August 17, 2021

Update from Colorado Secretary of State's Office regarding Mesa County Election Equipment 08/16/21

RELEASE: Colorado Secretary of State’s Office Confirms that Mesa County Election Equipment Hard Drive Images were Publicly Posted; DHS Confirms Posting does not Heighten Risk to State or Nation’s Elections
Colorado Secretary of State sent this bulletin at 08/16/2021 04:22 PM MDT
colorado secretary of state
FOR IMMEDIATE RELEASE

Media Contact:
Annie Orloff
annie.orloff@sos.state.co.us

Steve Hurlbert
steve.hurlbert@sos.state.co.us

August 16, 2021


Colorado Secretary of State’s Office Confirms that Mesa County Election Equipment Hard Drive Images were Publicly Posted; DHS Confirms Posting does not Heighten Risk to State or Nation’s Elections

DENVER, Colo- The Colorado Department of State has been alerted to and confirmed the release of two hard drive images from Mesa County election servers by election conspiracy theorists. While the investigation is ongoing, it appears these hard drive images contain copies of the election management software that runs voting system equipment in Mesa County.

The Colorado Secretary of State alerted the Director of the U.S. Cyber Security and Infrastructure Security Agency (CISA), which is an agency within the U.S. Department of Homeland Security, of this aspect of Mesa County Clerk and Recorder’s Office security breach. CISA has confirmed that it does not view this breach as a significant heightening of the election risk landscape at this point.

One of the hard drive images is believed to have been taken on May 23. New information acquired during the Department of State’s investigation reveals that the secure room where this election equipment is stored was accessed on the evening of Sunday May 23, 2021, outside of normal work hours, by the Mesa County Clerk Tina Peters; Gerald Wood, the unauthorized individual who attended the Mesa County trusted build; and another Mesa County Clerk and Recorder employee.

Under the authority outlined in the Colorado Election Code, with respect to the Secretary’s role as the Chief Election Officer for the State of Colorado and her duty to supervise the conduct of elections, the Secretary of State Jena Griswold is now determining who to appoint to supervise Mesa County Elections.

Colorado leads the way in secure elections, and has layers of security measures, both preventative and for detection purposes. This includes restricted access, chain-of-custody logs, equipment that is under lock and key, multiple sets of passwords or keys that no single person holds, and tamper evident seals. Colorado’s election system is also segmented, with each county having its own closed network and systems across counties are not connected to one another. Election systems have separate sets of passwords; one set is only held by a few specific civil servants with the Department of State and the other is held by the county officials. No one person has all the keys to the castle, as there are several passwords that are kept separate and protected by separate parties. Should there be an internal security breach like the one that occurred in Mesa County, in addition to the safeguards outlined prior to an election, Colorado also requires security protocols such as bipartisan testing on election equipment like tabulation machines before and after elections, mail ballot signature verification, and bipartisan risk limiting audits.

Last week, Secretary Griswold prohibited Mesa County’s election equipment from further use. The Colorado Secretary of State’s Office will continue its investigation into Mesa County Clerk and Recorder’s Office and is fully cooperating with the investigation undergoing concurrently by the District Attorney of the 21st Judicial District.

###

August 10, 2021

Statement from Colorado Secretary of State's Office on August 9, 2021--

Statement from Colorado Secretary of State’s Office Regarding Official Order to Mesa County

DENVER, Colo- Today, the Colorado Secretary of State’s office issued an Order in response to a potential chain-of-custody and security protocol breach for Mesa County’s voting system components.

Several items were published online that constituted a breach in the security protocols for Mesa County voting system components. The posted images depict the BIOS passwords specific to the individual hardware stations of Mesa County’s voting system. The public disclosure of the BIOS passwords for one or more components of Mesa County’s voting system alone constitutes a serious breach of voting system security protocols, as well as a violation of Election Rule 20.6.1. This breach in security protocol has not created an imminent direct security risk to Colorado’s elections, and did not occur during an election.

It is likely from the content of the social media postings that this sensitive information was collected during the limited access trusted build installation in Mesa County on May 25, 2021. The collection and dissemination of this information during the trusted build installation violated security protocols and Department of State rules governing the process.

In response to this breach in protocols, the Secretary of State’s office has sent an Order requesting inspection of election equipment and other relevant materials to the Mesa County Clerk and Recorder. Depending on the outcome of the investigation, these violations may result in the decertification of the voting systems in Mesa County.