Special master chooses experts for ‘audit’ examination of routers and logs

The special master who is overseeing the examination of Maricopa County’s routers as part of the so-called “audit” of the 2020 election has selected his team of experts, and the Senate has provided him with a list of questions it wants answered. 

The end goal of the examination is to see whether Maricopa County’s election equipment was ever connected to the internet, as proponents of conspiracy theories about the 2020 election have insisted. The county has repeatedly denied the allegations, and audits it conducted of its election equipment confirmed as much in early 2021. 

Some proponents of the false allegations that the 2020 election was rigged against former President Donald Trump have espoused wild theories that election systems in Arizona and other swing states that President Joe Biden won were hacked so that votes could be changed. Senate President Karen Fann and Senate Judiciary Committee Chairman Warren Petersen subpoenaed the routers and Splunk logs as part of their “audit,” despite a lack of evidence that the county’s ballot tabulation machines or other parts of its election system were ever connected to the internet.

Two pieces of equipment that the Senate’s “audit” team said were connected to the internet were election department web servers that are supposed to be connected, and which aren’t connected to the election management system, the county said.

John Shadegg, a former Republican congressman whom the Maricopa County Board of Supervisors and Fann chose as the special master in September, announced his three-person team on Friday. 

Shadegg’s team consists of Jane Ginn, a cybersecurity threat analyst from Cyber Threat Intelligence Network, Inc.; Brad Rhodes, an independent cybersecurity consultant and adjunct professor at Gannon University in Erie, Penn.; and Andrew Keck, the owner and chief technology officer at Profile Imaging of Columbus, LLC. Under the terms of his agreement with the county, Shadegg had sole discretion to select the team, though Fann said in a press statement that all parties had agreed on the IT experts. 

Shadegg is being paid $500 an hour for serving as special master. The Arizona Republic reported Friday that he has been paid nearly $17,000 so far. Each of the experts will bill the county for their time, and it’s unclear how much it will cost to examine the routers and the logs.

The three experts will answer the list of questions submitted by the Senate pertaining to the county’s routers and logs created by the software Splunk, which creates records of events and tasks that occur over a network in order to monitor security, troubleshoot issues or detect threats. 

“Having been instructed not to release the questions prior to the IT experts being hired, the Senate is now submitting the list of questions provided by the auditors. We are hoping to conclude this part of the audit expeditiously and without any further delays,” Fann said in a press statement. 

The Arizona Mirror spoke with two people with knowledge of Splunk and network security about the questions posed by the Senate to gain a better understanding of what information the Senate is asking for and the feasibility of its demands. 

“A lot of the information they’re asking for is information that wouldn’t be logged,” Bryan Andrews, a network engineer, told the Mirror. He added that the Senate is asking for “good diagnostic information,” but it wouldn’t likely have a “smoking gun.” 

Many of the logs the Senate would likely receive will be encrypted, as well, meaning they will be impossible to interpret and the Senate will only be able to see that a request happened and no other information. Additionally, Splunk does not log information such as IP or netflow data. 

“They want to pretend that there was a wiretap and that they can pull all the records,” Andrews said. 

The logs will only show certain information, such as failed log-in attempts, communications between servers or if a cable is unplugged. It won’t show if a hacker or nefarious state actor tried to hack the county’s system, Andrews said. 

Andrews also said that it is possible that other county information could be contained among the logs, as generally Splunk is all contained in one account that is shared across one system which is then split into different “silos” so you “have to be very careful when giving someone access,” Andrews said. 

One cybersecurity expert said there will be reams of data to sift through, and that it will be easy to cherry-pick data and present it as evidence of something that can’t be proven.

“It’s going to generate a ton of data — just as if you were going to record somebody’s conversations for a week,” Jason Hernandez, an independent security researcher, said. “There would absolutely be something that would be taken out of context and make somebody look bad.” 

Hernandez said he doesn’t believe the process will be overly burdensome on the county to produce, and that examining the Splunk logs for security reasons on occasion may not be entirely a bad idea. However, in light of the context of the request, Hernandez said it makes things feel different. 

“If it wasn’t for the context and craziness, this would be something that is more routine — that would be a chore,” he said. 

County officials turned over most of the materials that Fann and Petersen sought after a judge ruled that the subpoenas were valid. But the county balked at providing access to the routers, which service all county departments, and which contain information that goes far beyond the 2020 election. The agreement they reached in September keeps the routers in the county’s possession and out of the audit team’s hands, and protects the confidential information. 

“I’m encouraged to hear that Special Master Shadegg has hired the IT team he needs to answer Senate questions about the November 2020 election and the county’s routers,” Board of Supervisors Chairman Bill Gates said in a written statement. “We look forward to continued cooperation with Mr. Shadegg and the Senate.”