Colorado Updates Voting System Passwords After Leak
/ 5 min read
Quick take - The Colorado Department of State is urgently updating voting system passwords after a spreadsheet containing partial passwords was accidentally posted online, with officials emphasizing that there is no immediate security threat to elections.
Fast Facts
- Colorado’s Department of State is updating voting system passwords after a spreadsheet with partial passwords was accidentally posted online for over two months.
- Secretary of State Jena Griswold assured that there is no immediate security threat, as two unique passwords and physical access are required for each voting system component.
- The incident, attributed to a former civil servant, has prompted a personnel investigation and a review of access logs to ensure no tampering occurred.
- The Colorado Republican Party criticized Griswold, claiming the leak posed a significant security risk and called for her resignation, while she remains committed to her role.
- The Polis administration is supporting the password updates, with cybersecurity experts assisting in the process to ensure the security of voting components.
Colorado Scrambles to Change Voting System Passwords After Accidental Leak
The Colorado Department of State is working to update voting system passwords after a spreadsheet containing partial passwords was accidentally posted online. The department aims to complete the password updates by the end of today.
Press Conference and Acknowledgment of the Leak
Colorado Secretary of State Jena Griswold held a press conference with Matt Crane, Executive Director of the Colorado County Clerks Association, at her office in Denver on Thursday, October 24, 2024. The spreadsheet reportedly contained hundreds of BIOS passwords and was accessible on the website for over two months before being removed last week. A government statement issued Tuesday acknowledged the spreadsheet’s existence and stated that it included a hidden tab with partial passwords to certain components of Colorado voting systems.
The department emphasized that there is no immediate security threat to Colorado’s elections, as two passwords are required for each component. Griswold told Colorado Public Radio that partial passwords alone do not pose a security risk because two unique passwords are needed for every election equipment component. Physical access is also required, and under Colorado law, voting equipment is stored in secure rooms with restricted access.
Security Measures and Response
The department’s statement noted that the two passwords for each component are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system. Clerks are required to maintain restricted access to secure ballot areas and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized or supervised by an authorized and background-checked employee.
The department also cited strict chain of custody requirements that track when a voting systems component has been accessed and by whom. Each Colorado voter votes on a paper ballot, which is then audited during the Risk Limiting Audit to verify that ballots were counted according to voter intent. Griswold described the upload as an accident and said the mistake was made by a civil servant who no longer works for the department.
Out of an abundance of caution, the department has people in the field working to reset passwords and review access logs for affected counties. Governor Jared Polis and Griswold issued a joint update about the password changes today. The Polis administration is providing support to complete changes to all the impacted passwords and review logs to ensure that no tampering occurred.
Political Reactions and Criticism
The Secretary of State will deputize certain state employees with cybersecurity and technology expertise to assist in the process. These employees will only enter badged areas in pairs to update the passwords for election equipment in counties and will be directly observed by local elections officials. The goal is to complete the password updates by this evening and verify the security of the voting components.
Griswold expressed gratitude to the Governor for his support in resolving the issue. She stated that her department has no reason to believe the passwords were posted with malicious intent. A personnel investigation will be conducted by an outside party to look into the particulars of how this occurred.
The Colorado Republican Party criticized Griswold after receiving an affidavit from someone who accessed the BIOS passwords on the publicly available spreadsheet three times between August 8 and October 23. The file contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties before being removed on October 24. The affidavit described how to reveal the passwords in the VotingSystemInventory.xlsx file.
The state GOP accused Griswold of downplaying the security risk, stating that only one password is needed for BIOS access. BIOS passwords are highly confidential and allow broad access for knowledgeable users to manipulate systems and data. The GOP said the passwords were not encrypted or otherwise protected. State GOP Chairman Dave Williams criticized the incident as significant incompetence and negligence, claiming the breach could jeopardize the Colorado election results unless all machines meet the standards of a ‘Trusted Build’ before next Tuesday.
US Rep. Lauren Boebert and other Republicans called on Griswold to resign. Griswold stated she would remain in her position and continue her work. She addressed the criticism, stating that a civil servant made a serious mistake and they are actively working to address it. Griswold has faced conspiracy theories from elected Republicans in the state and remains committed to her role.
Colorado previously experienced a voting-system breach orchestrated by former county clerk Tina Peters of Mesa County. Peters was sentenced to nine years in prison in early October for her involvement in a leak of voting-system BIOS passwords. Testimony from the Peters case was cited in the GOP’s criticism of Griswold. The Trump campaign called on Griswold to halt the processing of mail ballots and re-scan all mailed ballots that were already scanned.
Original Source: Read the Full Article Here
