How a Trump ally got his unfounded voting-machine audit push in front of federal cyber cops

  • Oops!
    Something went wrong.
    Please try again later.
  • Oops!
    Something went wrong.
    Please try again later.
  • Oops!
    Something went wrong.
    Please try again later.

Donald Trump’s top pick to administer Arizona elections in 2024 is more than a garden-variety backer — he played a little-known but notable role in bolstering the former president’s push to subvert the 2020 ballot.

It was the waning weeks of the Trump presidency when Arizona state Rep. Mark Finchem made an unusual request of the federal agency that deals with cybersecurity threats. Finchem, a longstanding Trump ally now running for Arizona secretary of state, asked the Department of Homeland Security agency to conduct “a full spectrum forensic examination” of voting machines.

Finchem’s request was elevated to the acting director of DHS’ Cybersecurity and Infrastructure Security Agency, Brandon Wales, at 7:59 a.m. on Christmas Eve 2020. And it got his attention. “We need to do a call on this today,” Wales wrote to several people eight minutes later, including the agency’s then-deputy chief external affairs officer.

The emails to the DHS agency, known as CISA, are part of a tranche of new communications that show Trump lawyer Rudy Giuliani and his allies’ attempts to get the federal government to help them reverse election results went even broader than previously known. American Oversight, a watchdog group, obtained the emails through a Freedom of Information Act lawsuit and shared them with POLITICO.

Perhaps even more significantly, the emails underscore that Trump’s stalwart allies in his baseless quest to contest his loss to Joe Biden are still core parts of his network heading into a possible 2024 White House bid. Finchem, in particular, worked overtime in the weeks after the 2020 election to try to reverse Biden’s win in his swing state. And last September, Trump endorsed his bid to become Arizona’s secretary of state, in charge of its 2024 ballot.

During the last days of Trump’s administration, Finchem was one of the leading proponents of “auditing” voting machines — and hosted an infamous hearing with Giuliani in late November 2020 where then-President Trump called in to lie about his loss. Emails reviewed by POLITICO show Finchem asking for help from one of CISA’s Hunt and Incident Response Teams, saying a subcontractor to one of the nation’s largest defense contractors could help.

Finchem did not respond to requests for comment.

An odd request

On Dec. 18, 2020, Trump met in the Oval Office with a group of supporters trying to change the election outcome — including Sidney Powell, Michael Flynn and Giuliani — who were pushing for extreme measures to advance their goal. Finchem’s outreach to CISA appears to have begun around that same time.

During the Oval Office meeting, some attendees urged Trump to have the Defense Department seize voting machines so they could be audited. They even brought along a draft executive order to do just that. (Baseless allegations of voting machines being “flipped” were a foundation of pro-Trump conspiracy theories at the time.)

POLITICO reviewed a second, similar draft executive order that would have had the Department of Homeland Security take on that project, rather than DOD. The same week, Giuliani called DHS’ second-in-command to ask if his department could seize the voting machines, The New York Times reported. That official, Ken Cuccinelli, told him that wouldn’t be possible.

The newly released emails show that six days after the Oval Office meeting, top CISA officials viewed Finchem’s request for help. Finchem sent CISA the request through a standard online form that anyone can use to report suspicious cyber activity to CISA, and the date of his initial outreach isn’t clear from the documents.

CISA spokesperson Michael Feldman said the agency “does not comment on specific correspondence with state or local officials.”

“We work regularly with the election community, including officials in all 50 states, in support of their security and resilience efforts,” the spokesperson continued. “This includes sharing timely and actionable information and intelligence, and providing cybersecurity services, technical assistance, and guidance. CISA services are provided at no cost, when requested by system owners or operators for the purposes of improving their security.”

Finchem and the Arizona state legislature where he serves did not own or operate any of the state’s voting systems.

On Dec. 28, 2020, four days after CISA’s acting director requested the call on Finchem’s voting machines request, the emails show another person — whose name is redacted — flagging that CISA had conducted fact-finding on the issue with the sitting Arizona secretary of state, Katie Hobbs, and the state elections director at the time.

A spokesperson for Hobbs’ office declined to comment. Hobbs, a Democrat, is now running for Arizona’s open gubernatorial seat.

A problematic suggestion

In the request to CISA’s tip line, Finchem specifically asked for help from one of the agency’s Hunt and Incident Response Teams — a term of art not widely used outside the cybersecurity community. The team would help probe voting machines, Finchem hoped.

“If possible, we understand that Raytheon’s subcontractor ‘CyTech’ has the technology (CyFIR) and the subject matter expertise that can do this expert level of analysis and investigation,” Finchem continued. “We would request that they support this effort in a manner as expeditiously as possible.”

CyTech has worked with the federal government since 2010, getting awarded contracts with the Defense Department and two other agencies, but a review of public records does not show the small company had any connection to Raytheon Technologies.

However, CyTech, CyFIR and their former owner, Ben Cotton, eventually played their own roles in the effort to undermine Biden’s win in Arizona — focused on the decisive Maricopa County.

While Trump and his allies were unsuccessful in getting the federal government to audit the 2020 election, they successfully pushed the Arizona state Senate to conduct a review of the election in Maricopa, the state’s largest county, which Biden narrowly carried by about 45,000 votes. It was the first time Maricopa had voted for a Democrat on the presidential level in decades.

That state Senate review was run by a company called “Cyber Ninjas” that drew widespread consternation from bipartisan election experts, as well as the county’s Republican-controlled elections office and board of supervisors. The “Cyber Ninjas” review was ultimately dismissed as a sham effort run by amateurs who spent most of their time chasing conspiracy theories.

CyFIR was a subcontractor for that review and was listed in Cyber Ninjas’ statement of work.

The election review lasted for much of 2021, during which Cotton copied data from the county and drove it to a lab in Montana, the Arizona Republic reported at the time. Cotton also presented during the delivery of the final report to the state Senate. That report was published in September 2021.

Two years before the 2020 election, Cotton had spun off CyFIR from CyTech, for which it was initially developed as a tool that provides incident response, threat hunting, digital forensic investigation, insider threat analysis and malware detection.

Cotton continued to own both separate companies, but sold CyFIR to eSentire in 2021 and is working for the company as vice president for incident response, according to his LinkedIn profile. eSentire announced the acquisition on June 17, as the Arizona audit was underway.

eSentire confirmed to POLITICO that the firm was aware of CyFIR’s work on the Arizona audit when it bought the spun-off company. CyTech and Raytheon Technologies declined to comment. Cotton did not respond to multiple requests for comment.

‘I look forward to working with you’

Another cryptic email in the tranche obtained by American Oversight appears to show that — a few days before CISA’s top brass scrambled to field Finchem’s tip-line request — a different Trump ally reached out directly to DHS’ top lawyer with a request for collaboration.

Chad Mizelle, DHS’ acting general counsel, received an email at 9:48 p.m. on Dec. 21, 2020, from a sender whose email address is partially redacted.

“Here is the image of the request memorandum,” the sender wrote. “I look forward to working with you.”

It's not clear what the "request" in question referred to. But American Oversight spokesperson Dera Silvestre said the group is confident, based on other open records requests it has made, that the partially redacted email belongs to Trump ally Phil Waldron.

Waldron is a retired Army colonel who has said he worked under Michael Flynn at the Defense Intelligence Agency, according to The New York Times. A Giuliani ally has told the Jan. 6 select committee that Waldron originated the idea of having the Defense Department seize the voting machines to halt Trump’s loss.

Waldron also distributed a PowerPoint presentation after the election pushing Trump to declare a state of emergency. His outreach to Mizelle came as he worked feverishly to overturn the 2020 election results.

“It’s concerning that someone like Phil Waldron had this degree of access to DHS officials even while he and other Trump allies were pursuing dangerous schemes to reverse the election,” said Silvestre, the American Oversight spokesperson. “It’s even more concerning that we’re only now finding out about it, over a year later.”

DHS did not provide any materials to American Oversight that indicated Mizelle replied to the message he received. Mizelle declined to comment on the communication, and Waldron did not respond to requests for comment.