Association-anemone

The investigation continues into how Colorado voting machine passwords ended up online
asane

News that the Colorado Secretary of State’s office inadvertently included BIOS passwords for state voting machines in a hidden tab in a spreadsheet on the department’s website has election officials scrambling days before the election.

In an interview with CPR News, Secretary of State Jena Griswold said the employee responsible for the passwords going online no longer works for the state and a personnel investigation is ongoing.

“We have people on the ground working to reset passwords and review access logs for the affected counties,” Griswold said. “This is out of an abundance of caution; we do not believe there is a threat to the Colorado election.”

Griswold said the passwords posted online were “partial” and not sufficient on their own to access the machines’ operating systems. She said while the personnel audit is still ongoing, the initial investigation indicates the spill was an accident.

“Ultimately, a public servant made a serious mistake and we are actively working to resolve it. People make mistakes,” she said.

Kevin J. Beaty/Denverite

Colorado Secretary of State Jena Griswold speaks during an election night party hosted by the Colorado Democratic Party. November 8, 2022.

Clerks are working in the meantime to reassure the public about the extent of the leak and that election systems are secure.

“You would have to have physical access to this equipment to do something nefarious with this leaked password,” said Democratic Boulder County Clerk Molly Fitzpatrick, the current president of the Colorado County Clerks Association. She noted that counties must store their voting equipment in a room with strict key card access controls. Background checks are required for the few employees authorized to enter the area, and there is 24-hour video surveillance.

Fitzpatrick said it’s extremely important to communicate with voters about what’s going on and for the state to take responsibility.

“What we need to do now is own up to the problem, explain the problem, fix the problem, which is exactly what we’re doing,” she said. “I think the public deserves to know what happened, but now we just have to fix the problem and make sure people know the impact as a voter.”

Officials CPR News spoke with said they only learned of the lack of security on Tuesday, when the Colorado Republican Party made the situation public in an email to members. The clerks had a virtual meeting with state officials a few hours later.

“We knew it wasn’t an immediate security issue,” said Republican Montrose County Clerk Tressa Guynes. “My concern is that this information, when given to voters, will diminish their confidence in the integrity of the election system and, at this point in the election, will discourage people from voting.”

Guynes said officials were not happy while speaking with Secretary of State’s Office staff, especially when they learned the state had known about the leak for about a week and had not notified them.

“I think probably what every clerk would appreciate is when things like this happen, if they let us know right away,” Guynes said. “We have standard practice and protocol that we notify them immediately” when problems arise locally.

Guynes said her understanding is that the passwords have been online in a hidden tab since June.

Griswold’s office said the passwords don’t pose an immediate security threat and won’t affect how counties tabulate their ballots. Griswold said the department took immediate action when it became aware of the situation and notified the Cybersecurity and Infrastructure Security Agency, a federal agency within the Department of Homeland Security.

The two companies that make the election equipment in Colorado also said that the situation does not pose a direct security risk. Almost all counties in Colorado use Dominion Voting Systems machines to tabulate paper ballots. In a written statement provided to CPR News, the company said it is committed to supporting state and local election administrators.

“The public can rest assured that state-issued BIOS passwords are only one of many compensatory controls necessary to maintain the security and integrity of voting system components,” the company wrote.

Clear Ballot, which makes the machines used in two counties, said they have been in contact with the secretary of state’s office “and we understand they are taking appropriate action. We trust the security of our systems.”

Fitzpatrick and the state also said state staff are personally going to affected counties to reset their BIOS password and make sure the system is currently working.

Election equipment passwords also appeared in the prosecution of Tina Peters

The revelation that the state accidentally exposed voting machine passwords follows this summer’s trial of former Mesa County Clerk Tina Peters. Peters’ plan to help an unauthorized person access her voting equipment came to light after photos of the machines’ BIOS passwords appeared online. In response to Peters’ actions, state lawmakers made it a crime to knowingly publish passwords for voting equipment.

During the Peters trial this summer, an employee of the secretary of state’s office testified about the significance of BIOS passwords and explained why the security around them should be extremely tight.

“The BIOS is a kind of basic program under the operating system, such as Windows, that instructs the computer what to do when you turn it on,” the employee explained in court. “We change the settings in the BIOS menu to secure So we set that password and keep it so the counties don’t know that password.”

Even though those familiar with the equipment were quick to reassure the public that the passwords could not be used alone to access the machines, one IT expert questioned why they were ever in a format that could make it online in the first place.

“The fact that clear-text passwords were stored in a spreadsheet is pretty crazy, and obviously you shouldn’t do that,” said Chris Nelson, a DevOps engineer who works at a Denver startup and has experience in software development and IT administration.

“There are all kinds of different ways that you can manage the secure storage and management of credentials so that they’re encrypted at best. The only thing you don’t want to do is keep them in plain text on a spreadsheet, and then things like this can happen.”

However, Nelson said that because the BIOS password must be physically entered into the voting machine to be effective, the leak could have been worse. He said the state should next review how it stores sensitive information such as passwords.

Calls for Griswold to resign

Colorado Republicans are taking their criticism a step further; the party and some of its top members have called on Democratic Secretary of State Jena Griswold to resign.

“Griswold’s reckless disregard for professional standards and consistent lack of transparency has threatened trust in our democratic system, casting doubt on the security of our election process,” House Minority Leader Rose Pugliese said in a statement on behalf of the House Republican Caucus.

In their call for Griswold to resign, House Republicans also noted that two years ago, her office accidentally sent postcards to 30,000 non-citizens, encouraging them to register to vote. Last year, a robocall incorrectly reminded some voters who had already voted to turn in their ballots.

Pugliese told CPR News that while she has full confidence in the county clerks who conduct elections and count ballots, she doesn’t believe Griswold should be in charge of the overall system because she has lost the trust of voters.

“When I hear of incidents where the secretary of state who handles our election system for the state is, from my perspective, reckless, it just causes problems with the integrity of our system,” Pugliese said.

Hart Van Denburg/CPR News

Republican Minority Leader Rose Pugliese on the House floor, Friday, February 23, 2024.

Pugliese said Republicans are still discussing what options they have to put pressure on Griswold. A GOP attempt to impeach her last legislative session failed. They have long accused her of being too partisan for the job, in part because of her support for the state Supreme Court’s decision to remove former President Donald Trump from the state’s primary ballot.

In response to Republican criticism, Griswold defended her record supporting Colorado’s election system and said the legislature had rejected her office’s requests for increased funding.

“I take my job very seriously. We take election administration very seriously,” Griswold said. “The people in my office have done a very good job in a difficult situation because of lies, conspiracies, threats.”

State GOP Chairman Dave Williams said the state’s response so far to the password leak raises more questions than it answers.

“The secretary and her office should be held to the same high standard as everyone else. The integrity of our elections is too important,” Williams wrote in an email to Republicans on Wednesday.

Williams said he would take legal action if the state did not provide sufficient assurances. He was asked if the BIOS passwords are current, who posted the passwords, how it happened, and what evidence there is that it was a mistake and not deliberate.

He also called on lawmakers to convene an emergency hearing of the bipartisan Legislative Audit Committee. While a Republican currently chairs the committee, under legislative rules, at least one Democrat would have to approve a hearing.