Thu. Oct 31st, 2024

Ballots are sorted at the Weld County Elections office in Greeley on June 25, 2024. (Andrew Fraieli/Colorado Newsline)

Colorado’s election system remains secure even after voting system passwords were inadvertently exposed for months on the secretary of state’s website, say experts interviewed by Newsline on Wednesday, including several county clerks.

Decision 2024: On-the-ground election coverage in Colorado and by local reporters in all 50 states. Fair. Fearless. Free.

Secretary of State Jena Griswold acknowledged Tuesday that the passwords were hidden but accessible on a spreadsheet posted online. The spreadsheet, which contains an inventory of voting system components used throughout Colorado’s 64 counties, has been updated to remove the passwords, but not before they were detected by at least one person who alerted the Colorado Republican Party to their presence.

Griswold’s office announced the leak late Tuesday in a statement that said it “does not pose an immediate security threat to Colorado’s elections.”

That assessment aligns with those from other sources who spoke with Newsline. Several county clerks said that a person with a password could gain unauthorized access to sensitive election computers only if they were physically present. Election equipment is kept in locked rooms under mandated security protections, they said. 

GET THE MORNING HEADLINES.

“It would be very difficult to get into where our equipment is,” Lori Mitchell, the Democratic Chaffee County clerk, said.

Bobbie Gross, the Republican clerk for Mesa County, said in an email to Newsline, “It is important to note these passwords cannot be used to access the system remotely. The only way the system passwords can be used is by physical access to the equipment.” Gross added, “All employees authorized to access the equipment have background checks, the equipment is under 24/7 camera surveillance and our cameras send alerts if anyone would enter the room outside of the normal business hours.”

The leak involved Basic Input Output System — or BIOS — passwords for more than 700 election system components in every Colorado county except Las Animas, according to the person who detected them, as described in an affidavit the person shared with the Republican Party. BIOS passwords can access the most basic level of software in the computer and give a person a large amount of control over the system. 

“If a person has the BIOS passwords they would need physical access to the equipment to access it. We are confident with our security measures and audits that voters can vote with confidence and our equipment is secure,” Gross said.

Duncan Buell, a computer scientist who researches election systems and serves as the chair emeritus of the Computer Science and Engineering department at the University of South Carolina, agreed that the passwords being exposed poses a low risk of an election security breach.

“It seems to me, from what I have read, that there are sufficient safeguards in place that this is not a disaster. It’s uncomfortable. It’s concerning, but it’s not a disaster, and I think it should not be treated as such,” Buell said.

He called the incident a “huge glitch” and said it’s Griswold’s responsibility to investigate and communicate to the public how it happened and who signed into components using the posted passwords.

The bottom line is I think we need to take accountability for this issue, and we need to mitigate and respond to the issue.

– Molly Fitzpatrick, clerk for Boulder County and president of the Colorado County Clerks Association

But some officials were sharply critical of how Griswold, a Democrat, handled the leak. Steve Schleiker, the Republican clerk of El Paso, the state’s most populous county, said he is confident that the leak will not compromise the reliability of elections in Colorado, because officials are required to provide physical security for election equipment. He has provided even more physical security for El Paso election equipment than what the state requires, he said.

“I have extreme confidence that there is not an individual that can get in there,” he said.

But the password leak can contribute to voter doubt about elections, he said.

“It has put a lot of us in a very bad position,” he said. “When this is done by the secretary of state, voter confidence just basically plummets.”

Griswold said Tuesday that she learned about the leak Oct. 24. But clerks told Newsline the secretary of state’s office didn’t inform them until late Tuesday, a lag some feel was irresponsible.

“I do plan on taking some action after the election. I feel that something needs to be done,” Schleiker said, referring to Griswold. “Right now, the way I’m looking at it, I will probably ask for her resignation.”

Gross said she was notified about the leak “at 4:30 with the same press release sent to the media,” adding, “It is disappointing county clerks were not notified ahead of the press release.”

Political fallout

Some officials have already called for Griswold to resign. They include Republican U.S. Rep. Lauren Boebert, though Boebert also expressed confidence in election security, writing on Facebook Wednesday, “I have faith in our county clerks to run this election well and make sure every legal vote counts.”

Colorado House Republicans also called for Griswold’s resignation Wednesday.

A spokesperson for Griswold told Newsline Wednesday that “The Secretary will not be resigning.”

She told CPR that a “civil servant accidentally” made the error that caused the leak and that the employee “no longer works with the department.”

Molly Fitzpatrick, the Democratic clerk for Boulder County and president of the Colorado County Clerks Association, said it was important for election officials to be honest with community members about the leak. She acknowledged that for voters who hear about the leak “it just sounds horrific,” and she said, “We have clerks that doubters are coming into their elections office and screaming at them.”

“The bottom line is I think we need to take accountability for this issue, and we need to mitigate and respond to the issue,” Fitzpatrick said. “Every single election, something comes up, and it’s all about how you respond and mitigate.”

She echoed other clerks in saying layers of security measures would prevent a bad actor with leaked passwords from gaining physical access to election machines.

“On top of that the secretary’s office is doing what they should do. They’re updating the passwords and they are verifying that system settings are in place appropriately,” she said.

Plus, elections in Colorado are conducted on paper ballots, which can be audited for accuracy after an election, she said.

Asked if she thinks Griswold can effectively oversee a statewide election, Fitzpatrick said she does.

“The bottom line is that the politics of it are right now of no interest to me,” Fitzpatrick said. “I just want to run a good election, and I just want our counties to have the support that they need to run a good election.”

Sara Wilson contributed to this report.

YOU MAKE OUR WORK POSSIBLE.

By