Investigation continues into how Colorado voting machine passwords ended up online

Kevin J. Beaty/Denverite
A ballot flies through a verifier machine at a Jefferson County elections facility in Golden, July 1, 2019.

The news that the Colorado Secretary of State’s office inadvertently included BIOS passwords for the state’s voting machines in a hidden tab on a spreadsheet on the department’s website has election officials scrambling days ahead of the election.

In an interview with CPR News, Secretary of State Jena Griswold said the employee responsible for the passwords ending up online no longer works for the state and a personnel investigation is ongoing.

“We have people in the field working to reset passwords and review access logs for affected counties,” Griswold said. “This is out of an abundance of caution; we do not believe there is a security threat to Colorado's elections.”

Griswold said the passwords posted online were “partial” and not enough on their own to access the machines’ operating systems. She said that, while the personnel audit still is underway, the initial investigation indicates that the leak was an accident. 

“Ultimately, a civil servant made a serious mistake and we're actively working to address it. Humans make mistakes,” she said.

Kevin J. Beaty/Denverite
Colorado Secretary of State Jena Griswold speaks during an election night party held by the Colorado Democratic Party. Nov. 8, 2022.

Clerks are meanwhile working to assure the public about the scope of the leak and that the election systems are secure. 

“You would need to have physical access to this equipment in order to do something nefarious with this leaked password,” said Democratic Boulder County Clerk Molly Fitzpatrick, the current chair of the Colorado County Clerks Association. She noted that counties must store their voting equipment in a room with strict key card access controls. Background checks are required for the few employees authorized to enter the area, and it’s under 24-hour video surveillance.

Fitzpatrick said it’s critically important to communicate with voters about what’s happening and for the state to take accountability. 

“What we need to do right now is own the issue, explain the issue, remediate the issue, which is exactly what we're doing,” she said. “I do think the public deserves to know what happened, but right now we just have to resolve it and make sure folks know the impact as a voter.”

Clerks that CPR News spoke with said they only learned about the security lapse on Tuesday when the Colorado Republican Party publicized the situation in an email to members. Clerks had a virtual meeting with state officials a few hours later. 

“I knew it was not an immediate security concern,” said Republican Montrose County Clerk Tressa Guynes. “My concern is that this information, when it got out to the voters, that it would diminish their confidence in the integrity of the election system, and, at this point in the election, that it would discourage people from voting.”

Guynes said clerks were not happy during the call with staff from the Secretary of State’s Office, especially when they learned that the state had been aware of the leak for roughly a week and failed to notify them. 

“I think probably what every clerk would appreciate, is when things like this happen, if they would immediately notify us,” Guynes said. “We have the standard practice and protocol that we immediately notify them” when problems occur locally. 

Guynes said it’s her understanding that the passwords had been online in a hidden tab since June.

Griswold’s office said the passwords pose no immediate security threat and will not impact how counties tabulate their ballots. Griswold said the Department took immediate action when they became aware of the situation and informed the Cybersecurity and Infrastructure Security Agency, a federal agency under the Department of Homeland Security.

The two companies that make Colorado’s election equipment also said the situation does not pose a direct security risk. Almost all of Colorado’s counties use Dominion Voting Systems machines to tabulate paper ballots. In a written statement provided to CPR News, the company said it’s committed to supporting state and local election administrators.

“The public can be assured that state-issued BIOS passwords are just one of many compensating controls required to maintain the security and integrity of voting system components,” the company wrote. 

Clear Ballot, which makes machines used in two counties, said they’d been in contact with the Secretary of State's office “and we understand that they are taking appropriate measures. We are confident in the security of our systems.”

Fitzpatrick and the state also said state staff are going in person to impacted counties to reset their BIOS passwords and make sure the systems are running correctly.

Election equipment passwords also came up in the Tina Peters prosecution

The revelation that the state accidentally exposed voting machine passwords comes on the heels of this summer’s trial of former Mesa County Clerk Tina Peters. Peters’ plan to help an unauthorized person access her voting equipment came to light after photos of the machines’ BIOS passwords appeared online. In response to Peters’ actions, state lawmakers made it a felony to knowingly publish passwords for voting equipment.

During the Peters trial over the summer, an employee for the Secretary of State’s office testified on the significance of the BIOS passwords and explained why the security around them is supposed to be extremely tight. 

"The BIOS is kind of the underlying program beneath the operating system, like Windows, that kind of instructs the computer what to do when you start it up,” the staffer explained in court. “We change settings in the BIOS menu to secure the system. So we set that password and retain it so the counties don't even know that password."

Even as those who are familiar with the equipment have hurried to reassure the public the passwords could not be used on their own to access the machines, one IT expert questioned why they were ever in a format that could end up online in the first place.

“The fact that clear text passwords were stored in a spreadsheet, that's pretty crazy, and obviously you should not do that,” said Chris Nelson, a DevOps engineer who works at a startup in Denver and has a background in software development and IT administration.

“There's all sorts of different ways that you can handle securely storing and managing credentials such that they're encrypted at best. The one thing you don't want to do is keep them in plain text on a spreadsheet, then this kind of thing can happen.” 

However, Nelson said because the BIOS password must be physically entered into the voting machine to be effective, the leak could have been worse. He said moving forward the state should overhaul how it stores sensitive information like passwords.

Calls for Griswold to step down

Colorado Republicans are taking their criticism a step further; the party and some of its most prominent members have called on Democratic Secretary of State Jena Griswold to resign. 

“Griswold’s reckless disregard for professional standards and consistent lack of transparency has threatened trust in our democratic system by causing doubt in the security of our election process,” House Minority Leader Rose Pugliese said in a statement on behalf of the chamber’s Republican caucus.

In their demand that Griswold step down, House Republicans also noted that two years ago her office accidentally sent postcards to 30,000 non-citizens, encouraging them to register to vote. Last year a robocall inaccurately reminded some voters who had already voted to turn in their ballots.

Pugliese told CPR News that while she has complete faith in the county clerks who run elections and count the ballots, she doesn’t think Griswold should be in charge of the overall system because she has lost the trust of voters.

“When they hear of incidences where the Secretary of State who is in charge of our election system for the state is being, in my perspective, reckless, it just causes issues with the integrity of our system,” said Pugliese.

Hart Van Denburg/CPR News
Republican Minority Leader Rose Pugliese on the House floor, Friday, Feb. 23, 2024.

Pugliese said Republicans are still discussing what options they have to put pressure on Griswold. A GOP attempt to impeach her last legislative session failed. They’ve long accused her of being too partisan for the job, in part due to her support for the state supreme court ruling to remove former President Donald Trump from the state’s primary ballot.

In response to Republican criticism, Griswold defended her record advocating for Colorado’s election system and said the legislature has denied her office’s requests for increased funding.

“I take my job very seriously. We take election administration very seriously,” said Griswold. “The people in my office have done a really good job under a trying situation because of the lies, the conspiracies, the threats.”

GOP State Party Chair Dave Williams said the state’s response so far to the password leak raises more questions than it answers.  

“The Secretary and her office should be held to the same high standard as everyone else. The integrity of our elections is too important,” wrote Williams in an email to Republicans Wednesday. 

Williams said he would take legal action if the state fails to provide sufficient reassurances. He’s asked whether the BIOS passwords were current, who posted the passwords, how it happened and what evidence there is that it was a mistake and not deliberate.

He’s also called on lawmakers to convene an emergency hearing of the bipartisan Legislative Audit Committee. While a Republican currently chairs the committee, under legislative rules at least one Democrat would need to sign off on a hearing.