Election Infrastructure Cybersecurity in the US
Election infrastructure cybersecurity encompasses the policies, technical standards, federal coordination mechanisms, and state-level programs that protect voting systems, voter registration databases, and election management systems from cyber threats. The sector is governed by a distinct regulatory and operational landscape shaped by the designation of elections as critical infrastructure under Presidential Policy Directive 21. Securing this infrastructure involves federal agencies, state election authorities, and a specialized set of technical frameworks — all operating under the constraint that election administration is constitutionally reserved to the states.
Definition and scope
The Department of Homeland Security designated election infrastructure as a critical infrastructure subsector in January 2017, placing it under the Government Facilities Sector umbrella. The formal scope, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), includes:
- Voter registration databases
- Voting systems (ballot-marking devices, optical scanners, direct-recording electronic systems)
- Election management systems used to program and tabulate ballots
- Polling place infrastructure and e-pollbooks
- Election night reporting systems and official websites
State governments retain primary authority over election administration, which creates a federated security model with no single federal mandate equivalent to HIPAA in healthcare or NERC CIP in energy. CISA's role is advisory and voluntary-assistance based — it cannot compel states to adopt specific controls. The Help America Vote Act of 2002 (HAVA) established the Election Assistance Commission (EAC) as the primary federal body for election administration standards, with authority to certify voting system test laboratories and publish the Voluntary Voting System Guidelines (VVSG).
How it works
The federal-state coordination model for election infrastructure cybersecurity operates across three functional layers.
1. Standards and certification
The EAC publishes the Voluntary Voting System Guidelines — VVSG 2.0 was adopted in February 2021 — which set baseline requirements for voting system hardware and software. Voting systems must be tested by EAC-accredited labs before states can certify them for use. These standards cover software independence, auditability, and physical security, but adoption by states remains voluntary.
2. Federal assistance and threat intelligence
CISA operates the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), which provides threat intelligence, vulnerability scanning, and incident response support to state and local election officials at no cost. The EI-ISAC is one of the sector-specific bodies within the broader ISAC information-sharing network. CISA also provides the Albert network intrusion detection sensors, deployed at the network perimeters of election agencies in 48 states as of 2022 (CISA Election Security).
3. State and local implementation
Individual states translate federal guidance into operational controls. State election directors coordinate with county and municipal clerks, who are the actual operators of polling infrastructure. The result is an attack surface that spans thousands of jurisdictions, each with varying IT capacity, budget, and personnel.
The NIST Cybersecurity Framework and NIST Special Publication 800-53 serve as the technical reference baselines most commonly cited in state election security plans, even where not formally mandated. NIST SP 1800-45 specifically addresses election technology security.
Common scenarios
Election infrastructure faces three operationally distinct threat categories:
Registration database attacks
Voter registration systems are internet-connected back-end databases managed by state agencies. Adversaries targeting these systems seek to alter, delete, or exfiltrate registration records — with the effect of disrupting voter eligibility verification on Election Day. The Senate Intelligence Committee's bipartisan report on the 2016 election cycle found that Russian state actors conducted reconnaissance or intrusion attempts against election infrastructure in all 50 states (Senate Select Committee on Intelligence, Volume 1, 2019).
Voting system integrity threats
Physical and logical attacks against voting machines represent a second scenario. Tabulation software manipulation, firmware tampering, and supply chain compromise are the primary vectors. Post-election audits — particularly risk-limiting audits (RLAs) — serve as the primary detection mechanism. As of 2024, 42 states have enacted post-election audit statutes of some form, though RLA requirements are less uniformly adopted (National Conference of State Legislatures).
Influence operations targeting election infrastructure perception
A third scenario involves adversaries targeting the public perception of election integrity rather than the systems directly. This includes disinformation campaigns about voting machine vulnerabilities and denial-of-service attacks against election night reporting websites, designed to create confusion rather than alter results. This scenario intersects with the broader national cyber threat landscape and requires coordination with the FBI and CISA's mis-, dis-, and malinformation (MDM) programs (CISA MDM).
Decision boundaries
Election infrastructure cybersecurity differs from most other sector-specific cybersecurity requirements in three structural ways:
| Characteristic | Election Infrastructure | Regulated Sectors (e.g., Energy, Finance) |
|---|---|---|
| Federal mandate authority | Advisory only (CISA, EAC) | Mandatory compliance (NERC CIP, FFIEC) |
| Primary operator | State/county government | Private sector entities |
| Incident reporting obligation | Voluntary to CISA | Mandatory under sector rules |
Jurisdictions with fewer than 5,000 registered voters, which constitute a substantial share of county election offices, typically lack dedicated IT staff, so CISA's free Albert sensor deployment and EI-ISAC membership are the primary security resources available to them. Urban jurisdictions with dedicated CISO functions operate under substantially different capacity conditions.
The boundary between election cybersecurity and cybercrime reporting channels matters operationally: suspected intrusions against election infrastructure are reported to CISA's Election Security team and to the FBI's Cyber Division, not solely through general law enforcement channels. The FBI maintains dedicated election crime coordinators in each field office.
Physical security of voting equipment — chain of custody, tamper-evident seals, logic and accuracy testing — intersects with cybersecurity but is governed separately under state election codes rather than federal cyber frameworks.
References
- CISA Election Security
- Election Assistance Commission (EAC)
- Voluntary Voting System Guidelines 2.0 (EAC)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- Senate Select Committee on Intelligence, Volume 1: Russian Interference in the 2016 Election (2019)
- Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience
- Help America Vote Act of 2002 (HAVA)
- National Conference of State Legislatures — Post-Election Audits
- CISA EI-ISAC (Election Infrastructure ISAC)