By Heidi Ganahl | Commentary, Rocky Mountain Voice
Colorado’s elections are far from secure. Rather than being a “gold standard” of integrity, they are a gilded mess of lies and half-measures.
Ten years ago, I handed off my “baby,” a $100 million pet care franchise built from scratch, so I could fight for the American dream I have been so blessed to live. I had seen how our politicians and government were tearing opportunities away from our children. Government was making it harder and harder to start and grow a business, raise our families, and live freely.
So, I went to work. First, I launched a non-profit to fight for justice in our court system: Moms Fight Back. Then, I was the last Republican to win a statewide race in Colorado as regent at the University of Colorado. For six years as a regent, I battled cancel culture, indoctrination and a growing administrative state on the front lines of higher education.
Then, I ran for governor, where I found myself at war with what I call “the machine,” a web of progressive billionaires and their sham non-profits, bought-and-paid for politicians and lapdog press.
Through all of that, I gained a deep knowledge of how the sausage is made in our institutions, in our politics, in our media — things you can’t know unless you’ve been through that grinder…and it’s ugly.
I learned transparency and truth are the way out of this mess, which is why I launched Rocky Mountain Voice. We exist to hold bad actors accountable, to shine sunlight on their dark efforts, and to give others a way to get the truth out.
Two weeks ago, I held a press conference to announce the results of a two-year investigation backed by a dedicated team of researchers. We found gaps in our so-called “gold standard” elections.
The “machine” does not like being called out, so it lashed out. Eight media stories coordinated in the last few days, with various politicians and their paid “experts” spouting prepared misinformation. They hoped their coordinated efforts would bury the truth.
This is not my first rodeo. I knew they would do this, so I made damn sure we checked, double-checked, and confirmed again every claim with industry experts that know far more than the bureaucrats and politicians claiming there is nothing to see. We want these problems fixed. I trust computer security experts to know how to do that, not politicians.
At the end of the day, it is up to you, the citizens of Colorado to decide what to believe. I am here to expose the “machine” and provide accurate, well-researched information so you can hold your government accountable. That is it, no other agenda. I am on a mission to get you the truth and force them into the sunshine.
In that spirit, what follows is a lot of detail provided by our experts to counter what we are being told by the “machine” about our elections. I encourage you to do your own research, and hear out the media, the politicians, and the well-paid bureaucrats. Put it on the politicians to PROVE their information is accurate.
As you will find, like I found, they want to keep Coloradans in the dark.
The Other Side of the Story
Our public officials have misled us about whether our voting systems have vulnerabilities related to remote access connectivity. Here’s what they had to say before our investigation.
“The voting system is secured from tampering through multiple safeguards. Voting systems are never connected to and cannot be accessed through the Internet because Wi-Fi and Bluetooth capability are stripped from the unit before use and all other connective technology is disabled by the Trusted Build.” — Jena Griswold, RE: Legislative Audit Committee Hearing on Election Integrity, Page 4, para. 15, Dec. 14, 2020.
In the news in early September 2024, Sarah McAfee, a spokesperson for the Jefferson County clerk’s office said, “No vote counting machines in Colorado are connected to the Internet.
“To start with, none of our tabulation software and none of our tabulation machines are connected to the Internet. So they cannot be hacked from the outside,” former Secretary of State Wayne Williams told Peter Strescino with The Pueblo Chieftain, Oct. 19, 2016.
On June 3, 2024, Bobbie Gross, the Mesa County clerk and recorder, said, “Mesa County’s ballot processing equipment is not connected to the Internet in any way, but the voter registration database elections staff need to access is connected to the Internet.”
A week ago, after we brought to light that 12 counties have remote Wi-Fi access capabilities in their voting systems, they changed their tune.
“This is a known thing amongst the counties and amongst the Secretary of State’s office — that the (wireless) card was physically present, and so that there’s a couple of steps that were taken to ensure that it wasn’t activated or present,” Boulder County clerk and recorder Molly Fitzpatrick, a Democrat, said. She is the president of the Colorado County Clerks Association.
In an email to CPR News, the Colorado Department of State explained that no voting equipment in Colorado has ever been allowed to be connected to the Internet, as stated in Rule 20.5.3 of Colorado’s Election Laws, and that there are systems in place to make sure it doesn’t happen.
Carly Koppes, the Weld County clerk and recorder said, “The reality is that there are layers upon layers of security measures around it, to where if this is a component that has WIFI in it, it is nearly impossible to get in there and expose it.” Koppes is the vice president of the Colorado County Clerks Association.
These non-technical officials have created word salad to obfuscate the truth about whether or not the election management systems are vulnerable to remote access. In the time and effort they have taken to deny what we have found, the modules could have been easily removed in all 12 counties.
Here’s what our experts have to say about their recent claims:
Myth 1: Once WiFi is disabled in the BIOS, it’s completely inaccessible.
In reality, this is a half-truth at best. Disabling a component in the BIOS only restricts access from the operating system; it does not affect technologies like Intel’s AMT, which operates outside the system’s BIOS and OS. AMT can override BIOS settings and allow remote control of the system, including the reactivation of disabled components. AMT runs on its own microprocessor embedded within Intel chips, meaning it can function independently and invisibly.
Moreover, Dell systems, which are widely used in voting systems, have a feature called Wake-on-LAN (WoL). Even with the hardware module disabled in the BIOS, a computer can be woken up remotely using a magic packet, potentially re-enabling network components, including WiFi, without leaving an audit trail in system logs.
Myth 2: The Trusted Build process is performed biannually, and WiFi components are disabled in the BIOS in line with NIST guidance.
The truth is, there is no biannual Trusted Build process. Trusted Build is validated only when necessary, such as when a new version of the software is released or there is a change in hardware components system wide. A trusted build is reapplied to a computer when a device needs replacement. For example, if a laptop used in the system fails, it will be replaced, and the Trusted Build will be applied to ensure the same software configuration.
Moreover, while disabling WiFi components in the BIOS may sound like a solid solution, it overlooks critical details. The fact that these components are included in the system at all raises a red flag. Colorado law prohibits the use of wireless networks in voting systems, so why are these systems even equipped with WiFi hardware? Voting machine vendors, like Dominion and ClearBallot, could have chosen to use non-wireless hardware or processors without remote management technologies, such as AMD processors. Instead, they opted for Intel processors, which are known to have built-in technologies like Active Management Technology (AMT) that operate independently of both the BIOS and the operating system. This choice adds a layer of vulnerability that goes beyond mere BIOS settings.
Myth 3: Tampering with voting systems would void certifications and contracts.
Yes, tampering with voting systems voids certifications, but historical events show that improbable scenarios do occur. For instance, before 9/11, no one imagined that box cutters could be used to take control of airplanes, yet it happened. Similarly, while tampering with election equipment may seem unthinkable to some, supply chain vulnerabilities and weak oversight mean that tampering is not only possible but has precedent in other areas of critical infrastructure.
The U.S. government’s procurement process for sensitive equipment is strict precisely because of the risks posed by compromised components. For example, the Department of Defense won’t source critical technology from countries that pose a security risk. Unfortunately, the same level of scrutiny doesn’t always apply to voting systems.
Removal of remote access WiFi modules is not considered tampering as long as it is done by official election personnel.
Myth 4:. Tampering after installation would require disabling security measures that are nearly impossible.
While voting systems in Colorado are subject to various checks and balances, post-installation tampering remains a possibility, particularly through remote access. Voting system vendors, or anyone with access to their servers, could potentially introduce malware consisting of only a few lines of code or vulnerabilities into election files downloaded by counties. Once a compromised file is loaded onto voting systems, it could exploit existing vulnerabilities, particularly if the system has wireless capabilities that may have been re-enabled remotely.
Additionally, most county officials do not have BIOS or iDRAC (Dell’s Integrated Dell Remote Access Controller) passwords, meaning they cannot verify whether WiFi components are truly disabled or whether out-of-band management tools are active.
Myth 5: Colorado’s Logic and Accuracy (L&A) testing ensures the WiFi is disabled in the BIOS.
L&A testing is primarily designed to ensure that the voting system tabulates votes correctly, not to assess its security posture or hardware configuration. The truth is that there is no explicit verification that WiFi is disabled during these tests. The process focuses on the accuracy of ballot processing, not whether potential attack vectors, like wireless components, are truly neutralized. Various Logic and Accuracy Test board members at the county level have pointed out that they were never shown evidence that WiFi was disabled during the L&A process. The system’s configuration is simply assumed to be secure. The same is true of the Canvas Board after the election.
Conclusion: Are Elections Secure?
While election officials tout robust security measures, the truth is that significant vulnerabilities remain, particularly concerning wireless capabilities in voting systems. The presence of wireless cards, the potential for remote access through Intel AMT, and the limited scope of current testing protocols mean that these systems are not as secure as many believe.
To ensure true election integrity, more stringent steps must be taken. This remedy includes physically removing wireless components from machines, adopting processors without remote management capabilities, and ensuring that all county officials have the ability and authority to independently verify system configurations. Anything less leaves the door open for exploitation, whether by foreign adversaries or domestic bad actors.
While no system can ever be 100% secure, the current measures fail to provide the kind of trust and transparency that voters deserve. More must be done to address these systemic weaknesses before the next election cycle.
And this certainly doesn’t mean you shouldn’t vote in the next two weeks, turn in your ballot like the future of our country depends on it – because it does!
Editor’s note: Opinions expressed in commentary pieces are those of the author and do not necessarily reflect the opinions of the management of the Rocky Mountain Voice, but even so we support the constitutional right of the author to express those opinions.