close
close

Colorado voting system passwords are heating up | Elections

Posted on by L. Dreeye
Colorado voting system passwords are heating up | Elections

Passwords to Colorado voting computers had been visible online for months, and Colorado Secretary of State Jena Griswold, a Democrat, learned about it on Oct. 24.

Her office began changing the leaked passwords only after the issue was made public, Denver Gazette media partner 9News reported Wednesday.

Voting machines used by county clerks are listed in a spreadsheet on the Colorado Secretary of State’s website. Machines are listed by serial number, region, model and supplier.

Until last week, there was a hidden tab at the bottom of the table that, when hidden, showed one of two passwords required to make changes on each computer.

A Griswold spokesman said the office did not begin changing passwords until the security issue became public Tuesday. Her office also did not notify county clerks until it became public.

“This is bad. Let me emphasize that we have other precautions in place, but the fact that a serious breach occurred is alarming,” said former Colorado Secretary of State Wayne Williams, a Republican.

Williams was Secretary of State before Griswold. The two even teamed up to publicly announce trusted sources in the election.

“Your county clerks are one of those sources, and the fact that they were not involved in this matter or notified of it is alarming,” Williams said. “First, make sure the election is conducted correctly, and second, reassure the public that the election is conducted correctly.”

Leaking passwords is one of two required to make changes to voting machines. Any changes require personal access to the machines. Personal access is monitored 24/7 via video surveillance and tracked via badge identification logs.

In a statement Wednesday, the Secretary of State’s Office said it took “immediate action” to inform the federal agency that oversees security infrastructure, but the statement did not explain why county employees were not notified.

“The Department took immediate action once it became aware of this disclosure and informed CISA (Cybersecurity and Infrastructure Security Agency), the federal agency that closely monitors and protects counties’ essential security infrastructure, and began conducting an investigation. Personnel were on their way to the affected county when the news became public,” the statement said.

The statement also said that an “external firm” would check for password errors on the hidden tab, but did not specify whether the affected computers or counties would also be checked externally. On Tuesday, Griswold told Next with Kyle Clark that her office would investigate.

“Someone loaded the wrong document without opening the hidden BIOS passwords tab,” Williams said. “This does not require a lengthy investigation because I assume the Secretary of State’s Office knows who this person was. This man made a mistake.”

The attorney general has no oversight authority, according to the Secretary of State’s Office. However, Griswold could have voluntarily asked for supervision.

In a statement, a spokesman for Democratic Attorney General Phil Weiser said: “While the Attorney General’s Office cannot confirm or otherwise comment on investigations, we in Colorado are very proud that our election system is the gold standard in the country. Any illegal actions that undermine public confidence in our elections should be taken seriously. With regard to the release of election system passwords, it is critical that this issue is thoroughly reviewed, that every step is taken to ensure the security of our elections, and that every vote is counted.”

The attorney general’s office said it would not comment further when asked whether Weiser asked for a thorough review of the matter.

Democratic Gov. Jared Polis said in a statement that several state agencies have briefed him on election security. The statement included a line that said, “The Governor has been assured that all passwords have also been changed.”

When 9NEWS reported that this was not the case, the governor’s office sent a new statement without that statement and without explaining why it was removed.

Williams believes there needs to be another step beyond changing passwords.

“We need to audit every machine that potentially had passwords compromised,” Williams said.

Republican and Democratic county clerks who spoke with 9News are not concerned that their voting machines have been or will be compromised, based on security measures and additional passwords required.

They expressed concern about the lack of transparency and communication.

“I think the issue is not doing it through a more transparent process,” Williams said.