Today, Gov. Jared Polis and Secretary of State Jena Griswold announced that the effort to update all passwords and verify the security of affected active voting systems components in Colorado is complete. The joint effort concluded successfully Thursday evening.
Colorado elections include many layers of security. The passwords that were improperly disclosed were one of two passwords to make changes to these particular voting system components and can only be used with in-person physical access to that specific machine.
Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access. That ID badge creates an access log that tracks who enters a secure area and when. There is 24/7 video camera recording on all election equipment.
Clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee. There are also strict chain of custody requirements that track when a voting systems component has been accessed and by whom.
It is a felony to access voting equipment without authorization.
“The effort to change these passwords been completed in every affected county. I want to thank Governor Polis for deploying extra state resources to help in this effort,” said Griswold. “Colorado has many layers of security to ensure our elections are free and fair, and every eligible voter should know their voice will be heard.”
“We appreciate the swift work to update these passwords and provide voters confidence in Colorado’s elections system. Every Coloradan can rest assured that their vote will be counted fairly and accurately. While the leaked passwords compromised just one of many layers of security that protect our election integrity in Colorado, we knew it was critical to take swift action and to work with Secretary Griswold and the county clerks to update the passwords immediately,” said Polis. “I want to especially thank the hardworking state employees and county clerk personnel who were part of this effort.”
Within hours of being briefed on Wednesday, Oct. 30, Polis deployed human capital, air and ground assets, and other logistical support to the Secretary of State’s Office to complete changes to all the affected passwords and verify that no settings had been changed in any piece of election equipment.
Last evening, the operation was completed to change all impacted passwords. This included eight staff from the Department of State and an additional 22 state cybersecurity personnel who were directed to support the operation by Polis. All staff had appropriate background checks and underwent training pursuant to rules promulgated by the Secretary of State prior to beginning work on election systems. Additionally, state agency staff worked in pairs, and were observed by county elections officials.
This password disclosure never posed an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted. Changes to passwords were made out of an abundance of caution.
Every Colorado voter votes on a paper ballot, which is then audited during the risk limiting audit to ensure ballots were counted according to voter intent.