G.O.P Election Reviews Creates a New Kind of Security Threat

Contractors from Cyber Ninjas examined ballots from the 2020 election in Phoenix in May. The firm, whose chief executive has promoted conspiracy theories about rigged voting machines, has no previous experience auditing elections. Credit…Courtney Pedroza/Getty Images

By Nick Corasaniti

Sept. 1, 2021

Late one night in May, after surveillance cameras had inexplicably been turned off, three people entered the secure area of a warehouse in Mesa County, Colo., where crucial election equipment was stored. They copied hard drives and election-management software from voting machines, the authorities said, and then fled.The identity of one of the people dismayed state election officials: It was Tina Peters, the Republican county clerk responsible for overseeing Mesa County’s elections.

How the incident came to public light was stranger still. Last month in South Dakota, Ms. Peters spoke at a disinformation-drenched gathering of people determined to show that the 2020 election had been stolen from Donald J. Trump. And another of the presenters, a leading proponent of QAnon conspiracy theories, projected a portion of the Colorado software — a tool meant to be restricted to election officials only — onto a big screen for all the attendees to see.The security of American elections has been the focus of enormous concern and scrutiny for several years, first over possible interference or mischief-making by foreign adversaries like Russia or Iran, and later, as Mr. Trump stoked baseless fears of fraud in last year’s election, over possible domestic attempts to tamper with the democratic process.

But as Republican state and county officials and their allies mount a relentless effort to discredit the result of the 2020 contest, the torrent of election falsehoods has led to unusual episodes like the one in Mesa County, as well as to a wave of G.O.P.-driven reviews of the vote count conducted by uncredentialed and partisan companies or people. Roughly half a dozen reviews are underway or completed, and more are being proposed.

These reviews — carried out under the banner of making elections more secure, and misleadingly labeled audits to lend an air of official sanction — have given rise to their own new set of threats to the integrity of the voting machines, software and other equipment that make up the nation’s election infrastructure.

Election officials and security experts say the reviews have created problems ranging from the expensive inconvenience of replacing equipment or software whose security has been compromised to what they describe as a graver risk: that previously unknown technical vulnerabilities could be discovered by partisan malefactors and exploited in future elections.

In Arizona, election officials have moved to replace voting machines in the state’s largest county, Maricopa, after conservative political operatives and other unaccredited people gained extensive access to them as they conducted a widely criticized review of the 2020 results. In Pennsylvania, the secretary of state decertified voting equipment in rural Fulton County after officials there allowed a private company to participate in a similar review.

And in Antrim County, Mich., a right-wing lawyer publicized a video showing a technical consultant with the same vote tabulator the county had used — alarming county officials who said that the consultant should not have had access to the device or its software.

When such machines fall into the wrong hands — those of unaccredited people lacking proper supervision — the chain of custody is broken, making it impossible for election officials to guarantee that the machines have not been tampered with, for example by having malware installed. The only solution, frequently, is to reprogram or replace them. At least three secretaries of state, in Arizona, Pennsylvania and Colorado, have had to decertify voting machines this year.Far from urging panic, experts caution that it would be extremely difficult if not impossible to meddle with voting results on a nationwide scale because of the decentralized nature of American elections.

But experts say that the chain of custody for election machines exists for good reason. Already this year, three federal agencies — the Justice Department, the Cybersecurity and Infrastructure Security Agency and the Election Assistance Commission — have issued updated guidance on how to handle election machines and preserve the chain of custody.“There are some serious security risks,” said J. Alex Halderman, a professor of computer science and engineering at the University of Michigan who studies election security. “Especially given the constellation of actors who are receiving such access.”

Republicans say they are simply looking for the answers their constituents are demanding about the 2020 election. “This has always been about election integrity,” Karen Fann, the Republican leader of the Arizona Senate, which authorized that state’s election review, said in an interview posted on the state party’s website last month. “Nothing else. Absolutely nothing else. This is about making sure that our votes are counted.”

Security experts say that election hardware and software should be subjected to transparency and rigorous testing, but only by credentialed professionals. Yet nearly all of the partisan reviews have flouted such protocols and focused on the 2020 results rather than hunting for security flaws.

In Arizona, the firm chosen by the Republican-led Legislature, Cyber Ninjas, had no previous experience auditing elections, and its chief executive has promoted conspiracy theories claiming that rigged voting machines cost Mr. Trump the state. The company also used Republican partisans to help conduct its review in Maricopa County, including one former lawmaker who was at the Jan. 6 protest in Washington that preceded the Capitol riot

In Wisconsin, the Republican Assembly speaker, Robin Vos, is pushing for a review of the 2020 results to be led by a former State Supreme Court justice who claimed in November that the election had been stolen. And in Pennsylvania, the Republican leader of the State Senate has announced hearings that he likened to a “forensic investigation” of the election, saying it could include issuing subpoenas to seize voting machines and ballots.

Christopher Krebs, the former head of the federal Cybersecurity and Infrastructure Security Agency, said such reviews could easily compromise voting machines. “The main concern is having someone unqualified come in and introduce risk, introduce something or some malware into a system,” he said. “You have someone that accesses these things, has no idea what to do, and once you’ve reached that point, it’s incredibly difficult to kind of roll back the certification of the machine.” Decertifying machines effectively means replacing them, often in a hurry and at great cost. Philadelphia’s elections board rejected an earlier G.O.P. request for access to the city’s election machines, saying it would cost more than $35 million to buy new ones.

In Arizona, Secretary of State Katie Hobbs, a Democrat, told Maricopa County in May that her office would decertify 385 machines and nine vote tabulators that had been handed over for the G.O.P.-led election review. “The issue with the equipment is that the chain of custody was lost,” Ms. Hobbs said in an interview. “The chain of custody ensures that only authorized people have access to it, so that that vulnerability can’t be exploited.” Pulling compromised machines out of service and replacing them is not a foolproof solution, however. The equipment could have as-yet-undiscovered security weaknesses, Mr. Halderman said. “And this is what really keeps me up at night,” he said. “That the knowledge that comes from direct access to it could be misused to attack the same equipment wherever else it’s used.”

As an example of his concerns, Mr. Halderman pointed to Antrim County in northern Michigan, where, months after a court-ordered forensic audit in the county, a lawyer involved with the case who has frequently shared election conspiracy theories still appeared to have access to a Dominion Voting Systems ballot-scanning device and its software.

A monthslong campaign. During his last days in office, President Donald J. Trump and his allies undertook an increasingly urgent effort to undermine the election results. That wide-ranging campaign included perpetuating false and thoroughly debunked claims of election fraud as well as pressing government officials for help. Baseless claims of voter fraud. Although Mr. Trump’s allegations of a stolen election have died in the courts and election officials of both parties from every state have said there is no evidence of fraud, Republicans across the country continued to spread conspiracy theories. Those include 147 House Republicans who voted against certifying the election. Intervention at the Justice Department. Rebuffed by ranking Republicans and cabinet officials like Attorney General William P. Barr, who stepped down weeks before his tenure was to end, Mr. Trump sought other avenues to peddle his unfounded claims. In a bid to advance his personal agenda, Mr. Trump plotted to oust the acting attorney general and pressed top officials to declare that the election was corrupt. His chief of staff pushed the department to investigate an array of outlandish and unfounded conspiracy theories that held that Mr. Trump had been the victor. Pressuring state officials to ‘find votes.’ As the president continued to refuse to concede the election, his most loyal backers proclaimed Jan. 6, when Congress convened to formalize Mr. Biden’s electoral victory, as a day of reckoning. On that day, Mr. Trump delivered an incendiary speech to thousands of his supporters hours before a mob of loyalists violently stormed the Capitol.

The lawyer, Michael DePerno, posted a video from a conservative news site featuring a technical consultant who went to elaborate and highly implausible lengths to try to show that votes in the county — which Mr. Trump carried by a wide margin — could have been switched. (County officials said this could not have happened.) The device and its software are only supposed to be in the possession of accredited officials or local governments. “I was shocked when I saw they had a tabulator in their video,” said Sheryl Guy, the county clerk, who is a Republican.

Neither Mr. DePerno nor Dominion Voting Systems responded to requests for comment. Easily the most bizarre breakdown of election security so far this year was the incident in Mesa County, Colo. The first sign of suspicious activity surfaced in early August, when a conservative news site, Gateway Pundit, posted passwords for the county’s election machines, the result of a separate breach in the county from the same month. A week later, the machines’ software showed up on large monitors at the South Dakota election symposium, organized by the conspiracy theorist Mike Lindell.

Jena Griswold, the Colorado secretary of state, said her office had concluded that the passwords leaked out when Ms. Peters, the Mesa County clerk, enlisted a staff member to accompany her to and surreptitiously record a routine voting-machine maintenance procedure. Gateway Pundit published the passwords a week before the gathering in South Dakota. Ms. Griswold’s office is investigating and has said that Ms. Peters will not be allowed to oversee elections in November. Ms. Peters, who has called the investigation politically motivated, did not respond to repeated requests for comment. In an online interview with Mr. Lindell, the chief executive of MyPillow, she admitted to copying the hard drives and software but insisted she had simply backed them up because of some perceived but unspecified threat to the data. She also cited unfounded conspiracy theories about Dominion equipment.

“I was concerned that vital statistics and information was being deleted from the system or could be deleted from the system, and I wanted to preserve that,” she said. But she flatly denied leaking the passwords or software. “I did not post, did not authorize anyone to post, any election data or software or passwords online,” she said. Even so, the secretary of state’s office said that Colorado counties had never been advised to make copies of their election machines’ hard drives.“It is a serious security breach,” Ms. Griswold said in an interview. “This is election officials, trusted to safeguard democracy, turning into an internal security breach.”The local district attorney has opened a separate inquiry into the episode and is being assisted by the F.B.I. and the Colorado attorney general’s office. Ms. Griswold, a Democrat, said she had also alerted the Cybersecurity and Infrastructure Security Agency.

But Ms. Griswold said she worried that with so many Republican leaders “leaning into the big lie,” the risks of what she called an “insider security issue” were growing.“I think it’s incredibly time-sensitive that elections are set up to guard both from external and internal threats,” she said.