Colorado’s election equipment password breach explained

What we know about the investigations into Secretary of State's office
Colorado Secretary of State Jena Griswold speaks during a committee meeting in Baton Rouge, La., on July 8, 2022. (Matthew Hinton/Associated Press file)

The revelation that BIOS passwords for ballot tabulation machines in 32 of Colorado’s 64 counties were posted for months in a hidden tab on a spreadsheet on the Secretary of State’s website set off statewide shock waves in the days before the November election.

As we continue to learn more about how the security breach occurred, here are some of the essential things to understand about the situation.

How did the security breach come to light?

The Secretary of State’s office was originally notified by an election equipment vendor who had spotted the tab. The passwords were removed on Oct. 24, after being online since June.

Shawn Smith, a retired Air Force Colonel and conservative activist, wrote in an affidavit that he discovered the hidden tab much earlier, on Aug. 8, and checked twice in October that it was still there, without informing the state.

The public became aware through an email the Colorado Republican Party sent to its supporters on Oct. 29.

What did the breach mean for the security of Colorado’s election equipment?

Having the BIOS password, which grants access to the equipment’s underlying software, is not enough on its own to manipulate a voting machine; it also requires physical access to manually enter the password.

The machines are housed in counties across the state, under 24-7 video surveillance, with key card access limited to a small number of background-checked staff.

When the breach came to light, state IT staff visited each affected county to update its equipment passwords and check for any tampering.

“We have people in the field working to reset passwords and review access logs for affected counties,” Griswold told CPR News. “This is out of an abundance of caution; we do not believe there is a security threat to Colorado's elections.”

What has this meant for election officials?

The county clerks who administer Colorado’s elections weren’t told of the situation until the Colorado GOP sent out its email.

Clerks had a virtual meeting with state officials shortly afterward. While they reiterated the equipment remained secure, they were worried about the impact on public trust.

“I knew it was not an immediate security concern,” said Republican Montrose County Clerk Tressa Guynes. “My concern is that this information, when it got out to the voters, that it would diminish their confidence in the integrity of the election system.”

Clerks were also frustrated that the state was aware of the situation for days without letting them know about it.

9News obtained audio of a call between Deputy Secretary of State Chris Beall and clerks on the day the breach was revealed.

“We were not going to tell counties because we could not tell counties without it becoming the media storm it has become,” Beall told them.

“It’s bulls—t, Chris,” Adams County Clerk Josh Zygielbaum, a Democrat, responded.

Boulder Clerk Molly Fitzpatrick, the current chair of the Colorado County Clerks Association, said transparency will be critically important moving forward.

“I do think the public deserves to know what happened,” she told CPR News before the election. “But right now we just have to resolve it and make sure folks know the impact as a voter. And so that's what we're trying to catch up on now, is that communications front.”

Who is responsible for the passwords ending up online?

Democratic Secretary of State Jena Griswold said her office’s initial internal review points to the situation being an accident.

According to Griswold, a former employee created the spreadsheet with the hidden tab. That person left their job in the office earlier this year on amicable terms.

A different employee later posted the spreadsheet, which also contains information about the voting equipment the state is required to make public, online, apparently unaware of the hidden tab. The second employee still works for the state.

The Secretary of State’s office has said storing the passwords in plain text on a spreadsheet violated the department’s policies and procedures. It is conducting a personnel review.

How is the situation being investigated?

There are now multiple active investigations.

Attorneys Beth Quinn and J. Mark Baird with the law firm Baird Quinn LLC are leading an investigation on behalf of the Secretary of State office. The office hired the Denver-based employment, labor and commercial law firm to replace the first firm it contracted with. Several partners at that firm had donated to Griswold’s campaign.

The Denver District’s Attorney's office has also launched an investigation on behalf of three district attorneys offices that have all received requests to investigate. Under Colorado law, it’s a felony to knowingly publish, or cause to be published, passwords and other sensitive voting equipment information.

A person familiar with the DA investigation told CPR the Secretary of State is not herself being investigated and at this point, there’s no evidence of criminal activity.

What has the response been?

Colorado’s Republican Party, as well as some of its most prominent members, have called on Griswold, a Democrat, to resign over the situation.

State party chair Dave Williams said the posting represents significant incompetence and negligence and the state’s response so far raises more questions than it answers.

“The Secretary and her office should be held to the same high standard as everyone else. The integrity of our elections is too important,” wrote Williams in an email to Republicans.

The Libertarian Party filed a lawsuit against the Secretary of State’s office asking for Colorado to decertify the affected voting machines days prior to the general election and count all those ballots by hand. That effort was rejected by a Denver District Court judge.

The Trump campaign also called for Colorado counties to reset their machines and restart the counting of votes. However, the campaign took no action when that didn’t happen.

Will other parts of the state government get involved?

The bipartisan Legislative Audit Committee will discuss in December whether to order the state auditor to investigate the Secretary of State’s office. Republican members, who last year tried to impeach Griswold over an unrelated issue, have called for the committee to take that step.

“Griswold’s reckless disregard for professional standards and consistent lack of transparency has threatened trust in our democratic system by causing doubt in the security of our election process,” House Minority Leader Rose Pugliese said in a statement on behalf of the chamber’s Republican caucus.

Democrats, though, seem inclined to wait for the other investigations to play out.

“An audit takes approximately a year to conduct,” said Sen. Dafna Michaelson Jenet, who sits on the committee. “What we need now is an independent investigation, swiftly, to uncover what’s going on. If something untoward is uncovered, then a full audit would be appropriate.”

Democratic Gov. Jared Polis told CPR he wants to understand what exactly happened.

In response to Republican criticism, Griswold has defended her record advocating for Colorado’s election system and noted the Legislature has denied her office’s requests for increased funding.

“I take my job very seriously. We take election administration very seriously,” said Griswold shortly after the situation came out. “The people in my office have done a really good job under a trying situation because of the lies, the conspiracies, the threats.”

To read more stories from Colorado Public Radio, visit www.cpr.org.