The Cybersecurity 202: Maricopa County is showing how not to audit an election

Arizona's top election official is urging the county to discard audited voting machines over security concerns. ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Sign up for this newsletter Read online Your daily cybersecurity policy download.       By By Joseph Marks with Aaron Schaffer  Email Maricopa County is showing how not to audit an election A partisan election audit in Maricopa County, Ariz., is turning into a lesson in how not to manage cybersecurity and elections.  The review began under a cloud. The GOP-controlled state Senate launched it despite the objections of top county officials and hired Cyber Ninjas to conduct it — a company with no election audit experience and whose CEO Doug Logan has echoed false claims that the 2020 election was stolen.  Since then, the audit has been beset by unforced security errors including laptops with election information being left unattended and WiFi routers connecting to laptops that contain vital election information.  Ballots themselves were also left unattended in poorly secured storage facilities and ballot images are being taken with cameras that seemingly haven't undergone security vetting or been certified by a government body. "In more than a decade working on elections, audits and recounts across the country, I've never seen one this mismanaged," Jennifer Morrell, a partner at the Elections Group consulting firm and a former local election official in Colorado, wrote in a Post op-ed. Maricopa County ballots are examined and recounted by contractors working for the Florida-based company Cyber Ninjas. (Matt York/Pool/AP) The coup de grace came when Arizona Secretary of State Katie Hobbs (D) warned the county that it should replace nearly 400 ballot tabulators at a cost of millions of dollars because it couldn't verify that Cyber Ninjas hadn't tampered with them in a way that would make them more vulnerable to hacking — or left them unattended while someone else did so.  "The lack of physical security and transparency means we cannot be certain who accessed the voting equipment and what might have been done to them," Hobbs wrote to county leaders.  Maricopa County leaders, who are contemplating suing the state Senate and the auditors, said they will not use any equipment that isn't verified to be secure. The county board of supervisors is also majority Republican.  The slapdash approach to the audit stands in stark contrast to how nonpartisan election audits are typically conducted. "If post-election audits are performed and completed correctly, they are taken seriously; they are a big deal, and they must be done with great precision and public transparency — not 'flying by the seat of your pants,' " Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, wrote in a blog post.   He compared the Cyber Ninjas auditors to bankers who fail at the basic task of ensuring the security of all the currency in the bank.  Maricopa County ballots are examined by contractors working for Cyber Ninjas. (Matt York/Pool/AP) The rookie errors are especially egregious if you consider the last four years. There's been a nationwide effort to improve election cybersecurity protections following Russian interference in the 2016 contest.  Those efforts included buying new, more secure voting machines with auditable paper trails and fielding a massive network of Department of Homeland Security cybersecurity sensors in election offices across the nation. When all was said and done, top law enforcement and cybersecurity officials called the 2020 contest the most secure election in history. Despite those improvements, however, voter confidence in election security was battered in 2020 — largely because of false claims by former president Donald Trump and his supporters that the election was stolen.   The Maricopa audit could undermine voter confidence further — even if auditors don't find any evidence of fraud.  "A group with no expertise, improvising procedures as it goes, is sowing doubt about the result of a well-run election," Morrell wrote. "This is not an audit, and I don't see how this can have a good outcome." Maricopa County ballots are reviewed at Veterans Memorial Coliseum in Phoenix. (Matt York/Pool/AP) But the Maricopa model will probably be repeated elsewhere.  A Georgia state judge ordered heavily Democratic Fulton County to allow local voters to review all 147,000 mail-in ballots cast in the county in 2020 amid allegations counterfeit ballots were accepted, Amy Gardner reports.  The order came after two statewide audits and a hand recount found no evidence of widespread fraud in the state, which Joe Biden narrowly carried.  And Fulton County is just one of many communities where local voters and Trump supporters are pushing for additional audits. Such efforts are underway in Michigan and New Hampshire, among other states, Amy reports. "What's happening in Arizona is potentially a mortal attack on the firewall that protects impartial election administration from political influence and disinformation," Perez wrote. "This model could spread to other states, and it must not. When weaponized doubt undermines faith in elections forever, it will be 'game over' for representative democracy." Share The Cybersecurity 202    The keys An FBI analyst was indicted on charges of bringing home sensitive documents on cyberthreats and other dangers. The grand jury indictment charges Kingsbury with two counts of gathering, transmitting or losing defense information. (Jose Luis Magana/AP) Kendra Kingsbury took home the national security documents over the course of more than a decade, Derek Hawkins reports. Prosecutors did not indicate what Kingsbury's motive was. The documents she took home also included materials related to al-Qaeda and Osama bin Laden, they said. Kingsbury's arraignment is scheduled for June 1. A message left at a listed phone number was not immediately returned this weekend. "The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing," Alan E. Kohler Jr., the assistant director of the FBI's Counterintelligence Division, said in a statement. She is not accused of leaking the documents, which commonly accompanies mishandling classified information. The ransomware that bedeviled the Irish health-care system has hit more than a dozen U.S. health-care and first responder networks in the past year. More than 400 organizations worldwide have been hit by Conti ransomware, according to the FBI. (Chris Ratcliffe/Bloomberg News) They're among more than 400 organizations worldwide, including 290 in the United States, that have been hit by the vicious strain of ransomware, the FBI said in an industry alert. Ireland is still reeling from the attack, which has stalled many non-emergency medical services. The group behind that attack may release sensitive patient information today after Ireland refused to pay a $20 million ransom to the hackers, an Irish official warned. A decryption tool has helped with restoring medical systems, officials said. India's national airline said 10 years' worth of its passenger data was breached. The stolen data included passport and credit card details, the airline said. (Money Sharma/AFP/Getty Images) Information including passport and credit card details were stolen in the breach, which originated with airline IT company SITA Passenger Service System, the Associated Press reports. Air India said 4.5 million passengers globally were affected by the breach, though it did not say how many were its travelers. The airline said no customer passwords were stolen.  Hackers were in SITA's systems for 22 days, SITA global head of communications Edna Ayme-Yahil told the Times of India. The company initially said that other major airlines, including Singapore Airlines and Lufthansa, were affected.   Industry report US Chamber asks government to get more involved in ransomware defense By NextGov ●  Read more »   Amazon, Uber and America's biggest delivery companies all fell for basic 'fake driver' scam By Forbes ●  Read more »     Global cyberspace Defying US sanctions, Russian cybersecurity firm aims for 2022 IPO By Reuters ●  Read more »     Cyber insecurity Indonesia summons state health insurer over alleged data leak By Reuters ●  Read more »     Chat room The Russian federal government was breached by "cyber mercenaries" working for a foreign country, according to a new report partially written by an organization created by Russia's Federal Security Service spy agency. Silverado Policy Accelerator executive chairman Dmitri Alperovitch pointed out some issues with that attribution: Russia has used such claims to brush off allegations by U.S. government officials that its spy agencies hacked the SolarWinds software firm, the 2018 Tokyo Winter Olympics and other targets. FireEye's Alex Lanstein:   Daybook Retired Gen. Keith Alexander, the former commander of U.S. Cyber Command and director of the NSA, speaks at a cybersecurity conference hosted by the U.S. Chamber of Commerce at 9:15 a.m. on Tuesday. Ben Bernstein, senior special counsel at the Securities and Exchange Commission, discusses cyber governance at a Cyber Crossroads event at 11:35 a.m. on Tuesday. A House Science Committee panel holds a hearing on software supply chain security in the wake of the cyberattack on SolarWinds and other companies on Tuesday at 2 p.m. Former Undersecretary of Defense for Policy Michèle Flournoy, the co-founder of WestExec Advisors, speaks at the Institute for Security and Technology's Strat-Tech conference at 2:10 p.m. on Tuesday.    Amb. Tobias Feakin, Australia's cyber ambassador, and a White House official speak at a Center for a New American Security event on Tuesday at 6 p.m. Secretary of Homeland Security Alejandro Mayorkas testifies before House and Senate Appropriations Committee panels at 10 a.m. and 2 p.m. on Wednesday.  Former Director of National Intelligence Adm. Dennis Blair and former Homeland Security Secretary Michael Chertoff speak at a Center for Strategic and International Studies launch event for the Multilateral Cybersecurity Action Committee on May 26 at 2 p.m. The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security on Thursday at 10:15 a.m. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, and Jeffrey Greene, the National Security Council's acting senior director for cybersecurity, speak at a Center for Strategic and International Studies event on Thursday at 2 p.m.   Secure log off   We think you'll like this newsletter Check out The Optimist for a selection of inspiring stories to help you disconnect, hit refresh and start the week off right, delivered every Wednesday and Sunday. Sign up »

Manage my email newsletters and alerts | Unsubscribe from The Cybersecurity 202 | Privacy Policy | Help You received this email because you signed up for The Cybersecurity 202 or because it is included in your subscription. ©2021 The Washington Post | 1301 K St NW, Washington DC 20071