Arizona election auditor: 'Critically important' investigators get access to Maricopa County routers

Systems are vulnerable to hacking, investigator claims.
Ballot counters at the Arizona audit, May 3

An auditor helping lead the 2020 election audit in Maricopa County, Arizona, said Thursday that it is "critically important" auditors gain access to a contested set of data machines that the county is refusing to hand over. 

Maricopa County has for months refused to hand over county-owned routers subpoenaed by the Arizona state Senate, despite a judge earlier this year ruling the subpoena valid, effectively ordering the county to comply. 

County officials have claimed that the routers, if surrendered, could constitute a security risk if sensitive data within them is leaked.

At the state Senate hearing on Thursday, one of the lead investigators of the Maricopa audit dismissed those claims and stressed what he said was the pressing importance of obtaining the routers. 

Obtaining the routers is "critically important," Ben Cotton, the founder of the cybersecurity group Cyfir, told Arizona state officials. 

Cotton said the routers will help clarify the specific vulnerabilities he claimed are present in the county's digital election systems. 

"The last time that the antivirus [software] was updated on these systems," Cotton claimed during his testimony, was in August 2019.

"There have been no operating system updates or patches since that same date," he also said.

Hackers, he claimed, would have "no difficulty at all" gaining "system-level access" to registration systems at the "current patch state and antivirus state of these systems."

Cotton dismissed the security concerns advanced by the county over the last few months, saying a forensic review of the systems would produce no "people-sensitive data" from county files. 

The county has claimed that its routers are shared jointly by multiple sensitive departments including law enforcement and local branches of federal agencies, and that surrendering the machines to auditors would constitute an undue risk for that data.