Election-Related Threats and Defenses

It’s that time again. If you weren’t already aware from the campaign calls & emails, the televised debates, and the social media storm, the latest American election is upon us.

That also means the latest debate about secure voting has also ramped up. As time has passed, the electoral system has largely progressed beyond paper ballots and hand counts, but transitioning to technology means new security concerns that grow more sophisticated all the time.

But how much should we really be worried about electronic dangers to the electoral process? And what can be done to secure our systems against them?

As providers of a slew of different cybersecurity assessments, we know a few things about what it takes to protect critical data like your vote. Threats to voting machines, registration lists, and significant infiltration by disinformation intended to sway voters one way or another—we’ll address all these in this article, where we’ll also attempt to clear some of the apprehension that’s become synonymous with elections.

Once you understand where we should concern ourselves and what defenses we can employ, you’ll be able to go to the ballot box with more confidence.

3 Election Threats and Their Likelihoods

1. Vulnerabilities in Electronic Voting Systems

Let’s start from the ground up.

We’ve heard it for years now—experts in hacking, elections, and computer security have warned that electronic voting machines have security vulnerabilities that could allow an attacker to alter vote counts.

And that’s technically true, and concerning particularly for those places that rely entirely on the voter’s interaction with the touch screen or other interface rather than a paper record. Absent a paper ballot that confirms the voter’s intention, an electronic record is more easily altered or deleted.

However, despite how easily accessed these machines can be from the Internet, attacks against voting machines remain an inefficient technique for a hostile nation-state or other foreign adversaries. The scope of such an attack is less appealing for those interested in changing voting outcomes, because, typically, they’re limited to those counties or precincts where these vulnerable machines are in use.

Truly subverting the outcome of even a statewide race requires an enormous amount of effort, including some potentially on the ground at the polling place—plus, to attack online you must at least be in the range of the machines’ Wi-Fi network.

The fact also remains that, while a bad actor may have a stake in affecting the outcome of a relatively local election, the probability of a large, capable organization doing so remains relatively small.

2. Voter Registration Rolls Susceptibility

In fact, election machines themselves may be vulnerable, but voter registration databases actually present a potentially more efficient target.

Many states use modern software for registration, with reasonable protections for securing their sites. However, many other state or municipal governments have constraints on their budgets or resources for the relevant security either endemic to the software or for its proper use—that opens the door for an attacker to disenfranchise voters without their knowledge.

That is, until they turn up to vote and are denied the right. In some states, voters can still register and vote on Election Day, but given they’re likely unaware they’ve been purged from the rolls, they may not come to the polls with the required proof of residence in hand. In other states, removal from the roll of registered voters after a certain point precludes voting at all.

With that being said, this isn’t just a software or budget issue either. Most election officials are usually ordinary citizens working for their county or municipality a few days a year to facilitate elections. As such, they may not have much security training and may rely on shared user accounts to access these systems when performing voter registration drives or early voting activities—this kind of casual usage could allow a bad actor to obtain the credentials necessary to attack such a system and adversely affect voter registrations.

3. The Spread of Harmful Misinformation

Though election hardware and software do need securing, the greatest one-to-many potential for large, foreign-threat actors to change the outcome of elections is to target citizens themselves with disinformation.

That’s because their efforts to do this or to incite certain actions over social media or similar venues have the largest audience and can be conducted entirely remotely. Election disinformation from 2016 is widely and well documented, and many of the techniques learned about how to target key voting blocs or how to propagate disinformation also appeared in the 2020 election—this is becoming an unfortunate tradition, it seems.

But while disinformation remains a potent and effective threat to free and fair elections, its singular weakness is that it can only influence the decisions people make—disinformation cannot actually compel a specific outcome (like hacking voting machines or preventing people from voting outright).

Still, we can combat this as voters and public officials by disregarding obvious disinformation or comparing it against credible news sources for accuracy—of course, that’s easier said than done. Voters in this election, like nearly everyone else, largely live inside their own information bubbles that may or may not include credible news and information, and thus, may or may not compete with aggressive and deliberate disinformation.

But someone deeply affected by conspiracy theories or who’s inclined to only believe the news they wish to believe is more a matter of psychology and sociology than information security. But given this very real threat, voters should stay aware of predatory disinformation—consciously choose to weigh the information your receive from various sources, and you should avoid the most harmful disinformation.

Get Out and Vote

Irrespective of any political position, the United States—like all modern democracies—rests on the foundation of free and fair elections. As the sophistication of online attacks grows, together with the previous proof of success, it remains an essential task for voters and public officials to protect our elections.

We must resist attempts to undermine both our actual electoral process as well as the public’s faith in said process—that means understanding the threats, taking steps to combat them, and regularly considering the effectiveness of both.

Now that you understand—at a high level—the degree of a few electoral threats, the next important step is getting familiar with:

  • How individual voter registration works in your state;
  • How the voting process works in your states; and
  • How to manage the sometimes-disparate pieces of information about the voting process.  

But in the meantime, Election Day is November 8th. If you haven’t already, please go vote and make your voice heard.


For more information on other pertinent cybersecurity threats you should be aware of, as well as resources that can help, check out our other content:

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit schellman.com.

More Content by Schellman Compliance
Previous Article

What distinguishes HIPAA from HITRUST? We detail the differences between your compliance with these two and...

Next Article
Is There Value in a Compliance Readiness Assessment?
Is There Value in a Compliance Readiness Assessment?

Some consider readiness assessments a skippable step in compliance, but we lay out how valuable this extra ...


First Name
Error - something went wrong!