
'Oh God, no': Handing over computer equipment to GOP audit could expose county to cyber attacks, expert says

Sheriff Penzone concerned about risk to private public safety information. He says he'd go to court to block release of computer routers to audit team

PHOENIX — We're entering the third day of a legal standoff over Arizona Senate Republicans’ election audit, with cybersecurity experts warning that your personal information could be at stake.

Maricopa County has rejected an ultimatum that it hand over to the auditors the building blocks of its computer network.

But Senate Republicans have yet to follow through with the subpoenas they threatened to issue on Monday. 

The plan was to haul several county officials before a Senate committee to explain under oath their refusal to follow an earlier subpoena. 

"I find that to be reckless," Maricopa County Sheriff Paul Penzone said in an interview Tuesday.

Penzone was toning it down. "Mind-numbingly reckless" is how he described Senate Republicans' behavior on Friday when the ultimatum was issued. 

"If you're making decisions that affect law enforcement, have the courtesy to at least hear from us."

If he has to go to court to protect the routers, Penzone said, he will.

The battle is over the computer routers used by the fourth-largest county in the country.

Auditors want the equipment to test a conspiracy theory. 

Penzone and the County Board warn that handing over the routers, which were sought in a Senate subpoena four months ago, would expose the personal information of countless people and put public safety at risk. 

There would also be a financial hit. County Board Chair Jack Sellers warned of a $6 million bill to replace the routers that the auditors would have.


'Big Security Risk'

"Ask any (information technology) professional if they would be willing to hand their router over to just anybody, and 10 times out of 10, they will tell you, 'Oh God, no,'" said Matt Bernhard, a research engineer at VotingWorks, a non-profit and non-partisan voting technology company.

“It is a big security risk.”

Bernhard describes the work of routers using the analogy of a mail carrier’s route. 

Computers send envelopes with an address on the outside to the router. The router reads the address and knows where to send it. 

"Routers are very central. They see all of the communication that happens between computers on the networks," Bernhard said.

"If the sheriff's office is talking to the D.A.'s office over the network, these routers are going to see that traffic."


Private Public Safety Information

Penzone is concerned that private information about cases, inmates and detention officers, for example, could fall into the wrong hands.

Other law-enforcement agencies might shy away from working with MCSO, he said. 

“Suddenly we're empowering (the auditors) to be responsible for critical information we need,” he said.

The greatest risk of handing over the routers and the computer network road map they contain, Bernhard said, is opening the door to hackers or ransomware attacks.

“Once that becomes public, it makes their job a lot easier,” he said.

Testing a Conspiracy Theory

Senate Republicans subpoenaed the routers so auditors could test a conspiracy theory: whether the county's ballot-counting machines are connected to the internet.

"There are people that have always suspected something nefarious about elections being connected to the Internet," Senate audit liaison Ken Bennett said. 

An independent audit done for the county earlier this year found the tabulating machines had no connections to the internet.

"The general hypothesis is somebody broke into the election, they hacked the system," Bernhard said.

“An attacker gets into the network somehow, maybe that's through the router, and from there can hop onto voting equipment.” 

Is that even plausible with election computers that aren’t networked?

"It is extremely rare," Bernhard said, "and would require nation-state level resourcing and effort to do."

'Not Conventional Auditors'

Bernhard, like other election security experts interviewed about the audit, was wary of reading too much into what the Senate Republicans’ team might do with the equipment. 

“These are not conventional election auditors,” he said. “I use auditors very loosely.”

None of the members of the audit team hired by Senate President Karen Fann have experience auditing an election.

The Senate Republicans’ spokesman and attorney didn't respond to a request for comment about the status of the subpoenas for the routers. 

Late in the day Tuesday, Jeremy Duda of the Arizona Mirror reported that Senate Republicans might target Dominion Voting Systems with a subpoena. 

Dominion, which leases its ballot-counting machine to Maricopa County, has passwords the auditing team wants.
