What Happens in Maricopa Won’t Stay in Maricopa

How a little-known cybersecurity consulting company is controlling one of the most significant events related to the 2020 presidential election and plans to spread its tactics to other states.

Livestream video feeds of the Maricopa County audit in Arizona where a small cybersecurity firm is leading the proceedings, despite having no experience conducting ballot audits. (Screenshot/Zetter)

By now you’ve heard about the unprecedented democracy experiment in Maricopa County, Arizona, where Republicans in the state Senate have compelled the county to hand over 2.1 million ballots cast in the 2020 presidential election to conduct a manual recount and provide them with unfettered access to critical voting equipment and software and voter registration records.

The Senate has hired a small cybersecurity firm with no training in conducting hand-counted election audits — but with a committed belief that the 2020 election was marred by fraud — to oversee the operation. The audit, which Arizona Democrats have dubbed a “fraudit,” has so far been marked by irregularities, security issues and potential violations of federal and state voting laws.

The contractor — a Florida-based security consulting company called Cyber Ninjas — initially refused to publicly reveal its procedures for the audit, until a judge ordered it to do so. Concerns about the company’s competence have only grown since the audit began April 23. On the first day, a reporter spotted blue pens laid out at tables where workers planned to count ballots. But Arizona’s state election manual prohibits blue and black pens in auditing areas because they can be used to tamper with ballots or spoil them if workers aren’t careful and leave stray marks on them. To guard against this, only red pens are allowed in auditing areas. Doug Logan, Cyber Ninjas CEO, reportedly wasn’t aware of the prohibition when he designed the protocol for the audit.

The Brennan Center for Justice at New York University sent a letter to the Justice Department last week describing lax security practices at the facility where the ballots will remain for weeks while volunteers slowly peruse them. This puts the ballots “in danger of being stolen, defaced, or irretrievably damaged.” The letter also expressed alarm that teams assigned to investigate voter registration records plan to visit voters at their homes to verify they were eligible to vote in the election and didn’t commit fraud.

In response, the head of DoJ's civil rights division wrote GOP Senate President Karen Fann warning that giving ballots to private contractors potentially violated a federal law that requires ballots cast in federal elections remain in the custody of election officials for 22 months after an election. The letter also took issue with the visits to voter homes.

“Past experience with similar investigative efforts around the country has raised concerns that they can be directed at minority voters, which potentially can implicate the anti-intimidation prohibitions of the Voting Rights Act,” the letter said. “Such investigative efforts can have a significant intimidating effect on qualified voters that can deter them from seeking to vote in the future.”

Why is the Maricopa audit important? Biden's win in Arizona was particularly painful for Republicans, who only lost the state to a Democratic presidential candidate one other time in the last 72 years. Tensions mounted last year over the unfounded Sharpie-gate rumor, which falsely claimed thousands of ballots for Trump went uncounted because voters filled them out with Sharpie felt-tip markers instead of ink pens. Protesters converged on vote-counting centers shouting “Stop the Count!” while police escorted election workers to their cars.

Six months later, Senate Republicans, spurred on by QAnon conspiracy theorists and Stop the Steal activists, want to examine the ballots. They won’t be able to alter the outcome of the election, but critics say they’re looking for evidence to support the Stop the Steal claims and are concerned Republican lawmakers are looking for reasons to pass more restrictive voting laws.

But what happens in Maricopa won't stay in Maricopa. During a Thursday call with reporters, Arizona Secretary of State Katie Hobbs (D) and election observers said Maricopa is being used as a rehearsal for an audit show that will eventually hit the road to Georgia, Pennsylvania, Wisconsin and other states, setting precedent for how elections in the future will be challenged.

The following is a summary of events around the audit to bring you up to speed.

Doug Logan, CEO of Cyber Ninjas, which has been hired by GOP senators in Arizona to oversee the Maricopa audit. (screenshot of Cyber Ninjas Twitter post / Kim Zetter)

The Basics

When it became clear that President Trump lost Arizona last year, his campaign sued Arizona election officials and accused election workers in Maricopa County of incorrectly rejecting ballots. The suit was dismissed, but Trump, who won Arizona in 2016 but lost in 2020 by just 10,457 votes, believes the audit will uncover “thousands and thousands and thousands” of votes for him that went uncounted.

In Maricopa County, the largest in the state, President Joe Biden won with just 50.3 percent of the vote. After the election, the county’s Republican-dominated board of supervisors hired two accredited voting-system testing labs — Pro V&V and SLI Compliance — to conduct a forensic audit of the voting equipment; they determined that the machines had not been hacked and had tallied the votes accurately. A hand recount of a statistically significant sample of ballots supported this.

But the Republican-controlled state Senate wasn’t convinced and issued a subpoena for the ballots to conduct its own recount. They claim their aim isn’t to prove the election was stolen but to uncover election problems that need to be fixed.

The Arizona Democratic Party sued the state Senate and Cyber Ninjas to halt the recount, on grounds that it violates state election laws and audit procedures, but has so far failed.

(Screenshot from https://azaudit.org/ livestream / Kim Zetter)

What is the Timeframe for the Audit?

The recount began April 23. County officials, including Republicans, refused to lend the Senate county facilities to count the ballots, so the Senate has leased the Arizona Veterans Memorial Coliseum, located on state fairgrounds, until May 14. After that, high school graduations take over the facility for several days.

But the Senate and Cyber Ninjas miscalculated how long the recount would take, and only about 10 percent of the 2.1 million ballots were tallied as of last week, raising questions about what will happen to the ballots when the auditors have to vacate the Coliseum on Friday.

Have Arizona Senators subpoenaed ballots before?

Yes. In 2004 Anton Orlich, a fringe conservative, won a GOP state House primary by four votes against John McComish, an establishment Republican. A recount put McComish in the lead by 13 votes. It also uncovered 489 votes that the optical-scan machines had previously missed. The Senate hired a voting machine expert who believed the machines were poorly calibrated, but he wanted to review the paper ballots to rule out fraud. The Senate moved to issue a subpoena for the ballots, but the FBI intervened and grabbed them from the county. No one saw the ballots again. The local U.S. attorney announced 10 months later that his office had examined the ballots and found no evidence of fraud.

Who is Behind the Audit?

The Republican-led state legislature is behind the audit on its face. But most of the funding is coming from private donors. Patrick Byrne, former head of Overstock.com, has donated $1 million so far. Former Arizona Secretary of State Ken Bennett, who is acting as liaison between the Senate and Cyber Ninjas, has refused to say if Trump contributed.

(Screenshot of Cyber Ninjas’ web site / Kim Zetter)

Who is conducting the audit?

There are four private firms involved. Cyber Ninjas is project manager overseeing the work of subcontractors and responsible for the final report that will be submitted to the Senate. CyFIR and Digital Discovery compose the forensics team responsible for imaging the voting machines and the electronic poll books used to check in voters at the polls and examining them for manipulation. Wake Technology Services is conducting the hand recount with teams of volunteers who have undergone criminal background checks. A fifth shadow player is Jovan Hutton Pulitzer, who created UV scanners being used to inspect the ballots for signs of fraud (see below).

Arizona Senate President Karen Fann called Cyber Ninjas “well qualified, well experienced” to oversee the audit. But the company has no discernible election auditing experience or training and critics say it shows.

Roopali Desai, a lawyer for the Democratic Party, told a judge that the Senate has abdicated its duty “to rogue actors who are making a mockery” of election laws and procedures. “[T]here are no safeguards in place. There's no proper training. No procedures. No rules.”

What does the audit involve?

Counting teams, dressed in blue, green, yellow or pink shirts to keep teams separate, sit at round tables while the ballots are placed one at a time on a lazy Susan the team members rotate. Three people review each ballot and hand tally the votes. Once a batch is completed, a team member verifies that the tallies match. The ballots are then taken to a workstation to be imaged and scanned by a UV device. Auditors are also reportedly scrutinizing the ballots for bamboo fibers in the paper, which, according to QAnon conspiracy theorists, would prove they were fraudulent ballots produced in China to subvert the election.

Initially reporters couldn’t determine the reason for the UV scanning, but after a court ordered Cyber Ninjas to disclose its auditing protocols, it became clear the scan is intended to reveal if a ballot is legitimate or fraudulent. According to QAnon conspiracies, the Trump administration placed a watermark on “official ballots” and the ultraviolet light will reveal it on the ballots — a theory that has been debunked since Maricopa ballots don’t have a watermark.

Pulitzer, an election fraud conspiracy theorist who happens to be infamous for inventing the failed CueCat barcode reader years ago, claims the UV scanners can distinguish legitimate ballots by examining the ink and folds in the paper. He says the technology, which he designed, has been tested on more than 2 million ballots but has declined to tell reporters where the tests were done — purportedly due to non-disclosure agreements. Ron Watkins, a prominent QAnon conspiracy theorist, has said the UV light can detect oil from fingerprints. If there is no oil on a ballot then it means a machine must have marked the ballot instead of a human, suggesting fraud.

In addition to the ballot recount, the subcontractors working under Cyber Ninjas are taking mirror images of voting machines, electronic poll books, and the election-management systems that tallied final results in Maricopa, to determine if any of the systems were connected to the internet or if their software was manipulated or votes changed.

“The analysis of those will require several weeks to complete,” Logan said in a statement last Wednesday.

Finally, the auditors will examine voter registration records to determine if voters who weren’t eligible to cast ballots voted in the election.

Screenshot of a now-deleted tweet from Logan’s Twitter account.

Who are the Cyber Ninjas?

Cyber Ninjas is based in Sarasota, Florida, and works with companies and organizations to evaluate their cybersecurity risks, establish security policies and procedures, and develop secure software-development lifecycles. In addition to being CEO, Logan is principal consultant and also volunteers as a senior instructor and chief technologist for US Cyber Challenge. The USCC, overseen by the Center for Internet Security, holds week-long camps aimed at finding and training people to work in cybersecurity. Logan himself was a participant at the first US Cyber Challenge in 2010 and has helped design capture-the-flag contests that pit contestants against each other to test their hacking skills.

Logan used to work for Cigital Software in its Bloomington, Indiana office and founded Cyber Ninjas there in 2013 before moving to Sarasota the next year with help from Sarasota’s Economic Development Corp. He has eleven children and describes Cyber Ninjas as a Christian firm.

“As a Christian company, we also believe we have a responsibility to serve, as Christ served,” reads a company press release. “Helping the USCC is a great way to be a blessing to others, while helping combat evil hackers.”

The company’s web site is outdated — the last blog posts and press releases posted are years old. It’s also vague about who Cyber Ninjas’ clients are, saying only that its customers are in government and the financial sector. A conference speaker’s bio for Logan, however, says he has done cybersecurity work for the Federal Communications Commission, United Services and Administration Corporation, JP Morgan Chase, Bank of America, Citibank, and Sallie Mae. Another speaker bio says he has worked in technology for 15 years, including “roles in development, product management, application penetration-testing, consulting and training.”

The bio says Logan “takes his enthusiasm for teaching home with him to help shape the lives of his eleven wonderful children. He finds that if you master the art of taming the ‘Why’s' of a two-year old, deftly handling corporate politics is a piece of cake; and if you can successfully design a kitchen cleaning program which trains and engages 4 & 5-year-olds; building an application security program out of recent college graduates just doesn't seem that hard.”

There is no mention of election auditing experience or training on the Cyber Ninjas web site or in Logan’s speaker bios. Nonetheless, he asserted last week that he and his auditing subcontractors do have election experience: “In each component [of the audit], the company administering that work has election experience in that area. Each member of our team has been part of election audits, including Cyber Ninjas, which was part of election audits in Michigan and in Georgia.”

Cyber Ninjas was not part of official county and state audits or recounts in either Georgia or Michigan. But Logan was cited as an expert witness for the plaintiff in a lawsuit alleging electoral malfeasance in Antrim County, Michigan. The plaintiffs got court permission to conduct a forensic audit of Dominion voting machines there. It was done by a collective called Allied Security Operations Group — a loosely affiliated group described in the report as “globally engaged professionals who come from various disciplines.” ASOG, however, has been the center of the Stop the Steal movement and has been instrumental in furthering Trump’s claims about election fraud.

Logan’s name isn’t on the ASOG report in Michigan, but the report may be a forecast of what Logan’s auditing team in Maricopa may conclude. The Michigan report claims that Dominion Voting Systems are “intentionally and purposefully designed with inherent errors to create systemic fraud and influence election results” and that the “results of Antrim County should not have been certified.”

Screenshot of now-deleted retweet that Logan amplified through his Twitter account after the 2020 presidential elections.

Logan himself has been a vocal supporter of Trump on social media, has repeatedly amplified false claims about fraud on social media, and has been a strong proponent of conspiracy theories about Dominion and other voting machine vendors. He and Ron Watkins retweeted each other’s false messages about election fraud after Biden won, including assertions that 200,000 votes for Trump in Arizona went uncounted and that Dominion Voting Machines dropped votes for Trump. All of which makes him a troubling choice to lead an audit of Dominion election equipment in Maricopa.

Dominion has called Cyber Ninjas “beyond biased.”

Logan, however, claims that he’s just skeptical about the election and that this is a positive quality in an auditor. It’s “the most skeptical person who makes the best auditors; not the person who thinks it is impossible to find anything,” he has said.

Is the Audit Transparent?

It’s become somewhat more transparent following court battles.

Although a live videostream of the audit is available at azaudit.org, Cyber Ninjas fought to prevent the media from observing the procedures in person. Currently, though, media outlets can take shifts observing the audit from bleachers inside the facility.

Cyber Ninjas also fought to keep its auditing procedures secret. Even after a judge ordered the company to submit the auditing documents to the court, Cyber Ninjas insisted they be kept sealed and also asked the judge to bar the media and public from a hearing to discuss them.

The company’s attorney argued variously that the documents were protected by legislative privilege, since the Senate is Cyber Ninjas’ client; that they are proprietary and making them public would undermine the security of the audit; and that disclosing them publicly would harm Cyber Ninjas’ financial interests, since the company plans to turn election auditing into a side business. The company “expects to have similar business opportunities to undertake such work for other governments around the country,” Alexander Kolodin, the company’s lawyer, wrote in court documents.

Arizona’s First Amendment Coalition argued that, “It is difficult to conceive of a case that warrants transparency more than this one.” The judge agreed.

What problems have occurred so far?

The state’s election director, Bo Dul, has called the auditing procedures haphazard, and other critics have accused the auditors of making things up on the fly.

Arizona Secretary of State Katie Hobbs (D) wrote in a letter to Bennett that “our elections are governed by a complex framework of laws and procedures designed to ensure accuracy, security, and transparency [but] the procedures governing this audit ensure none of those things.”

The issues have included lax building security — journalists found they were able to enter unlocked doors without anyone stopping them. The Senate asked Maricopa County’s sheriff to dispatch deputies to secure the coliseum, noting the Senate’s inability “to protect the election equipment and ballots on its own.” The sheriff declined, saying the coliseum was state property, not the county’s.

Election observers speaking to reporters on Thursday described ballots left unsupervised on tables in the vicinity of observers and disorganization in tracking ballots as they were removed from boxes, distributed to auditors and returned to boxes.

Under Arizona law, the three counters on a team are supposed to tally the votes separately and not discuss them or compare notes until a batch is done. But observers said the counters were sometimes saying candidate names out loud as they marked their tally sheets. They also stopped to consult each other on the number of ballots each had counted to make sure that none of them had missed a ballot. Observers described the process as a free-for-all in which no one seemed to be ensuring that procedures were followed or followed consistently.

The audit continues this week.

If you’d like to receive other articles like this, you can subscribe to Zero Day here: