STATETECH: What would you say are some of the lessons that Colorado has learned in terms of election security from the primary season?
Griswold: I think we’re facing two crises when it comes to elections in November: the pandemic and the attack on our democracy by Russia and other countries.
Colorado really leads on both fronts and can serve as a model for voting under both crises. The first and foremost is the use of mail-in ballots and early voting and the accessible elections we have. And for the second, Colorado is one of the safest states in which to cast a ballot. And today, voting machines are not connected to the internet. Each vote has a paper record, we do risk-limiting audits and I can go over all the things that we do to innovate.
I do think it’s very important to realize that election systems across the nation combat literally millions of malicious intrusions from all over the world, searching for vulnerabilities. And that the fact of the matter is that foreign countries and would-be hackers will continue to innovate. And I’m really proud of what we have done through COVID and also some lessons learned from our primary.
STATETECH: Can you talk about how Colorado approaches ensuring that its election systems are resilient in the event of cyberattacks?
Griswold: Absolutely. I think it’s really important to have various backup plans, basically. We have same-day voter registration. So, say the worst-case scenario happens when our statewide poll book is down; no voter will be turned away from the polls because of that same-day voter registration. But we do have backup servers that are continuously updated in real time. All of that information on those servers also goes onto a paper record that we can pull from.
And then I issued a series of rules to make sure that, leading up to the election, every county has a backup of their registrations, either printed or on a laptop that is not connected to the server, that has the most recent registrations within the last 24 hours. And, of course, I also ran an emergency rule that is now a regular rule to make sure that we have a sufficient amount of paper ballots and provisional ballots at every polling location.
We were the first state in the nation to conduct a risk-limiting audit that shows to a high statistical degree of certainty that our election results are correct. We were the first in the nation to institute two-factor authentication to that statewide voter registration database, and the first to do a secure ballot return. And, specifically related to the statewide poll book, we also set up on what we learned from our primary, which is a virtual command center where we are partnering with the Colorado National Guard, our IT security team and other partners to make sure that we are monitoring all of our election and support systems.
STATETECH: How do you look at the election security threat landscape?
Griswold: From my perspective, we have the three priority threats, and these aren’t in order of their severity; they’re all very important. No. 1 is directed hacks on election infrastructure. No. 2 is the increase in ransomware attacks we’re seeing, where the election infrastructure itself is not being attacked, but a door to the election infrastructure is being attacked. And No. 3 is these misinformation campaigns.
And I do think it’s very important to contextualize for your readers that misinformation isn’t about one person saying a falsehood. These are coordinated campaigns from foreign countries to try to suppress the vote or trick voters. These are sophisticated campaigns that go right to the heart of our democratic right to vote. We prioritize all of them.
Of course, we do penetration tests and hunts, but we’re one of the only states to actually monitor the dark web and social media. We’re looking for all types of words, from, “Hey, Election Day is on a wrong date” to key things that would alert us that our election systems or Colorado voters were being targeted.
I am proud that, last winter, I was able to lead a coalition of states to finally get the [intelligence community] to change their policy to alert states when state election infrastructure and local election infrastructure is under attack. Which, if you can recall from 2016, was a major failure of the federal government.
When it comes to disinformation, I have been pushing intelligence and calling on the federal government to take action. We know how effective Russia was in 2016, and looking to 2020, we know that other nations, including Iran, China, Russia and others, consider disinformation a top tool. So, I really do think that intelligence needs to work with states to declassify and roll out in a bipartisan, fact-based way information on disinformation campaigns. I just think that it is a major failing of the federal government to get in front of this threat. You know, the civil servants at DHS are great partners. But there has just been a complete lack of leadership out of Congress — there are various great bills sitting there — and out of the president to address this attack on our democracy and on American voters.
STATETECH: Are there election security tabletop exercises you’re going to be doing between now and November with the counties?
Griswold: In preparation for November 2020 we did a remote tabletop with the counties, so it was remote in 2019. We did an in-person tabletop with our counties — I want to say 62 out of 64 counties participated — in January 2020. We had five other states, the Department of Homeland Security, FBI, National Guard, the attorney general and three Election Assistance Commission commissioners attend that.
And then my executive team, including our IT manager, elections director, my deputy secretary and myself, did another in-person event with other states in D.C. And then we will be doing another remote tabletop on the 30th of July. We’re planning on doing another in-person after January because we have three statewide elections in 2020 in Colorado. But the answer is we feel really well prepared in terms of these tabletop exercises.
STATETECH: Is there anything in particular that keeps you up at night from an election security perspective?
Griswold: From an election security perspective? No, because we have a lot of contingencies in place for all foreseen possible scenarios, including [ransomware attacks on voter registration databases]. That is a concern in a lot of different states, other states.
But like I said, we are backing up our voter registration systems, on tape basically, that we could recreate very quickly. We have same-day voter registration. We’re going to have backups of those voter registration systems both in paper and on a disconnected laptop. We have backup generators. We have various servers. We’re monitoring the servers. We are really leading the nation in what we do to have cyber protection of our election infrastructure. But other states that don’t have same-day voter registration, that don’t have enough paper ballots at the polls or provisional ballots, that don’t have double servers, that don’t have two-factor authentication or are not doing the trusted builds that we do — there is major cause for concern.
And that’s why I’ve been so steadfast in making sure that the federal government does not shirk its responsibilities. It’s absolutely within the province of every state to administer elections, but it’s also Americans’ fundamental right to have their voices heard in elections. And there is a minimal duty of care. For me, that means mail-in ballots when it comes to a pandemic. We should not be forcing Americans to risk their health to cast a ballot. And even before the pandemic, it means a voter-verified paper ballot, ensuring that no voting equipment is connected to the internet and a statistical audit. It doesn’t have to be a risk-limiting audit, but an audit after the fact that shows to a high statistical degree of certainty that outcomes are correct. And cyber protections to make sure that if worst-case scenarios happen, there are backup plans, and that we are preventing a worst-case scenario from happening.