The Cybersecurity 202: Election officials are pushing back against partisan audits launched by Trump allies

By: Joseph Marks

Anchor of The Cybersecurity 202 newsletter Today at 7:28 a.m. EDT44 with Aaron Schaffer

The battle lines are hardening between the vast majority of election officials who’ve spent months validating and defending the results of the 2020 election and former president Donald Trump’s supporters, who are still challenging those results without evidence and demanding new reviews.

One such partisan and poorly run review started months ago in Maricopa County, Ariz., but it has not yet produced any results. Partisans are pushing other audits in Wisconsin and elsewhere. 

The coalition of top state election officials is pushing back by endorsing a how-to guide for post-election audits that criticizes reviews like Arizona’s that are run on a partisan basis and by private companies without ample experience in the field. 

Election officials fear the drumbeat of baseless allegations about election hacking and fraud from Trump allies will dampen faith in future election results and maybe in the democratic process itself. Ironically, the assault comes after a four-year election security surge that made 2020 by far the most secure against hacking in decades. 

“I’m terribly distressed about what this has done to the public’s perception of elections,” Ann S. Jacobs (D), chair of the state Elections Commission in Wisconsin, told me. “It erodes the faith of the electorate in their elected leaders. It justifies violence and threats of violence against election workers. America has always prided itself on its orderly transition of power and these fake accusations are undermining that.”

Rep. Janel Brandtjen (R), leader of the state Assembly’s elections committee, issued subpoenas to two of the state’s largest counties, Milwaukee and Brown, demanding they turn over their voting machines to the legislature for review. 

It’s not clear how much force those subpoenas have because they lack support so far from Assembly Speaker Robin Vos (R). Milwaukee County Clerk George Christenson (D) told me in a statement that he’s “reviewing the subpoena we received with regard to its validity,” but he declined to comment further. Brandtjen didn’t respond to a request for comment. 

Gov. Tony Evers (D) has called the Maricopa audit a “clown show” and said Wisconsin county officials’ response to the audits should be “hell no.”

But the effort is nevertheless fueling partisan rancor and doubts about the Wisconsin results. 

Trump sent a note to reporters praising the audit and poking at Vos. “Hopefully Republican Speaker Robin Vos has the integrity and strength Wisconsin needs to support Rep. Brandtjen’s efforts. Our Country is counting on it!” he wrote. 

Wisconsin Election Commissioner Robert F. Spindell Jr. (R), a supporter of the audit, told me public concerns about the election’s legitimacy mean more reviews are necessary. He pointed to a Marquette Law School poll that found 71 percent of Wisconsin Republicans aren’t confident the state’s election results were accurate. 

The question is more than is this concern legitimate or not. The issue is a huge number of people think there’s a problem with the election,” he said. “It seems to me we should try to do something to solve that rather than say, ‘You don’t know what you’re talking about. You’re all idiots. Believe us, everything was great.’ ”

Wisconsin’s results, however, have already been validated by a machine review and hand recounts in Milwaukee County and Dane County, home to Madison. They’re also in the midst of two other reviews – one led by the state’s Legislative Audit Bureau and another by former state Supreme Court Justice Michael Gableman.

Spindell recently attended the cyber symposium hosted by MyPillow CEO Mike Lindell, who has spun a broad and baseless conspiracy theory that China changed votes to steal the election from Trump. Spindell said he wasn’t necessarily convinced by Lindell’s full theory but came back convinced that “anything can be hacked.”

There’s lying, cheating and stealing in every aspect of life and now all of a sudden in voting there’s not? It’s hard for me to believe,” he told me. 

Election security experts generally argue that election hacking isn’t impossible but that it’s extremely difficult – and almost always requires hands-on access to every voting machines that’s successfully hacked. 

That means it’s exceedingly unlikely that anyone could alter enough votes to flip even a small election. If that happened it would almost certainly be caught by auditors, who could determine the true result by counting paper records of votes, which are available for about 95 percent of voting districts.  

State election officials are banding together to push back against the partisan reviews. 

The National Association of Secretaries of State voted to approve a slate of recommendations for post-election audits during its meeting this week. The recommendations were first reported by Politico.

They include:

  • Laying out strict timelines and procedures for how audits will be triggered and conducted before an election
  • Running audits through government bodies whenever possible rather than private companies
  • Being fully transparent about audit procedures

Another recommendation: Don’t let voting machines out of the custody of government officials where they could be infected with malicious software that could disrupt future elections. That’s the sort of hands-on access to voting machines that security experts genuinely worry about. 

The private firm conducting the Maricopa audit, Cyber Ninjas, violated that principle and the state is on the hook for $9 million to replace the machines the company inspected. 

Spindell told me he’d oppose any audit in Wisconsin that necessitated replacing voting machines. He said he’d urge a compromise such as having a county’s sheriff’s office supervise machines while they were reviewed by a private company.  

The keys

Israeli phone-cracking firm Cellebrite will set up an ethics committee and stop selling its technology to Bangladesh after human rights criticisms.

The decisions were probably caused by Cellebrite’s plans to sell its stock publicly in the United States, Haaretz’s Omer Benjakob and Oded Yaron report. The firm sells devices that extract data from locked phones to law enforcement. In Bangladesh, Cellebrite hardware was reportedly used by a paramilitary unit accused of torture.

Digital rights groups in July asked regulators and investors to pause Cellebrite’s plans to go public until it made progress on human rights. The company stopped selling its technology to Hong Kong and China last year and ended its sales to Russia and Belarus this year, according to the Thomson Reuters Foundation.

BlackBerry held off for months announcing vulnerabilities in industrial software used in 200 million cars and other critical equipment.

BlackBerry first argued to government officials that the vulnerability didn’t infect its products. Later, the company said it could notify customers privately rather than making a public announcement, Politico’s Betsy Woodruff Swan and Eric Geller report

The story highlights the often-lengthy process before companies go public with detailed information about bugs in their products — delays that sometimes make customers more vulnerable. 

Part of the difficulty is that BlackBerry didn’t know who many of its end-users were. The Cybersecurity and Infrastructure Security Agency argued that privately notifying just the company’s known customers would leave many others in the dark, according to a CISA presentation reviewed by Politico. Blackberry ultimately made the announcement publicly. 

A Russia-linked influence operation targeted far-right 4chan users.

The long-running campaign called Secondary Infektion tried to stir outrage about the coronavirus on the unmoderated platform, CyberScoop’s Tonya Riley reports. The campaign also tried to increase anti-Muslim sentiments, according to Recorded Future.

The campaign is concerning because it utilized 4chan, a hotbed of domestic extremism, and calls for violence, according to Recorded Future’s Brian Liston. “Whether or not they help motivate or drive that behavior in other cases that we have not identified … remains to be seen,” he said.