Lawmakers grill Colorado Secretary of State Jena Griswold about possible security breach
Colorado lawmakers grilled Colorado Secretary of State Jena Griswold on Friday at the state capitol about her handling of a possible security breach. Hundreds of passwords to election equipment were leaked days before Election Day and could have severely impacted half of Colorado's counties.
The passwords were for voting equipment across the state, and they were posted on the Colorado Secretary of State's website. There are still a lot of questions about what happened, which is why Griswold says she has hired an outside firm to investigate. The Denver District Attorney's Office is also looking into the leak to determine if a crime was committed.
Griswold, a Democrat, went before the Joint Budget Committee Friday to talk about funding, but members wanted answers about the leak. She told them she followed cybersecurity best practices when she learned of the situation, and says there was never an immediate threat, but she admits she has some regrets.
Griswold knew about the leak for several days but didn't tell the governor or county clerks who secured the equipment.
"If you weren't outed by an outside group, would you have ever notified the clerks?" said Republican state Sen. Barbara Kirkmeyer.
"Yes. We needed to determine the size and the scope of the issue and finalize our technical and outreach plan before sharing it to avoid fueling the major disinformation environment that surrounds elections," Griswold said.
But in a secretly recorded call with clerks, Griswold's top deputies said they never intended to notify them. Colorado Deputy Secretary of State Christopher Beall said in that call that "We were not going to tell counties because we could not tell counties without it becoming the media storm it has become."
Adams County Clerk Josh Zygielbaum was on the call and in disbelief over the decision. The Democrat said on the call: "It's completely unacceptable that this is our process now, five days before the election, to get this done."
This week Zygielbaum said he doesn't regret what he said on the call.
"I have always been one to speak my mind. Sometimes it gets me into a little bit of trouble," Zygielbaum said.
After hearing Griswold's explanation, Zygielbaum says she did the right thing.
"So I understand the secretary's decision to not say anything until she had a full grasp of the situation," he said. "I hope that ... number one, that, you know, we can just move forward from it. Essentially no harm came from it, other than some public perception. And that's on us to continue doing the work to improve that."
But Kirkmeyer isn't letting Griswold off so easily. She says Griswold left clerks in the dark.
"They get blindsided, but she has all the time to prepare written statements that she just keeps repeating? It's just ridiculous. It's reprehensible," she said.
Griswold told the committee the important thing is no one gained access to the election equipment.
"The whole error is something that I take accountability for. I'm regretful that the clerks did not learn first from us, but we were following cybersecurity best practices to approach this in a methodical way to make sure that we got it right, and we did," she said.
Griswold declined an interview with CBS Colorado, but her communications director says the recording of that deputy secretary call with clerks is incomplete. Communications Director Kailee Stiles says that, later in the call, a staff member told clerks the secretary did plan to notify them after she assessed the scope of the leak.
Griswold says there are more than 2,000 pieces of election equipment that are password protected. The leaked passwords were for equipment in 34 counties. She says they were able to change them and able to confirm that no systems were accessed, and that the election results were verified with the audits that happened this week. The secretary says she is now requiring additional cybersecurity training for her staff.