Updated 6:50 p.m. November 4.
The Colorado Secretary of State’s office was first alerted by the maker of some of the state’s election equipment that passwords to many of the state’s 2,100 pieces of that equipment were posted online.
The state learned of the situation on Oct. 24, five days before the Colorado GOP sent an email to members describing the security breach.
“As soon as we got the call, staff took it down, and then we started our planning,” Democratic Secretary of State Jena Griswold said in an interview with CPR News Monday morning.
What they learned was that current passwords to equipment in 34 of Colorado’s 64 counties were listed on a hidden tab on a spreadsheet that had been online since June. The visible portions of the sheet contained other information about the voting machines that Colorado is required to make public.
That information is part of a new timeline of the disclosure the state released ahead of a court hearing Monday afternoon in which the Colorado Libertarian Party argued that all affected equipment should be decertified and ballots in those counties tallied by hand. It's unclear how soon the judge will rule.
Ever since the posting became public, the state, local clerks and the equipment manufacturers have all emphasized that BIOS passwords can only be entered into machines in person and that this type of voting equipment is stored in locked rooms, under 24-7 video surveillance, with entry limited to background-checked staff.
Griswold said to her knowledge none of the BIOS passwords were posted on the dark web or anywhere else on the internet.
CPR learned last week that the spreadsheet, including the hidden tab, was created by an employee who stopped working in the office earlier this year and that a subsequent employee, who was apparently unaware of the hidden data, posted the spreadsheet online. Griswold on Monday confirmed that the first employee left their job on amicable terms and the second employee still works for the Secretary of State.
“It is our understanding that there is no evidence that the staff that posted the spreadsheet was aware of the hidden tab,” said Griswold.
The Secretary of State’s office has contracted with the Denver law firm Garnett Powell Maximon Barlow & Farbes to conduct an outside investigation of the situation, with attorney David Powell leading it. Griswold said any potential consequences for members of her staff would occur after that wraps up.
“There was a mistake, and because of that, we'll be doing further training with the staff and also contracting with this outside law firm to do a further investigation of how this happened, how it could be prevented, and any other recommendations of improvements of practices and procedures,” said Griswold.
She said having the passwords stored in plain text on a spreadsheet wasn’t department policy.
“We do a lot of training and reinforcement that passwords must be stored in a password safe. We need passwords to be in an encrypted setting.”
Griswold also noted that her office did a risk assessment with the U.S. Department of Homeland Security in August to look for vulnerabilities in both its internal and external-facing websites and systems. That process failed to turn up the hidden tab.
The state completed password updates to all affected active voting machines last Thursday. The staff who did those updates also checked to see if any settings had been changed on the equipment and found no security breaches.
Griswold has faced pushback from county clerks for not alerting them to the security breach until several hours after the Colorado GOP sent out its email. She continues to defend that decision.
She said, initially, her office didn’t know whether the passwords were still active, and that until there was a concrete plan for addressing the situation, revealing publicly what had happened would have been “contrary to cybersecurity best practices, and carried a significant risk of fueling a major disinformation environment.”
It was not until several hours after the Colorado Republican Party made the information public that Griswold’s office had a full understanding of the scope of components impacted. It then held a meeting with the clerks that run county elections.
Libertarians ask judge to restart vote counting, by hand
Despite assurances from Griswold’s office and Republican and Democratic election officials that Colorado’s general election remains secure, the Libertarian Party of Colorado has decided to take legal action.
The party is suing Griswold and Christopher Beall, the Deputy Secretary of State, demanding that the court decommission any voting machine associated with the passwords and that counties restart counting ballots by hand.
“In allowing these passwords to be available to the public, the Secretary has breached her duty to ensure that Colorado’s upcoming General Election is fair and accurate,” the complaint states.
A Denver District Court judge held an emergency hearing in the case Monday afternoon, just about 30 hours before polls close for this election. Many of those in the packed courtroom took part in a protest beforehand, calling for Griswold’s resignation.
In the opening statements, Gary Fielder, the attorney representing the Libertarian Party, acknowledged how little time is left in the election. “We’re not trying to cause chaos… (but) that’s on the Secretary of State.”
Fielder called a number of witnesses, including Shawn Smith, a retired Air Force Colonel and conservative activist. According to Smith, he discovered the hidden tab with the passwords on Aug. 8, more than two months before the state became aware of it. An affidavit signed by Smith said he viewed the tab again twice in October before it was removed.
“I would say, just in general, it's incredibly concerning that someone knew this information and didn't tell us,” Griswold told CPR News.
Smith is one of the founders of the U.S. Election Integrity Plan (USEIP). The group, which is based in El Paso County, sent grassroots canvassers to neighborhoods around the state to search for voter fraud in the aftermath of the 2020 election. Smith has been a strong proponent of the efforts of Mike Lindell, the CEO of MyPillow, to sow distrust in the election system. He has previously accused Griswold of criminal conduct and suggested she should be executed.
The judge allowed Smith to testify as an expert witness on voting systems, over the state’s objections. Smith described the BIOS passwords as giving someone “foundational control over the computer” and said that if a person has access to them, they can “access the voting system.”
However, Smith acknowledged that he had “no personal knowledge” that any unauthorized persons have accessed voting system equipment in Colorado using the posted passwords.
The suit calls for the “removal of all devices” associated with the compromised BIOS passwords and for the ballots in impacted counties to be hand counted.
However, attorneys for the state argued strenuously that those steps are unnecessary, noting that the passwords have been changed and the machines inspected, with no sign of any tampering. Lawyers for the Secretary of State’s office characterized the suit and its claims as “fear mongering.”
“It cannot be overstated the unnecessary chaos decommissioning the counties’ machines would sow,” Griswold’s attorney said.
The attorneys also noted the significant financial and human resources it would take to deploy last-minute hand counters to the impacted counties.
Hilary Rudy, the state’s Deputy Director for Elections, testified that just finding the BIOS passwords would not make it possible for someone to access voting system equipment.
“There’s checks and balances,” said Rudy. “In Colorado, voting machines are not connected to the internet. Someone would need physical access to the computer.”
Rudy also told the judge that trying to count so many ballots by hand would be “incredibly unreliable.” Studies have shown that hand counts produce more errors than machine counts.
“There has not been a hand count in my career,” Rudy, who has been working for the Colorado Secretary of State’s office for almost two decades, said.
The judge did not say how soon she will issue an order.