Maricopa County election data is in a 'secure lab' in Montana, or maybe a log cabin in the woods?
A contractor hired by the Arizona Senate is reviewing Maricopa County's 2020 election data from an undisclosed location in Montana, with no oversight from state or county officials.
Ben Cotton, founder of tech firm CyFIR, a Senate subcontractor, made copies of the county's election server and other election data and then drove the copies to a "secure lab" in Montana, according to Senate liaison Ken Bennett. The Senate was given county voters' private information, but Bennett said he doesn't know if Cotton has copies of that in Montana.
It appears that the "secure lab" might be a home owned by Cotton in the northern Montana wilderness. Bennett said he didn't know, and Cotton and Cyber Ninjas, the Senate's main contractors, refuse to answer questions.
The fact that the county's election data is out of state isn't necessarily risky in itself, but if Cotton has copies of the underlying software in the county's vote-counting machines or voter data and hasn't officially agreed to terms that would keep it secure, that's where the risk comes in, said Alex Halderman, a University of Michigan computer science and engineering professor who specializes in election security.
"An important question to be asking in Arizona is what protections are in place to make sure the software doesn’t say fall into the wrong hands and that vulnerabilities that the team discovers are responsibly reported," Halderman said.
It's unclear whether CyFIR has promised the Senate or Cyber Ninjas, the company overseeing the audit, specific security measures for how the data will be stored and accessed.
Bennett said Cotton is keeping the data secure, but he said he does not have any details on how that is happening. He said he doesn't know whether CyFIR will keep the copies of the data, or who has access in Montana. He said no one representing the Senate is overseeing the review of data in Montana.
Where is this data?
Bennett said the only thing he knew for sure was that Cotton had taken the data to a "secure lab" in Montana.
Cotton is not just the founder of CyFIR, which is based in Virginia, but also CEO of CyTech Services, the original company from which CyFIR emerged in 2018. CyTech Services lists a Montana address on its website.
That address belongs to a log cabin in a remote area of northwest Montana, about 20 miles south of Bigfork, a tiny tourist village, and 40 miles south of Kalispell. Property records show the cabin is owned by Cotton.
Cotton did not answer a call or email asking whether that is where he is examining the election data. It's unclear whether he, or his company, owns or leases space elsewhere in Montana.
What data does Cotton have in Montana?
Maricopa County received subpoenas from the state Senate, and after a court ruling, provided the Senate with 8 terabytes of data, including tabulator event logs, voter registration data, digital images of ballots and early ballot affidavit signatures and election results files, said Megan Gilbertson, the county Elections Department spokesperson. That's in addition to all of the 2.1 million ballots, servers and vote-counting machines.
"As we don’t have any insight into the Senate’s audit processes and do not know if any of that data was cloned or altered, we wouldn’t be able to provide you with information about what was on the hard drives sent to Montana," Gilbertson said.
Under the original work plan released by Cyber Ninjas, the analysis of the county's vote-counting machines would be done by Cyber Ninjas, CyFIR and “a number of additional analysts, the identities and qualifications of whom shall be made available to (the Senate) upon request.”
It's not clear how the contractors are examining the machines, or what exactly they are looking for beyond whether the machines were connected to the internet during the election, which a prior county audit showed was not the case.
Because the state Senate's contractors were given nearly unfettered and unmonitored access to the voting machines, Secretary of State Katie Hobbs has said her office may not allow the county to use them again.
CyFIR's work already was scrutinized after they, or other contractors, told Senate President Karen Fann, R-Prescott, that the county had deleted certain election directories from the server it provided.
Cotton told Senate Republican leaders later that he now has access to these files. He said he had initial trouble downloading the county's data because the county didn't provide directions for copying its multilayered hard drive.
Is there a risk to the county and its voters?
It's unclear what the state Senate's contractors have and don't have access to.
Fann has tried to get additional passwords and keys to the county's voting systems, while the county has said it does not have any additional passwords and the Senate would have to get anything further from the machine manufacturer, Dominion Voting Systems. These passwords may have provided easier access to the software components within the county's vote-counting machines, but that is not entirely clear.
The fact that the county's voting data is in Montana is only public knowledge because Ryan Macias, former acting director of testing and certification at the U.S. Election Assistance Commission who is observing the audit for the Arizona Secretary of State's Office, asked Bennett about it and the office posted his answer on its website.
Macias said he asked Bennett to confirm that data had been sent to Montana after hearing a rumor.
"He did not specify what security measures were in place," according to Macias' notes on the Secretary of State Office's website, "or what the lab in Montana will do with the data or how long it will be in possession of the copies."
Halderman said that if Cotton only has access to the county's election management software, that's not a huge risk. The risk comes in if the contractors have access to the firmware, share that information or share the vulnerabilities they find publicly.
"If it's shared inadvertently or stolen by people who want to attack election systems in the future, that could be a security risk," he said.
Halderman said there's no evidence that is happening here, but "that's a reason why you want the parties performing an audit to be trustworthy."
Bennett said CyFIR should be trusted because they do "top secret work for government agencies" and they would not be hired if they did not keep data secure.
The company received attention several years ago when it discovered a high-profile cyberattack on the U.S. government.
In 2015, the Wall Street Journal reported that Cotton’s affiliated company, CyTech Services, discovered that a federal database was breached while it was performing a demonstration for the U.S. Office of Personnel Management, or OPM, which maintains employee records and background checks for the government.
When Cotton detected the malware, CyFIR, upon the federal government’s request, began “providing significant incident response and forensic support to OPM related to the 2015 incident,” according to a subsequent report on the events from the House Oversight and Government Reform Committee.
In June 2018, CyTech Services spun out the CyFIR software and services business into its own entity, according to a company representative, who said CyTech Services remains fully operational and is a close partner with CyFIR.
When Maricopa County commissioned an independent audit of its election system in February, the county provided two private firms access to its vote-counting machines and underlying software. Some of the firms' work evaluating copies of the system was done off-site, Gilbertson said.
Those firms, though, Pro V&V and SLI Compliance, are accredited voting-system testing laboratories under the U.S. Election Assistance Commission.
"These firms are held to the highest ethical standards, which is why the county trusted them to independently audit the county’s tabulation software and hardware," Gilbertson said.
The companies also did not have access to the county's ballots, digital images of ballots or voter information.
That audit came back clean, showing that the county's election equipment had not been hacked or connected to the internet during the November election.
Dominion Voting Systems believes it's "critically important" that only accredited firms have access to voting equipment, according to a spokesperson.
"There are real concerns about what unaccredited firms do with secure voting equipment. Voting systems are deemed critical infrastructure by the U.S. government and should be utilized, maintained, and protected as such," according to Dominion.
Republic reporter Ryan Randazzo contributed to this article.