by Amuse
The Colorado voting machine security breach under Secretary of State Jena Griswold’s watch is an epic in incompetence and deceit, a calamity born not out of malice but sheer, unchecked ineptitude. This debacle is yet another compelling reason for the United States to move to paper ballots and same-day voting, at least for federal elections, to ensure the integrity and security of our electoral process. Four months. Four full months of a ticking time bomb, and yet no one seemed to notice the system BIOS passwords posted online for all to see. It was like a “Help Yourself” buffet for anyone with an internet connection.
This isn’t merely a local administrative error. It is a significant threat to the very foundation of electoral integrity—a threat fostered by a combination of bureaucratic negligence, lax security protocols, and Griswold’s dogged refusal to take meaningful action. Not only was the BIOS password exposed, but it was maintained unencrypted, sitting vulnerably in an Excel spreadsheet stored on state network drives. One might think these officials were desperate to be hacked. And when it comes to passwords—let’s just say their approach violated even the most basic CISA guidelines, rules that have been around for more than fifteen years. Apparently, securing voting systems is a task too advanced for those in charge.
Contrary to Griswold’s initial reassurances that this was a minor, isolated error, it later emerged—through the admissions of Deputy Secretary of State Christopher Beall—that more than half of Colorado’s counties were affected. One cannot help but marvel at the level of ineptitude required to let a disaster like this go unnoticed for so long. If you leave your house door wide open for a few minutes, you should assume that something may have happened inside. Griswold and her merry band of public servants managed to leave the door open for four months and then acted surprised when people noticed.
If there is one thing clear about basic cybersecurity, it is that you cannot be this reckless without consequences. Any compromise of BIOS passwords in a critical infrastructure computer requires assuming that the entire system has been compromised unless proven otherwise. We are talking about passwords that give direct access to the foundational layer of a voting machine—and by extension, the very process by which we select our representatives. If that isn’t the definition of critical infrastructure, then what is?
And it wasn’t just the BIOS passwords. Once one voting system component is compromised, anything connected to it—LAN cables, HDMI cables, even air-gapped systems using removable media—must be assumed compromised as well. It’s Cybersecurity 101. CISA, the lead federal agency for election infrastructure security, lays out clear standards and procedures for handling such incidents. The very least Colorado could have done is follow them. Instead, they opted for a comedic routine of denial, delay, and deception.
The immediate actions taken by Griswold’s office can best be described as an exercise in performative futility. Day 1: they found out (through their vendor, no less), scrambled to remove the .xlsx file from the web after a leisurely four-month gap, and reported it—to CISA, naturally. Did they bother telling Colorado election officials or the public? Of course not. Why trouble the plebeians with such trivialities?
Days passed, and when the state GOP learned of the breach and the media caught wind, Griswold finally came out of her bunker. Her strategy? A classic: evade, obfuscate, and pretend everything was under control. Griswold claimed that each voting machine required two separate passwords, with different people or groups entrusted with only one password each, making it supposedly impossible for the machines to be compromised. This claim was false. Even if it were true, the group not supposed to have the BIOS passwords could have simply downloaded them from the internet, meaning that multiple individuals certainly had complete and unfettered access to the machines. They dispatched people to change a handful of passwords, and Griswold went on a media blitz, making a futile attempt to gloss over the enormity of the breach. Day 9 saw Governor Jared Polis attempt his own desperate act of damage control, ordering a broader, albeit equally ineffective, response to ensure password changes. Apparently, it takes helicopters to change passwords in Colorado.
But what Griswold and Polis both failed to do was address the real danger: the integrity of the voting systems themselves. The affected machines were still in use, election officials continued to tabulate votes with them, and—most damningly—no real forensic analysis was ever conducted to determine the scope and impact of the compromise. At no point did anyone pause and take a breath to say, “Maybe we should actually stop using these machines until we’re absolutely sure they’re safe.”
A proper response would have been as follows: first, halt the use of all affected systems; second, image the compromised machines to preserve the evidence; third, bring in qualified cyber forensic experts to determine if, when, and how the systems were breached; fourth, address the timing and impact of any compromise, especially since this breach was active during the Colorado primary election. And fifth—and only after all other steps were satisfactorily completed—remove any malicious influence, if possible, and restore functionality. None of this happened.
What did happen, instead, was a spectacle of bureaucratic incompetence that would be almost humorous if it weren’t undermining the sanctity of Colorado’s elections. The public was told, “Nothing to see here, folks, move along,” as if we’re all too stupid to understand the ramifications of a four-month breach that affected a majority of the state’s counties. Anyone insisting today that Colorado’s voting systems are secure, or that citizens can rest assured their votes have been accurately counted, is either woefully ignorant or has a vested interest in upholding the false narrative of a “swift response.”
Consider, for comparison, the case of Tina Peters. The former Mesa County Clerk, convicted in October 2024 for allowing access to her county’s voting systems to a security consultant in 2021, received a nine-year prison sentence. Nine years for trying to determine if voting machines were secure—yet Griswold’s office escapes unscathed after spilling the keys to half the state for four months. How is it that Peters is demonized while Griswold and her team, despite being blatantly negligent, get a pass? It seems there are different rules for those in power, especially if they have the right political connections.
In the wake of the breach, the Libertarian Party of Colorado filed a lawsuit against Griswold, demanding she step aside from her election responsibilities, remove compromised devices from service, and order ballots to be hand-counted in affected counties. Yet Griswold’s lawyers, in a performance of unrepentant arrogance, argued that such actions would create “chaos” with Election Day looming. It’s always chaos that’s to be avoided, never accountability.
During the subsequent court hearing, it became clear just how deep the rot went: 46 counties had systems with the passwords exposed, and 34 of those still had active passwords. The court dismissed the testimony of expert Clay Parikh, an election systems analyst for nearly a decade, because—wait for it—he supposedly wasn’t qualified to discuss Colorado’s specific voting systems. The absurdity of the objection would be laughable if it didn’t have real-world consequences. It’s akin to saying an automotive engineer couldn’t testify about a car because it was built in a different state. Yet this is where we are: justice obstructed, integrity compromised, and those responsible for safeguarding democracy performing nothing but a hollow pantomime of action.
Time to recycle all those Dominion Voting Machines and start a Investigation into this all
Time to vacate Tina Peters sentence and examine what she discovered. And to prosecute Griswold!