Former County Clerk of Mesa, Tina Peters, was placed under the hammer earlier this month. She was handed a sentence approaching the nine-year mark resulting from her actions in creating a forensic duplication of the Dominion Voting system of Mesa County. Her deeds were conducted prior to the execution of a ‘Trusted Build’, a complex process carried out by the Secretary of State post-election. Partially redacted passwords were a part of this process, which, under normal practice, are subject to modification upon completion of the ‘Trusted Build’.
For the uninitiated, Mark Cook, considered an authority in the field, explains the role of the BIOS (Basic Input/Output System) within the computer framework. Essentially, the BIOS is the pioneering system that initiates as a computer boots and lays the groundwork for configuring the operating system. It allows or prohibits system connection to the wireless card integral or associated with the system and managing the connection of an external drive.
Discussion has been rife with false allegations attributing Peters for the disclosure of BIOS passwords for the Dominion System in Mesa County. Being public knowledge, these passwords would raise certain eyebrows, but questions linger over whether they were ever accessible to the general public. According to some think tanks, it was the Colorado Secretary of State, Jena Griswold, who was engaging in such an exercise from the period of August to late October 2024.
These organizations are behind a written claim stating that according to an affidavit, over 600 BIOS passwords for the voting system components across 63 of the state’s 64 counties were displayed on the Secretary of State’s site. Allegedly, these passwords were neither encrypted nor adequately safeguarded and were within easy reach of the public.
An election regulation at play in Colorado, designated 8 CCR 1505-1 Rule 20.5.2(c)(11), explicitly lays down the need for proper maintenance of BIOS passwords-the maintenance to be both confidential and secure. This is a mandatory requirement for all civil servants assigned the responsibility of managing the voting system components.
Indeed, this grave oversight cannot be categorized as concrete ‘evidence of a breach’, right away. Yet, it indisputably points towards a significant disregard of rudimentary systems security and password administration principles.
A nefarious individual would still require either physical or remote connectivity to the systems in order to exploit this lapse. Open questions remain regarding whether these passwords were operational in any sense while being outright available to the public.
A pertinent reminder was propagated amongst clerks to scrupulously vet that the Wi-Fi on all voting system components, possessing such capability, remains disabled. Considering the nearness of the November 5th election, the Colorado GOP spared not a moment in seeking responses from Secretary Griswold — a request marked with a 24-hour reply deadline.
A significant correspondence was dispatched to Secretary Griswold, also reaching a number of other officials. This urgency highlights the seriousness of the potential security breach.
In response to the rising public concerns, a spokesperson from the office of the Secretary of State issued a statement. It declared that swift action was taken to remedy the situation at the very moment they became privy to it.
Cybersecurity and Infrastructure Security Agency (CISA) was engaged in the effort, which works tirelessly to safeguard the county’s key security infrastructure. CISA was duly informed of the lapse and the remedial actions initiated.
Continuing on the cover provided by the spokesperson, it was elucidated that the election equipment components are secured with twin unique passwords. These are stored separately in different locations and protected by various parties.
The point, undeniably vital to note, was that these passwords have a limited usability window. They require physical in-person access to the voting system, thereby adding a significant layer of security above and beyond simple password protection.
Overall, it’s evident that, despite the alleged security lapse, measures appear to have been taken to mitigate the potential risk. The situation underlines the continuous need for vigilance amongst those entrusted with such crucial administrative roles in our democracy.