Misleading, inaccurate and false: Maricopa County says Cyber Ninjas election audit report was all wrong

Jen Fifield, Arizona Republic
·11 min read
Presenters of the report on the election audit, from left, Ben Cotton, the founder of CyFIR, Doug Logan, the CEO of Cyber Ninjas and Randy Pullen, the audit spokesman, look on before the start of the presentation to the Arizona State Senate in the Senate chambers of the Arizona Capitol in Phoenix on Sept. 24, 2021.

Every claim made by Cyber Ninjas and other Arizona Senate contractors who reviewed Maricopa County's 2020 presidential election was either misleading, inaccurate or false, according to a point-by-point response by county officials issued on Wednesday.

The 93-page report, months in the making, studied every question the contractors raised about the election and analyzed thousands of individual voter records. It explained that the contractors made faulty assumptions and false accusations, in part because of mistakes they made during their analysis but also because they were inexperienced and misunderstood how the county and state's elections work.

“At the heart of these inaccuracies is a basic misunderstanding or ignorance of election laws and procedures,” county officials wrote in the report.

While Cyber Ninjas raised questions about more than 50,000 ballots cast in the election, a wider margin than Biden won in the state, the county's analysis of those claims found fewer than 100 instances of potential voter fraud or double-counted ballots. That's far fewer than it would have taken to impact the outcome of any race, and within the expectations of an election with nearly 2.1 million voters.

After analyzing each claim, the county is referring 37 cases of potential voter fraud to the Arizona Attorney General, including 26 potential deceased voters, six voters who may have voted twice, and five voters who may have voted in more than one county.

The county's report, obtained early by The Arizona Republic, was to be presented at a 1:30 p.m. public meeting on Wednesday presided by the county's Board of Supervisors and including County Recorder Stephen Richer and several of the county's top election staff.

The response comes three months after Senate Republican contractors presented the Sept. 24 results of their monthslong election review, an unprecedented undertaking in the state fueled by Donald Trump's unsupported claims of election fraud. The review and results ultimately did little to instill confidence in the county's elections and did not identify any fraud, but did spread more misinformation and attempt to raise questions about the county's elections.

The county's response comes one day before the one-year anniversary of the deadly Jan. 6, 2021, riot at the U.S. Capitol, a reminder of the danger of election misinformation, and a week before the convening of the Arizona Legislature, in which lawmakers likely will introduce new voting and election laws, some encouraged by the claims the county says are false or misleading.

County officials say the timing of the report was not intentional. It just took time.

"In addition to administering the November 2021 jurisdictional election, the county thoroughly research and analyzed all of the claims made by the Senate’s contractors," said Megan Gilbertson, spokesperson for the county's Elections Department. "Today’s meeting is the culmination of that time."

The county hired Scottsdale-based cybersecurity firm PacketWatch to analyze and respond to some of the technical claims made about the county's election management system. Overall, the county and PacketWatch did not identify any systematic problems with the county's election.

Here's a summarized breakdown of the county's explanation to the contractor's claims.

5 stories we followed in 2021 on The Gaggle

Claims of potential fraudulent voters

Claim: 33,102 mail-in ballots were cast from old addresses. The claim was made as an attempt to show that the ballots may have been cast illegally.

Reviewing thousands of the voters listed in the dataset from the Cyber Ninjas, the county found five of the ballots may have been cast illegally.

The county explains that there are numerous reasons why mail-in ballots may be cast from old addresses, such as overseas voters or voters who moved shortly before an election, and they are all legal. Also, the county noted that Cyber Ninjas used commercial software to complete an insufficient soft match to find voter addresses, using first name, first initial and year of birth. That means they potentially identified different people as the same voter. In one case, the county said, Cyber Ninjas identified twins as the same voter.

The county spot-checked the Cyber Ninjas' dataset using far more criteria, such as full name, full date of birth, social security number, driver’s license or state ID, residential history and signature.

The five ballots that may have been cast illegally include instances where the voter potentially voted in more than one Arizona county. The county found the five after reviewing 1,815 of the 4,295 voters that Cyber Ninjas said may have cast two ballots. The county turned over the five cases to the Attorney General’s Office for further review.

The largest claim, by number, in the Cyber Ninjas report was that 23,344 ballots were voted from a prior address, either after the voter moved within the county, out of the state or within the state to another county. The county found these ballots represented either a legal vote or an incorrect voter match on the Cyber Ninjas part. Of these, none of the voters identified voted twice, according to the report.

Out of these 23,344 for example, 1,256 of the new addresses identified by Cyber Ninjas were P.O. boxes, which does not indicate a move. The company also included 1,331 Uniformed and Overseas Citizens and Absentee voters, who may legally vote from their prior address.

Claim: Information in the voter registration database allowed 1,370 ineligible voters to vote an official ballot, including voters with incomplete names, deceased voters, late registered voters with counted votes, voters with duplicate IDs and voters with multiple tracking numbers.

Reviewing each of these types of issues, the county found that 32 voters may have cast ballots illegally.

The Cyber Ninjas did not provide the county a list of the 282 voters it estimated had died before casting ballots in the election. The county conducted an independent analysis of voter records and recorded deaths and found 26 possible instances of a ballot being processed and potentially counted for a voter that passed away prior to the ballot being returned. These instances are being sent to the Arizona Attorney General’s Office for further review. The county is reviewing its current process to identify deceased voters for potential improvements.

The county identified six potential instances of double voting after the review, and those cases were referred to the Attorney General.

Claims of problems with county's election management system

Claim: The county deleted files on its election management system, including perhaps intentionally in February, the week before the county’s independent audit of voting machines took place.

A subcontractor of Cyber Ninjas, CyFIR, studied the county's voting machines and election management system. The county says the firm made several false claims about deleted files, including that the election management system database was purged, that election fields were deleted, that there was “election activity” on the system, and that there were corrupt or missing ballot images.

Regarding files that the contractor claimed were missing, the county said it archived the November 2020 General Election tabulation data, and the Senate didn’t request the backup hard drives that contain the archived files.

That includes on Feb. 2, when the county accessed the equipment to clone the server for a March 2021 jurisdictional election, and to prepare the machines for a Logic and Accuracy test being performed by an outside contractor the county hired to examine the machines. That type of machine audit requires resetting the vote totals.

Regarding the claim that some ballot images were missing or corrupt, the county said that on March 3, 2021, the county used the November 2020 General Election archives to restore ballot images onto the Election Management System to comply with the Senate’s subpoenas. After the claim was made, the county checked for corrupt files on a copy of what it provided CyFIR, and could open each one.

Claim: Employees logged into the election management system to run scripts that query the system. These actions were cast as something nefarious to hide older information on the system for the audit. One example given was an employee running a script in early March that queried the system thousands of times.

The county said that actions logged during the March timeframe were done to gather materials for the Senate’s subpoena and to conduct the March jurisdictional elections. But the county said there were not tens of thousands of logs, as claimed, as that amount would surpass the amount of space available.

Some of these logs were not done by actions of county employees, but produced as part of an automated and standard process that systematically connects from the election management system to the tabulation, adjudication, and administrative computers to ask if these devices have any data that can be passed back to the server. This happens at all times, not just during elections, the county said.

Claim: Anonymous user accessed the EMS server. This claim was made to seem nefarious, as if unauthorized users gained access to the system.

An analysis of the security logs by an independent cybersecurity firm, PacketWatch, concluded these logins were legitimate and was part of typical behavior for a Microsoft Server 2012 R2. It’s typical that the automated logins sometimes do not list a user or computer name.

Claim: Maricopa County’s election management system was connected to the internet.

In four of the six claims made on the topic, the county found that the connections between the machines were within the county’s air gapped election management system, and none of the connections spanned outside that network or to the internet. In the other two cases, the servers that CyFIR said were connected to the internet were simply the county’s web servers that host the Recorder’s Office website. Those servers are not connected to the air-gapped election management system.

The county points out that the instances in which machines within the air-gapped system attempted to reach outside networks were unsuccessful, as noted by error messages.

The county hired PacketWatch, the cybersecurity and incident response firm, in October 2021 and the company confirmed that the county’s air gapped network was not connected to the internet. That’s the second time the county’s independent auditors have found that to be the case.

Another claim, that a duel hard drive found on a machine could have indicated that one of the hard drives was connected to the internet, is false, the county said. An independent audit commissioned by the county in February 2021 found that neither of the hard drives had been connected to any networks outside the county’s election management system.

Claim: The county didn’t follow cybersecurity best practices, including for installing software, updating antivirus systems and password management.

The county says the practices cited in the report do not apply to air-gapped election management systems, and if done, could introduce vulnerabilities into the system.

The county can only use machines and software within its air-gapped system that are certified by the Election Assistance Commission, and so the county only made updates to its system based on what was certified.

The county listed the numerous security protocols in place for employees who access the ballot tabulation center in order to get access to the election management system. While the county was criticized for having employees share passwords, the county said that it can tell which employee accesses which machines by looking at paper tabulation operator logs and video time stamps.

Other claims about the county's election

Claim: There was a breach in the county’s voter registration database during the election.

The county says the voter registration database is protected by “multiple layers of authentication and security controls.” When an unauthorized person gained access to voter information on the county’s website in November 2020, an incident that the county investigated, they did not gain access to the database.

Claim: The Cyber Ninjas hand count produced similar results to county’s results

The county analyzed the Cyber Ninjas’ hand count reports and said that more than 28% of hand count batch totals produced by the company did not match a separate machine count of ballots conducted by the Senate, which closely tracked to the county’s results.

The county says the hand count was flawed because it didn’t follow the correct method to count ballots and tally votes under state law, and because the procedures changed constantly.

Claim: The county used questionable ballot paper and out-of-calibration printers.

These claims are false, the county said. The county hasn’t identified any use of other types of paper other than the one it prints ballots on. The bleed through of Sharpies may have happened but didn’t affect the results, since the voter selections are offset on either side of the paper – something that Cyber Ninjas noted in its report. There may be microscopic yellow dots on some of the papers, from some of the printers used to print ballots, but that doesn’t affect the vote tally.

Reach the reporter at jen.fifield@azcentral.com or at 602-444-8763. Follow her on Twitter @JenAFifield.

Support local journalism. Subscribe to azcentral.com today.

This article originally appeared on Arizona Republic: Maricopa County responds to each Cyber Ninjas' election claim