By Heidi Ganahl, Commentary | Rocky Mountain Voice
In a troubling development, Colorado’s Secretary of State recently confirmed that critical election system passwords were inadvertently published online, leaving sensitive data exposed for months. This exposure, according to conservative leaders, highlights severe security concerns and a failure of transparency from the Secretary’s office, prompting calls for accountability and an independent investigation.
The released passwords, typically reserved for only a small circle of trusted state employees, were accessible to a much broader audience, including county clerks, certain county employees, and third-party vendors. These passwords, particularly for the Basic Input/Output System (BIOS), provide access to fundamental system settings, creating a potential vulnerability in Colorado’s election infrastructure. BIOS access bypasses standard operating systems, allowing control over hardware at its most basic level—a level that cybersecurity experts have long warned is susceptible to exploitation by even moderately skilled hackers.
In her response, the Secretary attempted to downplay the security risks, stating that the passwords were only “partial” and that multiple passwords are required to gain access to election systems. However, this claim has drawn criticism, with opponents arguing it demonstrates a worrying lack of understanding of BIOS security. BIOS access does not rely on multiple password layers, as the Secretary implied, which raises doubts about her office’s grasp of the system’s vulnerabilities.
This response from the Secretary’s office has left several key questions unanswered. Her statement failed to clarify:
• Whether the exposed passwords were current at the time of the breach. While she suggested in an interview that some passwords were outdated, it remains unclear how many of the passwords, if any, were actively in use.
• Who within her team posted the confidential information and how the breach occurred. Was it an error or something more intentional?
• Whether an investigation into the incident is ongoing or was even initiated to uncover the breach’s origins.
• When the passwords were initially posted, which would indicate if the security lapse occurred before recent election events, raising questions about the integrity of those results.
One of the most pressing issues is the matter of physical access. While the Secretary highlighted the physical security measures in place, hundreds of individuals—ranging from county employees to state contractors—have direct access to voting systems. With the BIOS passwords inadvertently released, the traditional protections against unauthorized access are now effectively nullified. The Secretary has yet to explain how she intends to assure the public that no one with access used these passwords, especially over the extended period they were exposed.
Adding to the controversy, a 2022 security review in Douglas County, led by me as the GOP Governor nominee, indicated that election systems could potentially be accessed remotely, further amplifying concerns about the broader security framework surrounding Colorado’s election infrastructure.
In the wake of these revelations, conservative leaders sent a detailed letter to the Secretary, outlining their concerns and demanding an appropriate response. They emphasized that their goal was not to score political points but to ensure the integrity of Colorado’s elections. According to these leaders, this issue transcends party lines; it’s about holding public officials to a standard of transparency and accountability, especially regarding election security.
In light of the Secretary’s perceived evasions and the absence of a clear action plan, conservative leaders announced plans to pursue legal relief to compel her office to provide concrete reassurances about the safeguards in place—or the lack thereof—following this breach. They are also calling on state lawmakers, particularly Republicans, to convene an emergency committee to investigate the Secretary’s handling of the incident and bring transparency to the situation.
Furthermore, these leaders point to the Colorado Election Rules as grounds for action. Specifically, they argue that the Secretary violated Rule 20.5.2(c)(11), which governs the confidentiality of election system passwords. Under Rule 20.5.8(a)(1), county clerks are now required to file incident reports due to this violation, and the Secretary must subsequently assess, as per Rule 20.12/2(b), whether the affected voting machines should be decertified.
For Colorado’s county officials, the burden now shifts to them to ensure compliance with state election rules. They are urged to file the necessary incident reports and work toward a resolution that restores public trust in the security of Colorado’s election systems.
With election security already a topic of national debate, this incident has intensified scrutiny on the Secretary’s office. The release of these passwords demands more than a standard public relations statement—it requires a thorough investigation, accountability, and a transparent corrective plan to ensure that such a lapse does not recur. As the situation unfolds, conservative leaders’ call for a serious and substantive response from the Secretary’s office underscores a growing demand for transparency, trust, and integrity in the state’s election infrastructure.
Editor’s note: Opinions expressed in commentary pieces are those of the author and do not necessarily reflect the opinions of the management of the Rocky Mountain Voice, but even so we support the constitutional right of the author to express those opinions.