Election Security and Cybersecurity
Election security encompasses the technical, operational, and policy measures that protect voting infrastructure, voter registration systems, and election management platforms from cyberattacks, unauthorized access, and interference. Federal designation of election systems as critical infrastructure in 2017 established a formal cybersecurity accountability structure for the sector, drawing in agencies including CISA, the FBI, and the Election Assistance Commission. The scope extends from precinct-level voting equipment to the software supply chains supporting state election offices.
Definition and scope
Election infrastructure is classified as a subsector of Government Facilities critical infrastructure under the framework established by Presidential Policy Directive 21 (PPD-21). The Cybersecurity and Infrastructure Security Agency (CISA) serves as the Sector Risk Management Agency (SRMA) for election security at the federal level, coordinating threat intelligence sharing with all 50 state election offices and more than 8,000 local jurisdictions (CISA Election Security).
The scope of election cybersecurity divides into the following primary asset categories:
- Voter registration databases — State-administered systems storing voter eligibility records, targeted for data exfiltration or manipulation to disrupt voter access.
- Election management systems (EMS) — Software platforms used to program ballot definitions, accumulate results, and manage audit trails; typically air-gapped from public networks but exposed during software update cycles.
- Voting equipment — Direct-recording electronic (DRE) devices, optical scan tabulators, and ballot-marking devices; physical security and firmware integrity are primary concerns.
- Unofficial results reporting infrastructure — Public-facing websites and results transmission networks that, while not authoritative, are high-visibility targets for defacement or manipulation designed to erode public confidence.
The National Cybersecurity Strategy identifies election infrastructure as a priority protection domain alongside energy, water, and financial systems.
How it works
Federal support for election security operates through a layered coordination model. CISA deploys Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) services, managed in partnership with the Center for Internet Security (CIS), to provide real-time threat intelligence, Albert Network Monitoring sensors, and malicious domain blocking to participating jurisdictions (EI-ISAC, Center for Internet Security).
The operational security framework follows a phased structure aligned to election cycles:
- Pre-election assessment — Risk and vulnerability assessments of voting systems, network penetration testing, and tabletop exercises conducted 90–180 days before an election.
- Configuration and hardening — Application of CIS Benchmarks and NIST SP 800-53 controls to EMS servers and network perimeters; removal of unnecessary remote access pathways.
- Supply chain verification — Review of software and hardware provenance for voting equipment; supply chain cybersecurity risks have been formally identified as a vector in the NIST framework for election systems.
- Monitoring and incident detection — Deployment of Albert sensors at state and local network ingress points to detect anomalous traffic and known threat indicators during the election window.
- Post-election audit — Mandatory paper ballot reconciliation in jurisdictions with paper audit trails; risk-limiting audits (RLAs) provide statistical verification of machine-reported outcomes.
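A worked example of the risk-limiting audit logic mentioned above, added here and not taken from the page, the EAC, or any election office's tooling: it implements the BRAVO ballot-polling sequential test (Lindeman, Stark and Yates) for a single-winner plurality contest. The candidate names, reported tallies and the sampled ballot sequences are constructed, and the function name `bravo_audit` is an assumption.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style sequential test).

Added illustration; not code from CISA, the EAC, or any jurisdiction.
All tallies and sampled ballots in this file are constructed.
"""
from typing import Dict, List, Optional, Tuple


def pairwise_shares(reported: Dict[str, int]) -> Dict[Tuple[str, str], float]:
    """For every (winner, loser) pair, return the winner's reported share
    among ballots cast for just those two candidates (single-winner contest)."""
    ranked = sorted(reported, key=reported.get, reverse=True)
    winner = ranked[0]
    shares = {}
    for loser in ranked[1:]:
        s = reported[winner] / (reported[winner] + reported[loser])
        if s <= 0.5:  # a tie or inverted margin can never be confirmed by sampling
            raise ValueError(f"reported margin for {winner} over {loser} is not positive")
        shares[(winner, loser)] = s
    return shares


def bravo_audit(reported: Dict[str, int], sample: List[str],
                risk_limit: float = 0.10) -> Optional[int]:
    """Walk the sampled ballots in order. Each pair keeps a likelihood ratio T
    that is multiplied by 2*s on a ballot for the winner and by 2*(1-s) on a
    ballot for that pair's loser; ballots for anyone else leave T unchanged.
    Returns the number of ballots examined when every pair's T reached
    1/risk_limit (outcome confirmed at that risk limit), or None if the
    sample ran out first (escalate: draw more ballots or hand count)."""
    shares = pairwise_shares(reported)
    t = {pair: 1.0 for pair in shares}
    threshold = 1.0 / risk_limit
    for n, choice in enumerate(sample, start=1):
        for (w, l), s in shares.items():
            if choice == w:
                t[(w, l)] *= 2 * s
            elif choice == l:
                t[(w, l)] *= 2 * (1 - s)
        if all(v >= threshold for v in t.values()):
            return n
    return None


if __name__ == "__main__":
    # Constructed reported result: A 7000, B 3000, C 1000 (A's share vs B is 0.7).
    tallies = {"A": 7000, "B": 3000, "C": 1000}
    print(bravo_audit(tallies, list("AAAAAACA")))    # confirmed after 8 ballots
    print(bravo_audit(tallies, list("ABABABABAB")))  # None: sample does not support A
```

With a 70/30 reported split, a run of seven winner ballots multiplies T by 1.4 seven times (about 10.5), which is what makes a 10% risk limit attainable; a sample that alternates winner and loser ballots shrinks T by 0.84 per pair and never confirms.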
The Election Assistance Commission (EAC) administers the Voluntary Voting System Guidelines (VVSG 2.0), the technical standard governing software independence, auditability, and access control requirements for certified voting systems (EAC VVSG 2.0).
Contrasting federal-state authority: Federal agencies provide support and intelligence but hold no directive authority over state election administration. States retain constitutional jurisdiction over election administration, which means baseline security postures vary across 50 separate regulatory frameworks. This structural gap differentiates election security from sectors such as financial services, where federal regulators can mandate compliance controls directly.
Common scenarios
Documented threat scenarios in election infrastructure fall into distinct operational categories:
- Voter registration database intrusion — In 2016, Russian GRU operatives targeted election infrastructure in all 50 states, successfully accessing voter registration data in Illinois and at least one other state, as documented in the Senate Intelligence Committee Report on Russian Active Measures (Volume 1, 2019).
- Spearphishing against election officials — Local election administrators receive targeted email campaigns designed to harvest credentials for EMS access or internal communications platforms. CISA's 2022 election security advisory identified credential theft as the primary initial access vector in election-related incidents.
- Disinformation amplification via website compromise — Defacement of unofficial results pages or injection of false tabulation data into media-facing feeds exploits the gap between unofficial and certified results to manufacture doubt.
- Ransomware affecting county IT infrastructure — Ransomware affecting general county government networks has disrupted ballot printing, payroll for poll workers, and internal communications in documented incidents during the 2020 and 2022 cycles, even when voting equipment itself was not compromised.
- Physical hardware interdiction — Supply chain tampering with voting equipment during manufacturing or distribution, addressed in CISA's Hardware Bill of Materials (HBOM) guidance.
Decision boundaries
Jurisdiction over election security incident response follows distinct authority boundaries that practitioners must recognize:
Federal jurisdiction applies when the incident involves a foreign state actor, crosses state lines, or implicates federal computer fraud statutes under 18 U.S.C. § 1030. The FBI leads criminal investigation; CISA leads technical incident response support.
State jurisdiction applies when the incident is domestic in origin, confined to in-state infrastructure, and does not meet federal nexus thresholds. State Fusion Centers and state National Guard Cyber Units are the primary response assets. The cyber incident reporting requirements framework under CIRCIA does not yet cover election-specific reporting mandates, though state-level reporting obligations vary.
Local authority governs physical security of polling places, chain-of-custody procedures for voting equipment, and post-election canvassing. Local officials are not typically equipped to conduct digital forensics and rely on state or CISA emergency support under the Election Security Emergency Support Function.
The distinction between voting system certification (EAC/VVSG jurisdiction) and operational security (CISA/state jurisdiction) is a persistent structural boundary: a system may be federally certified but deployed in a configuration that introduces vulnerabilities not covered by certification testing.
References
- CISA Election Security
- Election Assistance Commission — VVSG 2.0
- EI-ISAC, Center for Internet Security
- NIST SP 800-53, Rev 5 — Security and Privacy Controls
- Senate Select Committee on Intelligence — Report on Russian Active Measures, Volume 1 (2019)
- Presidential Policy Directive 21 (PPD-21)
- CISA — National Cybersecurity Strategy