DENVER — Three Republican clerks in Colorado have now been questioned by the Secretary of State's Office about potential security breaches to their voting equipment.
Douglas County Clerk Merlin Klotz responded to questions by Colorado Democratic Secretary of State Jena Griswold, saying he used "inexact wording" when he wrote a constituent an email saying he 'took a full image backup of our server." That email was posted on a social media app called Telegram.
He explained that he simply did the required backup of "records containing Douglas County election data."
Two other Republican clerks, Mesa County Clerk Tina Peters and Elbert County Clerk Dallas Schroeder, have admitted to copying their election software and sharing it with people outside of the county.
They say it is to preserve evidence of the 2020 election.
It got us wondering, what else could you do with a copy of a voting server?
"If you understand how the program is because you've got your hands on it, you can start to go, 'How can I manipulate it for whatever my gains are?'" said Cybersecurity Research Chris Roberts.
Roberts gives presentations on election security. In a 2020 presentation, he included a slide with the following tidbit: "Anyone with physical access to a machine can install malicious software in less than 60 seconds."
"What this does, with having access to the software and controls and everything, it now just gives you the additional insight into going 'OK, I know that when you walk in and you press this button, this is exactly the set of commands that occur, this is exactly where it goes. I know if I build a program that I can adjust it,'" said Roberts.
After each election, before the results are certified, Colorado conducts what is called a risk-limiting audit. A bipartisan team looks at random ballots from each county and compares them to how the scanner counts the vote. If the machine count were off, this audit would reveal the discrepancy. Since the risk-limiting audits started in 2017, Colorado has never found fraud.
"In this computer security industry, we've been working and trying to work with a lot of the voting systems for a number of years, for all the reasons we're talking about now and a lot more," said Roberts. "If I'm an attacker, if I'm a country looking into this country, we already know there's so much instability, so all I have to do is potentially do something or even introduce a flow or a fault in one or two or five or 10 different places, and you've introduced basically people not trusting it."
One other aspect of election machine security is one you can use in everyday life: password complexity.
Roberts said voting machines have been found to have really easy to crack passwords.
In one of his presentations, he includes a chart on password complexity and how many characters are needed to keep a hacker from guessing.
If you are only using numbers, you need 18 numbers to keep someone guessing for 126 years.
Just using upper and lower case letters require at least 12 to have 600 years of protection.
With mixed numbers, upper and lower case letters and symbols, at least 10 would give you more than 900 years before someone can crack the code.