Colorado authorities say election system wasn’t breached after report leaks NSA intel

DENVER – Colorado authorities haven’t received any notice from federal agencies that state voter systems were compromised during last year’s election, they said Tuesday.

On Monday, The Intercept published a leaked National Security Agency classified intelligence document showing that Russian hackers were able to phish their way into some U.S. elections systems, specifically through a company called VR Systems.

Then Tuesday, Sen. Mark Warner, a Virginia Democrat who is the chairman of the Senate’s intelligence committee, followed up by telling USA Today that while he doesn’t believe the hackers were able to change any voting outcomes, “the extent of the attacks is much broader that has been reported so far.”

But the Colorado Secretary of State’s Office told Denver7 Tuesday afternoon that it doesn’t appear Colorado falls even under that broader scope, though its officials are already taking note of the reports.

Colorado did not utilize VR Systems for any election services, said Trevor Timmons, the chief information officer for the secretary of state’s office.

Timmons also noted that Colorado’s system has extra steps to ensure phishing schemes, like the one that was purportedly used to gain access to other states’ systems, don’t affect Colorado’s.

He said that Colorado’s system requires multi-factor authentication beyond a simple user name and password. He also says that there are special codes needed for the multi-factor authentication that change thousands of times each day—another level of security aimed at keeping hackers from penetrating Colorado’s voting and voter registration systems.

The Secretary of State’s Office also gives new employees rigorous training on security measures, and often conducts phishing tests to identify any employees who may be susceptible to those schemes for further training.

Timmons says that phishing is extremely common, however.

“I can’t even turn around without reading a story about a person—whether they were targeted or fell for a well-crafted email—that someone was trying to do something nefarious,” Timmons said.

The office is adamant that everyone use good “cyber hygiene” and to be wary of any suspicious emails or phone calls—especially if they ask for specific or personal information.

As for if Colorado is taking extra steps already to prevent any possible future hacking attempts, both Timmons and office spokeswoman Lynn Bartels said state officials were taking note.

“We’re going to reach out to the Department of Homeland Security and other organizations and gain addition information. Are there things we’re not paying attention to that we need to be that surfaced as a result [of the report]?” Timmons said of the NSA revelations. “Even if the super-secret people are not able or willing to share information, at bare minimum, we’re going to use this as an example.”

Bartels said that the matter was also highly likely to come up when the state’s county clerks meet in Aspen later this month.

In the meantime, the National Association of Secretaries of State called the NSA report “concerning,” but said it had “yet to see any evidence that would call into question the outcome of the 2016 elections in any state or locality.”

The association also asked DHS to share “documented threat intelligence” with secretaries of state and other local election officials targeted in the campaign detailed in The Intercept’s report.

Posted on: June 7, 2017Blair Miller