cyber Ninjas and CyFIR did not respond to SearchSecurity's requests for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.