Software Flagged In Federal Voting System Advisory Never Used In Colorado

By Sara Wilson, Colorado Newsline

June 1, 2022

Colorado election officials received an advisory about software vulnerabilities in Dominion Voting Systems electronic voting machines, but the officials say they remain confident in the state’s election process.

The U.S. Cybersecurity and Infrastructure Agency, which sent the advisory, said that the machines, which are used in at least 16 states, can be susceptible to hacking, as reported by the Associated Press, which obtained the advisory ahead of its expected release on Friday.

The advisory reportedly makes clear that there is no evidence that the machines’ flaws were used to change election results, simply that they exist. It deals with potential vulnerabilities with ImageCast X, a Dominion product that can be used as a ballot marking device. In some states, like Georgia, the machines print a paper ballot with a barcode after a voter selects their choices. The voter can check a summary of the votes, and then a scanner uses that barcode to tally votes.

"Those codes can be subject to attacks that exploit vulnerabilities, such as the barcode being inconsistent with the human-readable summary list of the voter’s selection," the advisory says.

Colorado, however, has never used the ICX software version that researchers evaluated in the report that the advisory is based on. In fact, ICX usage in Colorado is limited: "In 2020, 2.5% of the ballots were cast using the equipment. In 2021, roughly 0.5% of ballots used it," a spokeswoman for Secretary of State Jena Griswold, a Democrat, said.

“Security and elections experts in the Department have reviewed CISA’s advisory and remain confident in the security of Colorado’s elections,” the spokeswoman said. “There is no evidence that any of the potential risks identified in CISA’s advisory have been exploited in any election in Colorado or elsewhere. Colorado is one of the nation’s leaders in secure elections and already implements a range of security measures that protect the state’s election equipment and voting systems from threats, including many of the mitigations CISA recommends.”

Those mitigation measures include compliance with chain of custody procedures, physical security measures and rigorous post-election audits. A recently passed elections security bill, which is expected to be signed into law, will further increase certain protection measures.

The vulnerabilities the advisory warns against are the kind that an insider threat or someone with advanced knowledge could exploit, such as an election official.

Colorado has landed at the forefront of election security issues with the recent indictment of Mesa County Clerk Tina Peters, who allegedly facilitated a security breach that resulted in sensitive election systems passwords being posted to election conspiracy websites. A district court judge barred Peters, a Republican who is running for secretary of state, from overseeing the 2022 primary and general elections in her county.

Dominion Voting Systems machines are used in 62 of Colorado’s 64 counties. The company has been the subject of baseless conspiracy theories tied to the “big lie” that the 2020 election was stolen from former President Donald Trump.

Democracy functions only when people have access to reliable information about government and society. Colorado Newsline’s mission is to be a trusted source of such information. Newsline is nonprofit, nonpartisan and independent, and it provides fair and accurate reporting on politics, policy and other stories of interest to Colorado readers