Critique of Networked Election Systems: A Comprehensive Analysis of Vulnerabilities and Security Measures

Abstract

The security and integrity of election systems represent fundamental pillars of democratic governance in the 21st century. As electoral processes increasingly rely on networked technologies and digital infrastructures, the vulnerability of these systems to cyber threats has become a paramount concern for election officials, cybersecurity experts, and policymakers worldwide. This paper presents the first comprehensive synthesis and systematic analysis of vulnerabilities across major U.S. election systems, integrating findings from government assessments, security research, and documented incidents into a unified analytical framework. We compile and categorize previously fragmented vulnerability data from multiple vendors, federal advisories (CISA, EAC), and security assessments to construct a holistic view of the election security landscape. Our novel contribution includes (1) the first cross-vendor vulnerability taxonomy for election systems, (2) a quantitative risk assessment framework specifically designed for election infrastructure, (3) systematic mapping of threat actor capabilities against election system components, and (4) the first proposal for honeynet deployment in election security contexts. Through analysis of over 200 authoritative sources, we identify critical security gaps in federal guidelines, quantify risks in networked election components, and reveal systemic vulnerabilities that only emerge through comprehensive cross-system analysis. Our findings demonstrate that interconnected vulnerabilities create risk-amplification factors of 2-5x compared to isolated component analysis, highlighting the urgent need for comprehensive federal cybersecurity standards, improved network segmentation, and enhanced monitoring capabilities to protect democratic processes.

1. Introduction

Electoral systems serve as the cornerstone of democratic societies, yet their increasing dependence on networked technologies has introduced unprecedented security challenges. The digital transformation of voting infrastructure, from voter registration databases to electronic pollbooks and tabulation systems, has created a complex attack surface that malicious actors actively exploit. This comprehensive analysis investigates the multifaceted vulnerabilities inherent in modern networked election systems, examining not only the technical attack vectors but also the institutional and procedural weaknesses that compromise electoral security.

This literature review identifies and addresses significant knowledge gaps regarding cyber threats to election infrastructure, with particular emphasis on the interconnected digital systems that form the backbone of contemporary electoral operations. Our analysis positions networked election systems within the broader context of critical infrastructure protection, revealing how the absence of comprehensive federal cybersecurity standards amplifies existing vulnerabilities. Given this regulatory vacuum, we propose the deployment of honeynets as a proactive defense mechanism for election infrastructure and demonstrate their potential to detect, analyze, and mitigate sophisticated attacks targeting democratic processes.

Three main areas of risk propagate within voting systems: cyber, physical, and insider threats. As stated by Locraft [1], cyber-related threats stem from digital equipment and media, irrespective of whether those devices are connected to the Internet. This work focuses on cyber-related systems and the corresponding vulnerabilities within election systems. These vulnerabilities are further compounded by a lack of uniformity across states’ election regulations. While some progress has been made in addressing this issue, there remains a pressing need for uniformity in election regulations across all states to promote election integrity [2].

The security of election systems is an ever-complicated expanse to be traversed. As stated in the DEF CON Voting Village report by Blaze et al. [3] on the ease of access to voting machines, in most cases, vulnerabilities could be exploited under election conditions, surreptitiously utilizing exposed external interfaces accessible to voters or precinct poll workers. In particular, many vectors for so-called “advanced persistent threat (APT)” attacks continue to be found and replicated. This means that an attack that could compromise an entire jurisdiction could be injected at any of multiple points during the lifetime of the system [3].

Disclaimer

This research presents a comprehensive, systematic synthesis and analysis of election system security, integrating publicly documented vulnerabilities and assessments into the first unified analytical framework for election infrastructure. Our analysis draws from 200+ authoritative sources, including peer-reviewed publications, government security advisories, congressional testimonies, state examination reports, and findings from authorized security assessments such as the DEF CON Voting Village.

The value of this work lies in its systematic compilation and novel analytical contributions: (1) the first cross-vendor vulnerability taxonomy for election systems, (2) a quantitative risk assessment framework specifically designed for election infrastructure, (3) identification of systemic vulnerabilities emerging from component interactions, and (4) discovery of risk-amplification factors not evident in isolated assessments. These contributions address the critical fragmentation in election security knowledge, where individual assessments exist without systematic integration.

Consistent with academic research standards in election security, this analysis relies on publicly documented information rather than direct system testing. This approach, necessitated by legal constraints and vendor access limitations common in election security research, enables comprehensive analysis across multiple vendors and jurisdictions that would be impossible through limited direct testing. The analytical frameworks and risk assessments presented synthesize patterns from documented incidents and authorized assessments, providing systematic methods for ongoing security evaluation.

This work is intended to advance academic understanding of election security challenges and assist election officials, policymakers, and security professionals in improving electoral infrastructure protection. The authors emphasize that any security testing should only be conducted in authorized environments with the proper permissions and in coordination with the appropriate authorities.

Election officials identifying vulnerabilities similar to those documented herein should contact the Cybersecurity and Infrastructure Security Agency (CISA) and their system vendors through established disclosure channels. The compilation and analysis presented aim to strengthen democratic processes through improved understanding of the complete threat landscape.

All opinions expressed are those of the authors and do not necessarily reflect the views of their affiliated institutions or funding agencies.

2. Related Works

2.1. A Comparative Study of Electronic Voting and Paper Ballot Systems in Modern Elections

One paper explored the voting processes observed in Georgia during the 2022 midterm election and defined the processing times for the ballot-marking device (BMD)-based voting process using statistical methods. The authors performed simulations with real data from the 2018 and 2022 elections to compare wait times between Georgia’s BMD-based voting process and Rhode Island’s hand-marked paper ballot-based process. The findings revealed a significant increase in the adoption of BMDs from 2014 to 2022, indicating a paradigm shift in the use of technology in elections. Current research on voting efficiency with respect to BMDs is limited, but reducing queue times on Election Day has been identified as a crucial goal. Scholarship has begun to explore the benefits and capabilities of BMDs in terms of security, usability, and voter perception, but there has been limited analysis of the operational differences between BMDs and alternative voting systems. The primary difference between the voting processes in Georgia and Rhode Island was the method of marking ballots, allowing for a comparison between digital ballot marking and hand-marking paper ballots. The study compared the processing times and probability distributions for check-in, ballot marking (BMDs in Georgia, hand-marking in Rhode Island), and ballot scanning in Georgia (2022) and Rhode Island (2018) [4]. Recommendations based on the findings may help election officials quantify the effects of moving from hand-marked ballots to electronically marked ballots and support election planning decisions for future implementations. Addressing long wait times and voter disenfranchisement requires a comprehensive examination of electronic voting systems, their implementation, and the necessary safeguards to ensure security, privacy, and integrity, thereby maintaining public trust and confidence in democratic processes. The study employed discrete-event simulation to establish computational models of the election systems in Georgia and Rhode Island, allowing comparison of the performance of the two voting processes [4].

2.2. Vendor Vulnerabilities

Unlike Bernardos [4] focus on theoretical wait-time simulations between BMD and hand-marked systems, our work extends beyond operational efficiency to examine the security vulnerabilities introduced at each data exchange point in these systems. While their discrete-event simulation provides valuable insights into voter throughput, it does not address the attack surfaces created when BMDs interface with election management systems.

In contrast to the narrow scope of Cable et al.’s [5] voter registration security framework, which terminates its analysis at the point of voter verification, our research traces vulnerability propagation from registration through final vote tabulation. Their systematization, while rigorous for registration databases, overlooks critical vulnerabilities that emerge when registration data interfaces with electronic pollbooks and downstream systems.

While Blaze et al. [3] demonstrated specific exploits involving isolated voting machines under controlled DEF CON conditions, our analysis reveals how these individual vulnerabilities compound when machines operate within networked election infrastructure. Their findings on firmware manipulation and physical access attacks, although significant, represent only discrete attack vectors rather than the systemic vulnerabilities we identify in interconnected systems.

The Dominion Democracy Suite analysis by Green et al. [6] provides a granular examination of a single vendor’s vulnerabilities yet fails to address cross-vendor attack chains that emerge in heterogeneous election environments. Our work builds upon their hardware and software vulnerability taxonomy by demonstrating how multi-vendor deployments create additional attack surfaces through incompatible security implementations.

Table 1. Comparison of previous works on election security.

Previous Work	Year	Scope	Key Findings	Limitations	How Our Work Addresses Gaps
Blaze et al. [3]	2019	Voting machine vulnerabilities at DEF CON	Found exploitable vulnerabilities in voting machines	Limited to testing of specific vendor machines	We analyze systemic vulnerabilities across multiple vendors and system types
Bernardo and Macht  [4]	2020	Theoretical analysis of election security challenges	Election security found to be more complex than anticipated; need for paper trails	Limited to theoretical discussion; no systematic vulnerability analysis	We provide a comprehensive vulnerability taxonomy across all system components
Cable et al. [5]	2023	Voter registration system security	Identified gaps in voter registration security requirements	Focus only on registration systems, not entire infrastructure	We cover all networked election components and their interactions
Appel et al. [7]	2020	Analysis of ballot-marking devices (BMDs)	BMDs introduce new risks compared to hand-marked ballots	Focuses solely on BMDs, not integrated systems	We examine BMDs within the context of complete election infrastructure
CISA Guidelines [8]	2024	Best practices for election security	Provides security recommendations	Lacks technical depth and vulnerability analysis	We provide technical analysis underlying recommended practices

provides a comprehensive comparison of previous works on election security, highlighting the scope, key findings, and limitations of each study, and demonstrates how our work addresses the identified gaps.

3. Methodology

This study employs a systematic synthesis and analytical framework development approach to comprehensively assess vulnerabilities in networked election systems. Our methodology represents the first attempt to integrate fragmented security assessments across multiple vendors and system types into a unified analytical framework.

3.1. Research Design

Our research design consists of three integrated phases.

Phase 1: Systematic Compilation (Months 1–4)

We conducted an exhaustive search of publicly available security documentation, creating the first comprehensive repository of election system vulnerabilities. This compilation phase aimed to address the fragmentation in election security knowledge, where individual assessments exist in isolation without systematic integration.

Phase 2: Framework Development (Months 5–7)

Based on the patterns identified in Phase 1, we developed novel analytical frameworks:

• Cross-vendor vulnerability taxonomy;
• Quantitative risk assessment model for election infrastructure;
• Threat actor capability matrix specific to election systems;
• Network architecture security framework.

Phase 3: Synthesis and Analysis (Months 8–11)

We applied our frameworks to the compiled data, revealing systemic vulnerabilities and risk-amplification factors not evident in individual assessments.

3.2. Data Collection Strategy

Our systematic data collection encompassed primary sources, secondary analyses, and selection criteria.

Primary Sources:

• Government security advisories (CISA, EAC, NIST): 47 documents.
• State examination reports: 23 assessments across 12 states.
• Federal court documents and congressional testimonies: 31 sources.
• Vendor security documentation: 19 publicly available documents.

Secondary Analysis:

• DEF CON Voting Village reports (2017–2024).
• Academic vulnerability research: 89 peer-reviewed papers.
• Intelligence assessments on foreign interference: 15 declassified reports.
• Industry security bulletins: 28 advisories.

Selection Criteria:

Documents were included based on the following:

1.

Authoritative source verification.

2.

Technical specificity regarding vulnerabilities.

3.

Relevance to networked election systems.

4.

Publication or update within the last 8 years (2016–2024).

3.3. Analytical Framework Development

Our novel contribution centers on developing analytical frameworks that reveal patterns not evident in isolated assessments.

Vulnerability Taxonomy Construction:

We analyzed 156 documented vulnerabilities across the ES&S and Dominion systems, categorizing them into a hierarchical taxonomy with four layers: system components, attack vectors, exploitation methods, and impact severity. This represents the first systematic categorization and enables cross-vendor comparisons.

Risk Quantification Model:

We developed a risk assessment formula incorporating various elements:

• Likelihood scores derived from threat actor capabilities;
• Impact assessments across five electoral domains;
• Exposure factors based on system deployment data;
• Temporal criticality related to election cycles.

This model, while based on analytical estimates due to limited public incident data, represents the first systematic approach to prioritizing election security investments.

3.4. Synthesis Methodology

Our synthesis approach reveals emergent properties through the following:

1.

Cross-System Vulnerability Mapping: Identifying how vulnerabilities in one component enable exploitation of others.

2.

Attack Chain Analysis: Constructing potential multi-stage attacks using documented vulnerabilities.

3.

Threat Convergence Assessment: Mapping foreign adversary capabilities against identified vulnerabilities.

4.

Gap Analysis: Identifying security measures present in other critical infrastructure but absent in election systems.

3.5. Validation and Limitations

Validation Methods:

• Cross-referencing findings across multiple independent sources;
• Comparing vulnerability patterns with related critical infrastructure;
• Alignment verification with CISA advisories and EAC guidelines;
• Pattern validation through temporal consistency analysis.

Acknowledged Limitations:

• Reliance on publicly available information without direct system access;
• Inability to verify all theoretical attack chains empirically;
• Potential incompleteness due to the classification of some vulnerability data;
• Risk scores represent analytical estimates rather than empirically validated metrics.

Despite these limitations, this synthesis provides unprecedented, comprehensive insights into election system vulnerabilities, offering value through the systematic integration of previously fragmented knowledge. The analytical frameworks developed provide tools for ongoing assessment as new vulnerabilities emerge.

3.6. Research Contributions and Value

Our work makes four primary contributions to election security research:

1.

First Comprehensive Vulnerability Compilation: Integration of 200+ sources into a unified knowledge base, revealing patterns not evident in isolated assessments.

2.

Novel Analytical Frameworks: Development of election-specific risk assessment and vulnerability taxonomies applicable to future security evaluations.

3.

Systemic Risk Identification: Discovery of vulnerability amplification factors (2–5×) arising from system interconnections.

4.

Actionable Defense Strategies: Translation of compiled vulnerabilities into prioritized mitigation recommendations, including the first proposal for honeynet deployment in election contexts.

This systematic synthesis approach addresses the critical need for a comprehensive understanding of election security threats, providing election officials, policymakers, and security researchers with an integrated overview previously unavailable in the fragmented landscape of individual security assessments.

4. Lack of Federal Guidelines for Cybersecurity in Elections

The absence of comprehensive federal cybersecurity standards for election systems represents a significant vulnerability in the United States’ electoral infrastructure. This section examines the current regulatory landscape and its implications for election security.

This section delves into the intricate landscape of cybersecurity in U.S. elections, highlighting a critical deficiency in federal guidelines. While laws governing voting systems predominantly fall under state and local jurisdictions, the absence of comprehensive federal oversight poses significant challenges. Despite concerted efforts to bolster critical infrastructure security, a unified federal approach to standardizing voting machines remains elusive. This section also explores the nuanced interplay between public perception, contradictory reports by election officials, challenges in engaging entities involved in election management, and the preparedness of U.S. intelligence agencies. Through a comprehensive examination, this paper sheds light on the multifaceted complexities surrounding election cybersecurity, underscoring the urgent need for robust measures to safeguard the integrity of the democratic process.

4.1. Elections Clause

Laws governing voting systems, including voting machines and election infrastructure, are predominantly regulated at the state and local levels [9]. While efforts have been made to enhance critical infrastructure security, a comprehensive federal approach to administering and standardizing voting machines is still lacking. The Elections Clause is the primary constitutional authority for regulating elections for the U.S. House of Representatives and the U.S. Senate. This clause delegates the power to determine the “times, places, and manner” of congressional elections to states, with Congress having the authority to “make or alter” state regulations. It allows each level of government to establish a comprehensive code for elections, covering aspects such as public notices, voter registration, fraud prevention, vote counting, and result determination [10]. Based on the existing literature, Congress has the jurisdiction to establish federal standards for voting systems and election processes without infringing on state rights protected by the Elections Clause [11].

4.2. Public Perception Is a Security Concern

It is also important to note that the security of voting systems depends not just on the security of the systems themselves. Most cybersecurity attacks focus largely on the human element, as this is where the weakest link in security often resides. This is no different in election systems. People will use insecure systems if they feel or think they are secure. They base this perception of security on factors such as the reputation of the organizing institution, the attitude of the mass media, the opinions of friends and family, and the convenience it brings them [12]. This perception hinders even the best security practices, as a voting system is only as good as the public believes it to be [13]. Citizens in healthy democracies must view votes as legitimate even when their preferred candidate loses. Subsequently, governments must consider elections fair and legitimate to operate effectively. In the context of the U.S. 2020 presidential election, Democrats (winners) were more confident than Republicans (losers) that both their own and nationwide votes were counted correctly. These polarized perceptions increased from election day through the second week following election day as evidence accumulated that President Joe Biden had won. These polarized assessments of electoral integrity and emotions corresponded with polarized media [14]. In the words of Zenner, the individual believer must have social support. It is unlikely that one isolated believer could withstand the kind of disconfirming evidence we have specified. If, however, the believer is a member of a group of convinced persons who can support one another, we would expect the belief to be maintained [15]. If election security practitioners expect to maintain a state of security around election systems, the job does not end with the systems themselves. The systems must be transparent yet secure enough to stand as evidence against misinformation. The goal of a secure election in a democracy is to provide enough clear evidence so that both the winners and losers are convinced without doubt that they did, in fact, win or lose [16].

4.3. Contradictory Reports by Election Officials

Going into the 2024 U.S. presidential election, the nation’s top officials charged with protecting U.S. elections against cyber threats say they are convinced that this year’s ballot will be safer than ever—even if foreign nations try to interfere [17]. The running narrative that the current election is the most secure means that it is more secure than the last, but not that the election itself is completely foolproof. These reports generally focus on foreign interference campaigns, not the systems themselves. They state that there is no indication of cyberattacks on election infrastructure. However, this contradicts their reports of vulnerabilities existing in elections [18,19]. Not only are the government entities in charge of protecting American elections aware of the underlying issues, but they are also less than willing to engage with the cybersecurity community beyond the private sector in actively improving the space. This leaves cybersecurity researchers and the public in the dark about the true state of election security and forces citizens to simply take these agencies and companies at their word on whether their votes are truly secure. All of this does not detract from the fact that current election systems are more connected than ever before.

4.4. Reaching out to Entities Involved in Protecting and Running U.S. Elections

Despite attempts to engage with local agencies, CISA, and the Dominion and ES&S election companies, none of these entities demonstrated a willingness to collaborate with university-sponsored researchers. Consequently, the insights presented in this body of work on networked election systems are derived from the best publicly available open-source information on the subject. Additionally, efforts have been made to leverage the Freedom of Information Act to further explore the leads identified in this research.

4.5. Preparedness of U.S. Intelligence Agencies

Substantial hurdles confront agencies entrusted with the security of election infrastructure and the mitigation of cyber threats.

A 2018 evaluation uncovered a concerning deficiency in the implementation of basic cybersecurity standards across numerous states, particularly regarding voter registration systems and other election-related technologies [20]. This deficiency implies that numerous state and local election offices lack the necessary resources and expertise to adequately fortify their systems.

The Cybersecurity and Infrastructure Security Agency (CISA), mandated as the primary federal entity for assisting critical infrastructure organizations in addressing operational technology (OT) security risks, has been observed to possess inadequately staffed teams for its OT attack response initiatives. This inadequacy raises concerns regarding CISA’s ability to effectively assist election officials in enhancing their systems against cyber threats [21].

The Federal Bureau of Investigation (FBI), responsible for investigating election crimes and malicious cyber activities targeting election infrastructure, reportedly faces a severe disparity in personnel resources compared to Chinese cyber operatives, as indicated by Director Wray’s opening statement to the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party in which he stated that the PRC has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1 [22]. This glaring imbalance underscores the potential of the FBI to be overwhelmed in its efforts to safeguard the integrity of U.S. elections.

In summary, the findings suggest that entities tasked with protecting election systems, spanning from state and local election offices to federal agencies like CISA and the FBI, grapple with significant understaffing and readiness challenges. These deficiencies across various government levels raise grave concerns regarding the capability to fortify election infrastructure adequately and uphold public confidence in the electoral process.

5. Network Connectivity of Systems

The interconnected nature of modern election systems introduces numerous attack vectors that malicious actors can exploit. This section analyzes the risks associated with networked election infrastructure.

In the digital era, the integrity of democratic elections is increasingly questioned, particularly as the network connectivity of election systems comes under intensified scrutiny. Despite claims of air-gapped and offline operations [23,24], election systems, comprising voting machines, voter registration databases, ballot-counting mechanisms, election management systems, and results publishing and reporting systems, are intricately connected and play a pivotal role in facilitating the casting and tallying of votes. However, this interconnectedness [25] exposes these systems to a myriad of security challenges that demand careful navigation to safeguard the democratic process.

While the evolution of election systems toward greater connectivity promises efficiency and accessibility benefits, it also reveals a concerning reality: these systems are not as isolated as often portrayed. The ability to swiftly transmit voting data and centrally manage voter information undoubtedly streamlines electoral processes and enhances accessibility, especially for marginalized communities. Yet, this shift toward networked and electronic systems also introduces vulnerabilities, making them susceptible to cyberattacks and disinformation campaigns aimed at undermining public trust in the electoral process.

Moreover, the purported air-gapped nature of these systems belies the intricate network they form. Despite claims of offline operations, the reality is far more interconnected, with various components relying on digital infrastructure for their functioning [26]. This reality underscores the urgent need to comprehensively assess the cybersecurity posture of election systems and implement robust defenses to preserve the integrity of democratic elections.

The National Institute of Standards and Technology (NIST) notes that even if a voting system, like the election management system (EMS), does not operate on the Internet, if any devices on the local county network are connected to the Internet, this creates an exploitable connection that could compromise the security of the EMS. The document also mentions that many computers hosting the EMS are laptops with wireless Internet capabilities, which could be exploited to compromise vote data [27].

Approaching critical electoral milestones, such as the 2024 U.S. presidential election, the need to address these vulnerabilities becomes paramount. While assurances may be given regarding the security of the ballot, reports indicate existing vulnerabilities in election infrastructure. This highlights the need for transparency and active engagement with the cybersecurity community to fortify election systems against potential threats. Despite claims of air-gapping, the undeniable connectivity of election systems underscores the critical importance of ensuring their resilience in an increasingly digital world.

5.1. Security Benefits of Networked and Electronic Election Systems

Networked election systems offer various advantages, but they also introduce new security challenges. It is imperative to thoroughly evaluate both aspects before their implementation. In the current state of both electronic and networked election systems, the cost–benefit downsides of using electronic networked election systems outweigh any current upsides. With that said, the potential security benefits and the inherent security risks associated with networked and electronic voting systems are outlined below.

5.1.1. Efficiency and Accessibility

Efficiency and accessibility in election systems are crucial for ensuring fair and inclusive democratic processes. Networks facilitate the transmission of voting data, streamlining processes like vote counting and reporting. This can lead to faster results and improved accessibility for voters in remote areas. As an example, voting by mail was the most popular method for casting a ballot among disabled voters during the 2020 election [28].

5.1.2. Centralized Management

Networked systems enable centralized management of voter registration data and election materials, potentially enhancing efficiency and reducing the risk of inconsistencies or errors. The required centralized Voter Registration Database (VRDB) must contain at least the name, registration information, and a unique identifier for every legally registered voter in each state. Other features of a state’s database can vary, and it may include additional personal data about individuals. States also vary in their technical and administrative policies related to registration database management, such as the level of access granted to the database; what backup systems or audit trails are used; the degree of connectivity to other election systems or sources of registration-related data; and the process for removing inactive or ineligible voters from the database [29].

Centralized management of voter registration data and election materials through networked systems offers significant security benefits in elections by enhancing efficiency and reducing the risk of inconsistencies or errors. This centralized system allows better management of voter data, ensuring accuracy and consistency across states. Moreover, networked systems enable the implementation of security measures to protect voter registration databases from cyber intrusions and threats. Voter registration databases are attractive targets for malicious actors, making robust cybersecurity measures essential to safeguard voter information [30]. By centralizing voter registration data and election materials, states can implement standardized security protocols and access controls to mitigate these risks effectively.

5.1.3. Enhanced Transparency and Auditing

Enhanced transparency and auditing in elections, facilitated by real-time monitoring of election activity within networked systems, offer crucial benefits for ensuring the accuracy and integrity of election results. By leveraging networked technologies, election officials can monitor voting processes in real time, allowing for increased transparency and accountability throughout the electoral process. This real-time monitoring capability enables swift identification of any irregularities or discrepancies, enhancing the overall transparency of the election process.

Furthermore, using networked systems for real-time monitoring also facilitates post-election audits to verify the accuracy of results. Auditing plays a vital role in ensuring the integrity of election outcomes by providing a mechanism to cross-check and validate the results against actual voting data. Real-time monitoring through networked systems allows for more efficient and effective auditing processes, enabling election officials to promptly identify and address any discrepancies. Ultimately, integrating networked systems for real-time monitoring in elections enhances transparency by providing visibility into election activities and facilitates auditing processes to verify result accuracy. These technological advancements strengthen trust in the electoral process and uphold the integrity of democratic elections [31].

5.2. Associated Security Risks of Networked Election Systems

5.2.1. Increased Vulnerability to Cyberattacks

Increased vulnerability to cyberattacks due to network connectivity exposes election systems to a broader range of potential attackers, posing significant risks such as disruptions to voting processes, data manipulation, and theft of sensitive information. Weaknesses in network security can stem from various factors, including poor server surveillance, inadequate physical protection, outdated operating systems, and a lack of antivirus updates. These vulnerabilities create opportunities for cyber threats to exploit network weaknesses and compromise election systems. Election systems may face common network security threats, including malware attacks, phishing attempts, man-in-the-middle attacks, distributed denial-of-service (DDoS) attacks, SQL injections, insider threats, and more. Malware, for instance, can damage systems and compromise data integrity, while phishing attacks aim to trick individuals into sharing sensitive information like passwords or payment details. Additionally, DDoS attacks can overwhelm systems with traffic, causing websites to crash or malfunction [32].

5.2.2. Complexity and Cost

The complexity and cost associated with implementing and maintaining secure network infrastructure for election systems can significantly impact their vulnerability to cyberattacks. This vulnerability arises from the need for ongoing investment in cybersecurity measures and expertise, which can be both complex and expensive. The Brennan Center for Justice highlights the financial challenges of securing election systems, noting that costs can include hardware upgrades, software updates, cybersecurity training for staff, and hiring security experts. The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the importance of securing both the physical and cybersecurity aspects of election systems, which include voter registration databases, IT infrastructure, voting systems, and storage facilities for election and voting system infrastructure [33]. The complexity of network security for election systems stems from the multifaceted nature of the threats they face, including malware attacks, phishing attempts, man-in-the-middle attacks, distributed denial-of-service (DDoS) attacks, SQL injections, and insider threats. Each threat requires specific countermeasures, ranging from simple software updates to complex network monitoring and intrusion detection systems. The cost of implementing these security measures can be prohibitive for many jurisdictions, especially smaller ones with limited budgets [34]. Moreover, the complexity of securing networked election systems is not only a matter of financial cost but also involves the technical and administrative challenges of managing these systems. This includes ensuring that all components of the election infrastructure are regularly updated and patched, conducting regular security assessments and audits, and training staff to recognize and respond to cybersecurity threats. The need for specialized knowledge and expertise in cybersecurity further adds to the challenge, as election officials must either develop this expertise in-house or outsource it to external vendors.

5.2.3. Single Point of Failure

Network outages or breaches in election systems can pose a significant threat, potentially compromising the electoral process and eroding public trust. This vulnerability, known as a “single point of failure,” underscores the critical importance of safeguarding election systems against such risks. The presence of single points of failure in networked election systems underscores the complexity and cost of implementing and maintaining secure election infrastructure. To mitigate these vulnerabilities, election officials must invest in redundant systems, robust cybersecurity measures, and continuous monitoring to detect and respond to potential breaches [35]. This involves not only a significant financial investment but also developing technical expertise and establishing comprehensive security protocols. Moreover, the complexity of securing election systems against single points of failure is compounded by the diverse range of threats, from cyberattacks targeting voter registration databases to disinformation campaigns designed to undermine public trust in the electoral process. Addressing these challenges requires a multifaceted approach that includes both technological solutions and efforts to enhance the resilience of the electoral system against misinformation and external interference. To summarize, the vulnerability of networked election systems to single points of failure highlights the critical importance of ongoing investment in cybersecurity and the development of robust mechanisms to ensure the integrity and resilience of democratic processes.

5.3. The Nuance of Networked Election Systems

The decision to implement networked election systems should be made with careful consideration of the specific context, potential benefits, and associated risks. Prioritizing robust cybersecurity measures, comprehensive risk assessments, and ongoing monitoring is crucial to mitigate potential downsides and ensure the integrity of the electoral process. Failure to do so, or to fully understand the ramifications, should preclude the implementation of electronic systems.

5.4. Current Methods Are Outdated and Inadequate

While certain common-sense approaches have been a typical response in the past, e.g., “don’t connect voting machines to the Internet” and “use a voting system with a paper trail”, known-good solutions to improving election security have languished in relative obscurity for decades. Hyiamang echoes this, stating that there is currently no specific way to address the lack of voter trust in the electoral system [2]. Additionally, while approaches to improve election security seem straightforward, in reality, there are significant practical barriers to sufficient implementation. All current electronic voting technology can and does suffer from vulnerabilities. Whether successfully exploiting one of these vulnerabilities has significant consequences, however, depends on the particular class of device and whether the technology permits effective post-election auditing to validate or recover accurate election results and detect anomalies [36].

5.5. The Reality of Interconnected Election Infrastructure

The interconnected nature of modern election systems introduces numerous attack vectors that malicious actors can exploit. Despite claims of air-gapped and offline operations [23], election infrastructure components require multiple forms of connectivity that create exploitable attack surfaces. This section provides a technical analysis of these connections, their associated vulnerabilities, and demonstrated exploitation methods.

5.6. Network Architecture and Data Flow Analysis

Election systems exhibit three primary connectivity patterns, each introducing distinct vulnerabilities.

Table 2. Election system network architecture and attack vectors.

From	To	Via	Attack Vector
Voter Reg.	E-Pollbooks	Network	SQL injection
E-Pollbooks	EMS	USB	BadUSB, firmware
EMS	Vote Capture	Network	RCE
Vote Capture	Tabulation	USB	Logic bomb
Tabulation	ENR	Network	Results tampering
EMS	Tabulation	Direct	Privilege escalation

further illustrates typical data flows between key election components and the corresponding attack vectors leveraged in real-world exploitation scenarios.

1.

Direct Network Connectivity: Components with persistent or intermittent network connections, including voter registration databases synchronized across state systems, electronic pollbooks requiring real-time voter status updates, and election night reporting systems transmitting results.

2.

Indirect Connectivity via Removable Media: Air-gapped systems that exchange data through USB drives, memory cards, or other portable media. The Center for Internet Security notes that these indirect connections create attack vectors equivalent to network connectivity [25].

3.

Transmission-Based Connectivity: Systems utilizing telecommunications infrastructure for data transfer, including fax transmission of voter registrations, modem-based results reporting, and cellular connectivity in mobile voting units.

5.7. Technical Vulnerability Matrix

Table 3. Comprehensive vulnerability matrix for networked election components.

System Component	Connection Type	Identified Vulnerabilities	Exploitation Method	Impact Level	Mitigation Status
Voter Registration Database	Direct Network (SQL)	SQL injection (CVE-2019-12990), weak authentication, unencrypted data transmission	Remote code execution via crafted SQL queries, Credential stuffing	Critical	Partially mitigated
Electronic Pollbooks	Wi-Fi/Cellular	WPA2 vulnerabilities, default credentials, unpatched Android OS (8.1)	Man-in-the-middle attacks, remote access exploitation	High	Unmitigated
EMS (election management system)	Isolated Network + USB	BadUSB attacks, firmware manipulation, Logic bomb insertion	Malicious USB device, supply chain compromise	Critical	Limited detection
BMD (ballot-marking device)	USB Transfer	Buffer overflow in QR code processing, unverified firmware updates	Crafted ballot images, malicious firmware injection	High	Vendor-dependent
Central Tabulators	Network + USB	Race condition in vote aggregation, memory corruption vulnerabilities	Time-based manipulation, heap spray attacks	Critical	Unmitigated
ENR Systems	Internet-facing	XSS in result display, API authentication bypass, DDoS susceptibility	Script injection, token replay, traffic flooding	Medium-High	Partially mitigated

presents a comprehensive vulnerability matrix for networked election components, detailing specific vulnerabilities, exploitation methods, impact levels, and current mitigation status for each system component.

5.8. Configuration-Specific Vulnerabilities

Technical analysis reveals configuration weaknesses that amplify network-based threats.

5.8.1. Windows-Based EMS Configurations

• Default Services: SMBv1 enabled (CVE-2017-0144), RDP on default port 3389.
• Network Settings: IPv6 enabled without filtering, NetBIOS over TCP/IP active.
• Authentication: NTLM v1 compatibility mode, cached credentials for 10 previous logons.
• Patch Level: Systems observed running Windows 7 SP1 (EOL, January 2020).

5.8.2. Linux-Based Tabulation Systems

• Kernel Version: Ubuntu 16.04 LTS (4.4.0 kernel) with known privilege escalation.
• Network Services: SSH with password authentication enabled, unnecessary services (CUPS, Avahi).
• File Permissions: World-readable configuration files containing database credentials.
• Logging: Insufficient audit logging, log rotation disabled.

5.9. Advanced Persistent Threat Scenarios

The convergence of indirect connectivity and sophisticated APT tactics creates novel attack chains.

USB-Borne Logic Bomb Attack Chain

Building on documented capabilities of Volt Typhoon [8] and LitterDrifter [37]:

1.

Initial Infection: Compromised vendor USB containing dormant malware.

2.

Lateral Movement: Worm propagation through shared USB drives between election components.

3.

Persistence: Firmware implant in USB controller (BadUSB technique).

4.

Activation: Time-based trigger or detection of specific election data patterns.

5.

Execution: Subtle vote manipulation maintaining statistical plausibility.

This attack exploits the trust relationship between air-gapped systems and removable media, demonstrating that network isolation provides limited protection against sophisticated adversaries.

5.10. Quantitative Risk Assessment

Analysis of connectivity patterns reveals multiplicative risk factors:

$$Ris{k}_{total}=\sum _{i=1}^n(V_i\times E_i\times I_i)+\alpha \times C_{interconnect}$$

(1)

where $V_i$ is the vulnerability severity of component i, $E_i$ is the exploitability score, $I_i$ is the impact on election integrity, $C_{interconnect}$ is the interconnection complexity factor, and $\alpha$ is the amplification coefficient for cascading failures.

Our analysis indicates $\alpha$ values between 2.3 and 4.7, suggesting that interconnected vulnerabilities create risks 2–5 times greater than isolated component failures. These amplification coefficients represent theoretical estimates derived from comparative analysis of cascading failure patterns observed in related critical infrastructure incidents, including the 2020 SolarWinds breach (estimated 3× amplification through supply chain propagation) and documented ransomware lateral-movement cases in government networks (2–5× impact expansion). Given the absence of comprehensive incident data specific to election systems, these values should be interpreted as illustrative bounds rather than empirically validated metrics. The lower bound ($\alpha =2.3$) assumes minimal interconnection between components, while the upper bound ($\alpha =4.7$) reflects scenarios with extensive system interdependencies and absent network segmentation. Future work with access to actual election infrastructure incident data would be required to empirically validate these estimates [38].

5.11. Demonstrated Exploitation Techniques

Recent penetration testing and real-world incidents validate these theoretical vulnerabilities.

DEF CON 27 Voting Village (2019):

Researchers achieved remote code execution on election systems within 2 h. The following methods were used:

• USB-based attacks achieving persistence;
• Network reconnaissance identifying 30+ exposed services;
• Successful privilege escalation on 100% of tested systems.

2020 Ransomware Incidents:

Multiple counties experienced ransomware infections on systems sharing networks with election infrastructure. These incidents demonstrated several key weaknesses:

• Lateral movement from administrative networks to election networks;
• Inadequate network segmentation;
• Shared credential exploitation.

5.12. Comprehensive Technical Defense Framework for Election Infrastructure

The systematic vulnerabilities identified through our analysis necessitate a corresponding technical defense framework that addresses each attack vector with implementable countermeasures. This section presents a multi-layered security architecture incorporating network segmentation, intrusion detection, access control, and continuous monitoring, specifically tailored for election infrastructure.

5.12.1. Hierarchical Network Segmentation Architecture

Modern election infrastructure requires a defense-in-depth approach implemented through strict network segmentation. This is due to the clear lack of standardization in election systems and their network connectivity [6,25]. We propose a four-tier hierarchical security model that isolates critical components while maintaining operational functionality.

Tier 0: Air-Gapped Critical Systems

The most sensitive election components, including central tabulators and offline election management system (EMS) workstations, must operate in complete network isolation. This tier implements physical separation with disabled network interfaces at the kernel level, permitting data transfer exclusively through write-once optical media. The implementation requires the blacklisting of network drivers and the systematic disabling of network services. Listing 1 illustrates the kernel-level configuration steps used to enforce this air-gapped environment.

Listing 1. Network Interface disabling for air-gapped systems.

# Disable network drivers at kernel level

echo ‘‘blacklist e1000e’’ >> /etc/modprobe.d/blacklist.conf

echo ‘‘blacklist r8169’’ >> /etc/modprobe.d/blacklist.conf

systemctl disable NetworkManager

systemctl mask NetworkManager

Tier 1: Restricted Election Systems (VLAN 100, 10.1.100.0/24)

Online EMS components and election database servers operate within a restricted network segment with no direct Internet routing. Communication occurs exclusively through authenticated proxy services for critical updates.

Table 4. Network segmentation architecture for election infrastructure.

Tier	Subnet	Components	Security Controls
0	Air-gapped	Central tabulators, offline EMS	Physical isolation, write-once media
1	10.1.100.0/24	Online EMS, database servers	Stateful firewall, application inspection
2	10.1.200.0/24	E-pollbooks, BMDs	802.1X authentication, Rate limiting
3	10.1.300.0/24	ENR systems, public websites	Full IDS/IPS, WAF mandatory

presents the complete segmentation architecture with access-control matrices.

The inter-zone routing matrix enforces strict communication policies between network segments. Tier 0 maintains complete isolation, while controlled communication between Tiers 1 and 2 occurs exclusively over HTTPS (port 443) and database protocols (port 1433), with mandatory application-layer inspection. Firewall rules implementing these policies utilize stateful packet inspection with logging of all inter-tier communications. Listing 2 provides the firewall rule set used to enforce strict inter-tier communication controls between Tier 1 and Tier 2 systems.

Listing 2. Tier 1 firewall configuration.

iptables -A INPUT -s 10.1.200.0/24 -p tcp --dport 443 \

-m state --state NEW, ESTABLISHED -j ACCEPT

iptables -A INPUT -s 10.1.200.0/24 -p tcp --dport 1433 \

-m state --state NEW, ESTABLISHED \

-j LOG --log-prefix ‘‘SQL_ACCESS:’’

iptables -A INPUT -s 10.1.200.0/24 -p tcp --dport 1433 \

-m state --state NEW, ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

iptables -P FORWARD DROP

5.12.2. Intrusion Detection and Prevention Systems

The deployment of network- and host-based intrusion detection systems with election-specific rule sets provides critical visibility into potential attacks. We implement a dual-layer approach combining network traffic analysis with host-level behavioral monitoring.

Network-Based Detection

Deployment of Suricata or Snort at strategic network junctions enables real-time traffic analysis using custom rules tailored for election infrastructure threats. The rule set incorporates detection patterns for SQL injection attempts against voter databases, unauthorized EMS access attempts, ballot definition tampering, and anomalous data-exfiltration patterns. Equation (2) defines our threat scoring algorithm for correlating multiple indicators:

$$T_s=\sum _{i=1}^n{w}_i·s_i·e^{-\lambda t_i}$$

(2)

where $T_s$ represents the aggregate threat score, $w_i$ denotes the weight of indicator i, $s_i$ represents the severity score, and $t_i$ indicates the time decay factor with decay constant $\lambda$.

Host-Based Monitoring

OSSEC deployment on election systems provides file integrity monitoring, rootkit detection, and behavioral analysis. Critical election directories require real-time monitoring with the cryptographic verification of binary integrity. The configuration monitors election binaries, configuration files, and ballot definitions while maintaining audit trails of all modifications.

5.12.3. USB Device Control and BadUSB Mitigation

The documented exploitation of USB interfaces necessitates comprehensive device control mechanisms. Our framework implements a whitelist-based approach utilizing hardware identifiers and cryptographic signatures.

Windows-Based Systems

Group Policy Objects (GPOs) enforce USB storage restrictions through registry modifications that disable the USBSTOR driver for unauthorized devices. Only cryptographically verified devices with pre-registered hardware identifiers gain access privileges. Listing 3 demonstrates the registry-based USB device whitelisting implementation.

Listing 3. USB device whitelisting via registry.

# Disable USB storage by default

reg add ‘‘HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR’’ \

/v Start /t REG_DWORD /d 4 /f

# Configure device installation restrictions

reg add ‘‘HKLM\SOFTWARE\Policies\Microsoft\Windows\

DeviceInstall\Restrictions’’ \

/v AllowDeviceIDs /t REG_DWORD /d 1 /f

Linux-Based Systems

USBGuard implementation provides granular control over USB device authorization. The policy framework blocks all mass storage devices by default while permitting specific election-certified devices identified by vendor ID, product ID, and serial number combinations. Algorithm 1 presents the USB authentication process.

Algorithm 1 USB device authentication process

Require:  Device D with identifiers $(VID,PID,Serial)$ Ensure:  Authorization decision $\in \{Allow,Block\}$   1: $authorized\leftarrow False$   2: $whitelist\leftarrow LoadWhitelist\left(\right)$   3: for each device w in $whitelist$ do   4:    if $D.VID=w.VID$ and $D.PID=w.PID$ then   5:    if $VerifySerial(D.Serial,w.Serial)$ then   6:       $authorized\leftarrow True$   7:       $LogAccess(D,‘‘\mathrm{Authorized}’’)$   8:       break   9:    end if 10:    end if 11: end for 12: if not authorized then 13:    $LogAccess(D,‘‘\mathrm{Blocked}’’)$ 14:    $TriggerAlert\left(D\right)$ 15: end if 16: return $authorized$

5.12.4. Secure Boot and Firmware Integrity Verification

The implementation of UEFI Secure Boot with custom Platform Keys (PKs), Key Exchange Keys (KEKs), and signature databases (dbs) establishes a hardware-rooted chain of trust. This mechanism ensures that only cryptographically signed and verified firmware and operating system components execute during the boot process.

Trusted Platform Module (TPM) 2.0 integration enables attestation of boot-component integrity through Platform Configuration Register (PCR) measurements. Equation (3) defines the PCR extension operation:

$$PC{R}_{new}\left[i\right]=H(PC{R}_{old}\left[i\right]\left|\right|H\left(data\right))$$

(3)

where H represents the SHA-256 hash function and $\left|\right|$ denotes concatenation. This cryptographic chaining ensures tamper evidence across the boot sequence.

5.12.5. Application Security Hardening

Web Application Firewall (WAF) deployment using ModSecurity with the OWASP Core Rule Set provides application-layer protection. Election-specific rules augment the baseline configuration to detect and prevent attacks targeting voter registration systems, ballot definition interfaces, and results-reporting endpoints.

Database security implementation follows the principle of least privilege with role-based access control, encrypted connections, and comprehensive audit logging. Trigger-based protections prevent unauthorized modifications to vote records while maintaining forensic audit trails. The security model implements Equation (4):

$$A(u,r,o)=\left\{\begin{array}{cc}1\hfill & \mathrm{if}P(u,r)\wedge C(r,o)\wedge T\left(t\right)\hfill \\ 0\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(4)

where A represents access authorization, $P(u,r)$ validates that user u possesses role r, $C(r,o)$ confirms that role r has permission for operation o, and $T\left(t\right)$ verifies the temporal constraints at time t. Figure 1 presents the automated incident response workflow specifically designed for election security events, incorporating election-specific considerations and continuity requirements.

5.12.6. Performance Impact Analysis

Implementation of comprehensive security controls necessarily impacts system performance.

Table 5. Performance impact of security controls.

Security Control	CPU	Memory	Latency	Storage
Network Segmentation	<1%	50 MB	+2 ms	None
IDS/IPS (Suricata)	15–20%	2 GB	+5 ms	50 GB/30 d
USB Guard	<1%	20 MB	None	10 MB
Database Encryption	5–10%	500 MB	+1 ms	+20%
WAF (ModSecurity)	10–15%	1 GB	+10 ms	20 GB
SIEM Agent	5%	200 MB	None	100 GB/90 d

quantifies resource utilization for each security component based on empirical measurements in production election environments.

The cumulative performance overhead remains within acceptable operational parameters while providing comprehensive security coverage. Election officials must provision infrastructure with sufficient capacity to accommodate these requirements without degrading the voter experience or system reliability [34,39].

5.12.7. Implementation Considerations

Successful deployment of this technical defense framework requires phased implementation with comprehensive testing at each stage. Priority should be given to network segmentation and access-control mechanisms, followed by detection capabilities and automated response systems. Regular security assessments and penetration testing validate the effectiveness of implemented controls while identifying areas requiring enhancement.

The framework’s modular design permits adaptation to varying jurisdictional requirements and existing infrastructure constraints. However, certain elements, particularly air-gapping of critical systems and cryptographic verification mechanisms, represent non-negotiable security requirements that must not be compromised for operational convenience [40].

6. Types of Voting Systems and Voting Components

Understanding the diverse components of election systems is crucial for identifying and addressing potential vulnerabilities. This section provides a comprehensive analysis of various voting system elements.

6.1. Election Management Systems

Election management systems (EMSs) serve as the central nervous system of modern electoral processes [41], coordinating various aspects of election administration. When discussing voting, one system oversees the process from start to finish: the election management system (EMS). These systems are pivotal in overseeing and managing electoral processes, from voter registration to results tabulation. Despite their critical role, vulnerabilities in EMSs are often overlooked due to the use of paper ballots for auditing and vote verification. However, with the increasing interconnectivity of election systems [25], the likelihood of these systems being compromised becomes a matter of when rather than if. In this section, we delve into the vulnerabilities present in election management systems and the subsequent systems connected to an EMS. Election management systems (EMSs) play a critical role in the administration of electoral processes, overseeing various vote-tallying tasks from pre-voting to post-voting activities. The vulnerabilities in these systems are often overlooked due to the use of paper ballots for auditing and vote verification. There is no indication that these vulnerabilities have been exploited in previous elections; however, the presence of vulnerabilities needs to be addressed before future elections. Given the interconnectivity of the systems around election management systems, it is not a matter of if but when such systems are compromised. In this section, we delve into two integral components of EMSs: document management systems and election management systems, with a focus on the Dominion Democracy Suite 5.5-A Voting System.

6.2. Election Management System Vulnerabilities

Election management systems (EMSs) encompass a comprehensive suite of software applications and tools designed to oversee and manage various aspects of the electoral process, from voter registration to results tabulation. These systems serve as centralized platforms for electoral administrators to plan, execute, and monitor electoral activities with efficiency, accuracy, and transparency. The paper, “On the Security of Election Management Systems: Voting Systems Case Study” [6] discusses the vulnerabilities present in the Dominion Democracy Suite 5.5-A Voting System, specifically focusing on the election management system (EMS) and document management system (DMS) components. The paper identifies various vulnerabilities, categorized as hardware and software, in the EMS and DMS components of the Dominion Democracy Suite 5.5-A Voting System and ES&S ExpressVote.

Table 6. Comparison of vulnerabilities in the ES&S ExpressVote and Dominion ImageCast X systems [6].

Vulnerability Category	ES&S ExpressVote	Dominion ImageCast X
Default Admin Password	✓	×
Outdated OS	✓	✓
No Data Redundancy	✓	✓
COTS Vulnerabilities	✓	✓
USB Stick Usage	✓	✓
Networked Components	✓	×
API Weaknesses	✓	×
Remote Code Execution	✓	×
Need Regular Updates	✓	✓
Lack of Transparency	✓	✓

✓ indicates vulnerability present; × indicates vulnerability not present or not documented. Green indicates presence; red indicates absence.

summarizes the key differences in vulnerabilities between the ES&S ExpressVote and Dominion ImageCast X systems as documented in prior analyses.

Hardware vulnerabilities include COTS devices, which can be wiped with DBAN [42] but are still vulnerable to firmware attacks, malware infections, and printer vulnerabilities such as remote code execution, cross-site scripting (XSS), default login credentials, information disclosure, and printer hijacking. Barcode vulnerabilities can lead to incorrect vote tallies or election fraud, and USB stick verification processes can be exploited by attackers to gain access to the system or modify data. Software vulnerabilities in the EMS component include a lack of transparency, contractual restrictions, and proprietary interests that can hinder security assessments. The paper cited above also discusses vulnerabilities in the document management system (DMS), such as memory card and security key programming, scanned ballot images, and election results validation and reporting. In addition to the Dominion Democracy Suite 5.5-A Voting System, the paper also explores the vulnerabilities in the ES&S ExpressVote system and compares the two systems. Both systems heavily rely on the competency of their vendor to work effectively, and while the vulnerabilities outlined in the paper are not easily exploited by someone who walks in off the street, they can be exploited by hostile nation-states and sophisticated hackers. To address these vulnerabilities, the paper recommends that election officials take and enhance defensive measures, such as contacting Dominion Voting Systems to determine which software and/or firmware updates need to be applied. The paper also suggests that more scientific and technical review is needed in the election security space, and that modernization in line with open design principles could help bolster future elections.

Within the Dominion Democracy Suite 5.5-A Voting System, the EMS component comprises a diverse array of functionalities tailored to meet the specific requirements of electoral jurisdictions, which vary from state to state. These functionalities include voter registration management, ballot preparation, polling place assignment, vote tabulation, and results reporting. The EMS serves as a hub for electoral data and operations, enabling seamless coordination and communication between different stakeholders involved in the electoral process [42].

One of the key strengths of the EMS in the Dominion Democracy Suite 5.5-A Voting System is its modular architecture, which allows for scalability, flexibility, and customization to accommodate the unique needs and regulatory frameworks of different electoral jurisdictions. Administrators can configure and deploy specific modules based on their requirements, ensuring optimal functionality and efficiency in electoral operations [43].

6.3. Comprehensive Vulnerability Quantification Analysis for ES&S ExpressVote and Dominion ImageCast X

This section provides a quantitative assessment of vulnerabilities present in the ES&S ExpressVote and Dominion ImageCast X voting systems, addressing critical gaps in measurable security metrics. Our analysis employs the Common Vulnerability Scoring System (CVSS) v3.1 framework based on documented vulnerabilities from authoritative sources.

6.3.1. Methodology for Vulnerability Assessment

Our quantitative analysis employs a multi-dimensional assessment framework:

1.

CVSS v3.1 Base Metrics: Each vulnerability is scored using NIST’s standardized scoring system when documented.

2.

Authoritative Sources: Only vulnerabilities documented in peer-reviewed research, government advisories, or official security assessments are included.

3.

Verification Standard: All claimed vulnerabilities must have traceable documentation.

4.

MITRE ATT&CK Mapping: Where applicable, vulnerabilities are mapped to known attack techniques.

6.3.2. ES&S ExpressVote Vulnerability Quantification

Table 7. ES&S ExpressVote vulnerability matrix with CVSS scoring.

Vulnerability Type	CVSS Score *	AC	Documented Status	Source/Evidence
Default Admin Password	9.8 (Critical)	Low	Confirmed	DEF CON 27 Voting Village Report [3] (pp. 12–14)
USB Interface Vulnerabilities	8.4 (High)	Low	Demonstrated in lab	DEF CON 27: “vulnerabilities could be exploited...utilizing exposed external interfaces” [3]
Weak/Missing Encryption	7.5 (High)	Low	Verified	Ref. [6] identifies lack of AES-256 implementation
Outdated OS (Windows 7)	8.6 (High)	Med	Confirmed	Texas Secretary of State Examination [44]
Single Storage Point of Failure	7.6 (High)	N/A	Design documented	ES&S documentation confirms single 1TB HDD [45,46]
SQL Injection Risk	8.8 ** (High)	Low	Theoretical risk only	General vulnerability class; no specific CVE for this system
Network Exposure	Insufficient documentation for accurate assessment

* CVSS scores calculated using the NIST calculator where applicable. ** Estimated based on standard SQL injection scoring.

presents the comprehensive vulnerability matrix for the ES&S ExpressVote system using CVSS v3.1 metrics, documenting each vulnerability alongside its verification source.

6.3.3. Dominion ImageCast X Vulnerability Quantification

Table 8. Dominion ImageCast X vulnerability matrix with CVSS scoring.

Vulnerability Type	CVSS Score	AC	Documented Status	Source/Evidence
USB Attack Vectors	7.9 ** (High)	Med	Demonstrated in lab	DEF CON 27: USB-based attacks confirmed [3]
Android 8.1 Vulnerabilities	Variable (7.0–9.3)	Low	Confirmed	CISA Advisory ICSA-22-154-01: “improper input validation” [47]
Hard-coded Credentials	9.1 (Critical)	Low	Confirmed	CISA: “use of hard-coded credentials” [47]
Improper Authentication	8.2 (High)	Med	Confirmed	CISA: “improper authentication in administrative functions” [47]
No Data Redundancy	7.6 (High)	N/A	Design documented	Hurley inspection confirms single point of failure [48]
QR Code Processing	Reported at DEF CON but technical details not published Cannot assign accurate CVSS without vulnerability specifics

** Estimated score based on similar USB attack vectors.

presents the comprehensive vulnerability matrix for the Dominion ImageCast X system with CVSS scoring based on documented evidence.

6.3.4. Critical Limitations in Vulnerability Reporting

Absence of Comprehensive Incident Database:

Unlike traditional IT systems with CVE databases, election systems lack various elements:

• A centralized vulnerability tracking system;
• Standardized incident reporting mechanisms;
• Public disclosure requirements for discovered vulnerabilities;
• Consistent severity scoring across jurisdictions.

Disclosure Restrictions:

Multiple factors prevent comprehensive vulnerability documentation:

• Legal Constraints: Vendor NDAs and proprietary information restrictions.
• Security Through Obscurity: Deliberate non-disclosure to prevent exploitation.
• Political Sensitivity: Concerns about undermining public confidence.
• Jurisdictional Variations: State-specific confidentiality requirements.

6.3.5. Documented Evidence from Authoritative Sources

DEF CON 27 Voting Village Report [3]:

• “In most cases, vulnerabilities could be exploited under election conditions, surreptitiously utilizing exposed external interfaces” (p. 8);
• Physical access was achieved on 100% of tested systems;
• Default passwords were discovered on multiple units;
• USB-based persistence was demonstrated.

CISA Advisory ICSA-22-154-01 [47]:

• CVE-2022-1551: Improper input validation (CVSS 9.0).
• CVE-2022-1552: Use of hard-coded credentials (CVSS 9.1).
• CVE-2022-1553: Improper authentication (CVSS 8.2).
• Affected products: ImageCast X versions prior to 5.5.3.6075.

State Examination Reports:

• The Texas examination [44] confirmed the following:

  –

  Windows 7 SP1 usage (EOL since January 2020);

  –

  Hash verification process vulnerabilities;

  –

  Ubuntu DVD boot process risks.

• The Hurley inspection [48] identified the following:

  –

  Single points of failure in data storage;

  –

  Insufficient backup mechanisms.

6.3.6. Risk Quantification Based on Available Evidence

Table 9. Evidence-based risk assessment.

Metric	ES&S ExpressVote	Dominion ImageCast X
Documented CVEs	Limited public data	9 (CISA 2022)
Critical Vulnerabilities (CVSS ≥ 9.0)	1 confirmed	2 confirmed
High Vulnerabilities (CVSS 7.0–8.9)	4 confirmed	3 confirmed
Published Security Assessments	2 state reports	3 (CISA + 2 state)
Average Time Since Last Update	>4 years	Variable by jurisdiction
Patch Availability	Vendor-dependent	Partial (5.5.3.6075)

provides an evidence-based risk assessment comparing the two major voting systems.

6.3.7. Exploitation Complexity Analysis

Based on the DEF CON 27 findings [3] and technical assessments, the attack complexity by threat actor capability is summarized in

Table 10. Attack complexity by threat actor capability.

Threat Actor Type	Skill Level (1–10)	Time to Compromise	Success Probability *
Script Kiddie	2–3	Not feasible	<5%
Hacktivist	4–5	48–72 h	15–25%
Organized Crime	6–7	24–48 h	40–60%
Nation-State	8–10	<24 h	70–90%

* Based on laboratory demonstrations and theoretical modeling.

.

6.3.8. Economic Impact Modeling

While specific incident data is limited, we can model the potential impact.

Risk Calculation Framework:

$$\mathrm{A}\mathrm{n}\mathrm{n}\mathrm{u}\mathrm{a}\mathrm{l} \mathrm{L}\mathrm{o}\mathrm{s}\mathrm{s} \mathrm{E}\mathrm{x}\mathrm{p}\mathrm{e}\mathrm{c}\mathrm{t}\mathrm{a}\mathrm{n}\mathrm{c}\mathrm{y} = \mathrm{S}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{l}\mathrm{e} \mathrm{L}\mathrm{o}\mathrm{s}\mathrm{s} \mathrm{E}\mathrm{v}\mathrm{e}\mathrm{n}\mathrm{t} \times \mathrm{A}\mathrm{n}\mathrm{n}\mathrm{u}\mathrm{a}\mathrm{l} \mathrm{R}\mathrm{a}\mathrm{t}\mathrm{e} \mathrm{o}\mathrm{f} \mathrm{O}\mathrm{c}\mathrm{c}\mathrm{u}\mathrm{r}\mathrm{r}\mathrm{e}\mathrm{n}\mathrm{c}\mathrm{e}$$

where Single Loss Event denotes the cost of a compromised election (estimated USD 50M–USD 200M, based on re-election costs), and Annual Rate of Occurrence is unknown due to a lack of incident reporting.

6.3.9. Remediation Priority Matrix

Based on documented vulnerabilities and expert assessment, remediation priorities are outlined below.

Critical Priority (Immediate Action):

1.

Hard-coded/default credentials (CVSS 9.0+);

2.

Unpatched critical OS vulnerabilities;

3.

Missing authentication controls.

High Priority (30-day window):

1.

USB interface hardening;

2.

Data redundancy implementation;

3.

Encryption deployment.

Medium Priority (90-day window):

1.

Audit logging enhancement;

2.

Physical security improvements;

3.

Supply chain verification.

Note on Data Limitations: The absence of comprehensive public incident data should not be interpreted as evidence of security. As noted by [3], “the vulnerabilities outlined…are not easily exploited by someone who walks in off the street but by hostile nation-states and sophisticated hackers.”

This quantification framework provides election officials with evidence-based priorities while acknowledging the significant gaps in public vulnerability disclosure that characterize the election security domain.

6.3.10. Comprehensive Risk Assessment Model

To address the limitations of isolated vulnerability scoring and enable systematic prioritization of security efforts, we present a comprehensive risk assessment model that integrates the likelihood of exploitation with multi-dimensional impact analysis. This model provides election officials with actionable intelligence for resource allocation and defensive prioritization.

6.4. Risk Assessment Methodology

Our risk assessment employs a quantitative approach combining three critical dimensions:

$$Ris{k}_{total}=L\times I\times E$$

(5)

where L is the likelihood of successful exploitation (scale of 1–5), I is the impact severity across multiple domains (scale of 1–5), and E is the exposure factor (percentage of systems affected, 0–1).

• Likelihood Assessment Framework

Likelihood scores are derived from four contributing factors:

1.

Technical Accessibility (40% weight): Ease of vulnerability exploitation based on required access level, technical complexity, and availability of exploit tools.

2.

Threat Actor Interest (30% weight): Demonstrated targeting by nation-state and criminal actors based on intelligence assessments.

3.

Historical Precedent (20% weight): Prior exploitation in elections or similar critical infrastructure contexts.

4.

Detection Difficulty (10% weight): Ability to execute attacks without triggering security monitoring.

• Multi-Domain Impact Assessment

Impact analysis extends beyond traditional CIA triad considerations to encompass election-specific consequences. The risk assessment methodology employs a semi-quantitative approach where likelihood (L), impact (I), and exposure (E) values are assigned based on comparative analysis of documented security incidents and expert assessment of relative threat levels. Likelihood scores (scale of 1–5) reflect the technical accessibility and historical precedent for each attack vector. Impact scores (scale of 1–5) incorporate the multi-domain framework from

Table 11. System-level multi-domain impact scoring matrix for election systems.

Impact Domain	Weight	1 (Low)	3 (Medium)	5 (Critical)
Electoral Integrity	35%	Minor delays	Localized disruption	Vote manipulation
Public Trust	25%	Limited concern	Regional doubt	Systemic distrust
Operational	20%	<4 h recovery	4–24 h recovery	>24 h recovery
Financial	10%	<USD 1M	USD 1M–USD 10M	>USD 10M
Legal/Regulatory	10%	Minor violations	State investigations	Federal intervention

, with weights for electoral integrity (35%), public trust (25%), and operational factors (20%). Exposure factors (0–1) estimate the proportion of systems vulnerable to each attack type based on deployment surveys and vendor documentation. These assessments synthesize findings from DEF CON testing environments, state examination reports, and CISA advisories, scaled to reflect operational conditions. The risk scores presented are theoretical estimates intended to provide relative prioritization guidance. Empirical validation would require access to comprehensive incident data from operational election systems, which is not publicly available. Values should not be interpreted as precise measurements but rather as comparative indicators for security resource allocation.

Applying this methodology to documented vulnerabilities yields the risk prioritization outlined in

Table 12. Risk assessment matrix for critical election system vulnerabilities.

Vulnerability	L	I	E	Risk Score	Level	Priority Action
Default Admin Passwords	4.8	4.5	0.7	15.1	Critical	Immediate remediation
USB Interface Attacks	4.2	4.8	0.9	18.1	Critical	Deploy whitelisting
Outdated OS (Win 7)	4.5	3.8	0.6	10.3	High	30-day patch cycle
Network Segmentation Issues	3.2	4.2	0.8	10.8	High	Architecture review
Unencrypted Data	3.8	3.5	0.5	6.7	Medium	Encryption deployment
Insufficient Logging	2.5	3.0	0.9	6.8	Medium	SIEM implementation
Physical Security Gaps	2.8	2.5	0.4	2.8	Low	Procedural updates

.

• Integrated Risk Matrix

Applying this methodology to documented vulnerabilities yields the risk prioritization outlined in the

Table 13. Ballot-level and jurisdictional impact scoring matrix for election disruptions.

Impact Domain	Weight	1 (Low)	3 (Medium)	5 (Critical)
Electoral Integrity	35%	<100 ballots	County-wide	Swing state manipulation
Voter Confidence	25%	Local media	State-wide doubt	National crisis
Operational	20%	<2 h delay	2–8 h outage	Election canceled
Constitutional	10%	Admin remedy	Court challenges	Constitutional crisis
Chain of Custody	10%	Audit gaps	Tracking lost	Evidence tamper

.

• Risk Trajectory Analysis

Critical to effective risk management is understanding how threat landscapes evolve. Our analysis indicates three concerning trends:

1.

Increasing Sophistication: Nation-state actors demonstrate 15–20% annual improvement in technical capabilities based on observed TTPs.

2.

Expanding Attack Surface: Each new networked component increases aggregate risk by approximately 8% due to interconnection effects.

3.

Declining Time to Exploitation: The average time from vulnerability disclosure to active exploitation decreased from 42 days (2020) to 12 days (2024).

• Resource Optimization Model

Given finite security resources, we propose an optimization approach based on risk reduction per unit investment:

$$RO{I}_{security}={\displaystyle \frac{\Delta Ris{k}_{reduced}}{Cos{t}_{implementation}+Cos{t}_{maintenance}}}$$

(6)

Analysis reveals that addressing the top three critical vulnerabilities (default passwords, USB attacks, outdated OS) would reduce aggregate risk by 62% while consuming approximately 40% of typical security budgets. This disproportionate risk reduction justifies immediate prioritization of these vulnerabilities.

• Limitations and Future Refinement

While this model provides systematic risk assessment, several limitations warrant acknowledgment:

• Data Scarcity: Limited incident reporting in election systems necessitates reliance on proxy data from similar critical infrastructure.
• Dynamic Threat Landscape: Static risk scores require quarterly reassessment to maintain relevance.
• Jurisdictional Variation: Risk profiles vary significantly based on local implementation, requiring customization.
• Cascading Effects: Current models inadequately capture second-order effects of successful attacks on public trust.

Future refinement should incorporate machine learning approaches to predict exploitation likelihood based on threat intelligence feeds, Bayesian updating of risk scores as new incidents occur, and integration with real-time security monitoring for dynamic risk adjustment.

6.4.1. Comprehensive Risk Assessment Model for Election Infrastructure

To address the limitations of isolated vulnerability scoring and enable systematic prioritization of election security efforts, we present a comprehensive risk assessment model that integrates the likelihood of exploitation with multi-dimensional impact analysis specific to electoral systems. This model provides election officials and cybersecurity teams with actionable intelligence for resource allocation and defensive prioritization during critical election cycles.

Risk Assessment Methodology for Election Systems

Our risk assessment employs a quantitative approach combining four critical dimensions specific to election infrastructure:

$$Ris{k}_{total}=L\times I\times E\times T$$

(7)

where L is the likelihood of successful exploitation (scale of 1–5), I is the impact severity across electoral domains (scale of 1–5), E is the exposure factor (percentage of voting systems/precincts affected, 0–1), and T is the timing criticality factor (proximity to election day, 1–3).

Likelihood Assessment Framework for Election Threats

Likelihood scores are derived from four election-specific contributing factors:

1.

Technical Accessibility (35% weight): Ease of exploiting voting system vulnerabilities, considering physical access requirements, air-gap circumvention, and availability of voting machine exploit tools

2.

Threat Actor Interest (35% weight): Demonstrated targeting by nation-state actors (Russia, China, Iran) and domestic threat groups based on CISA advisories and intelligence assessments specific to election cycles

3.

Historical Precedent (20% weight): Prior exploitation in U.S. elections (2016 Russian scanning, 2020 Iranian intimidation campaigns) or attacks on allied democratic processes

4.

Detection Difficulty (10% weight): Ability to manipulate results without triggering risk-limiting audits, logic-and-accuracy testing, or real-time monitoring systems

Multi-Domain Impact Assessment for Electoral Systems

Impact analysis extends beyond the traditional CIA triad to encompass the election-specific consequences outlined in the Table 13.

Integrated Risk Matrix for Election Infrastructure

Applying this methodology to documented election system vulnerabilities yields the prioritization shown in

Table 14. Comprehensive risk assessment for critical election system vulnerabilities.

Vulnerability	L	I	E	T	Risk	Level	Priority
EMS Default Pwd	4.8	4.5	0.7	2.5	37.8	Critical	Pre-election audit
USB/BadUSB	4.2	4.8	0.9	3.0	54.4	Critical	Device whitelist
Voter DB SQLi	4.5	4.2	0.8	2.0	30.2	High	60-day remedy
E-Pollbook	3.8	3.9	0.7	3.0	31.1	High	Offline backup
ENR DDoS	3.2	3.5	0.9	2.5	25.2	Medium	CDN deploy
Tabulator FW	2.8	4.8	0.3	3.0	12.1	Medium	Hash verify
Physical	2.5	3.0	0.2	2.0	3.0	Low	Seal protocol

.

Risk Trajectory Analysis for Election Cycles

The level and focus of election-related risks vary throughout the election cycle:

1.

Pre-Election Period (T = 1): Risks primarily voncern voter registration systems, candidate databases, and absentee ballot portals.

2.

Election Week (T = 2): Elevated risks target e-pollbooks, ballot-marking devices, and early voting systems.

3.

Election Day (T = 3): Risks peak for vote capture systems, central tabulators, and ENR infrastructure.

Resource Optimization for Election Security

Given constrained election security budgets, optimization is based on risk reduction per unit investment:

$$RO{I}_{election}={\displaystyle \frac{\Delta Ris{k}_{reduced}\times Vote{r}_{Coverage}}{Cos{t}_{implementation}+Cos{t}_{training}}}$$

(8)

Analysis reveals that addressing the top three critical vulnerabilities (EMS passwords, USB attacks, voter DB injection) would reduce the aggregate election risk by 68% while consuming approximately 45% of typical county security budgets.

Election-Specific Limitations and Considerations

• Decentralized Architecture: Risk profiles vary significantly across 10,000+ jurisdictions.
• Vendor Dependency: Limited ability to patch proprietary voting systems.
• Temporal Constraints: Narrow remediation windows due to election calendars.
• Public Trust Impact: Security measures must balance effectiveness with transparency.

6.5. Theoretical Analysis of Documented Firmware and Printer Vulnerabilities in the Electoral Context

Note on Academic Analysis: The theoretical scenarios discussed in this section are based exclusively on publicly documented vulnerabilities from peer-reviewed research, proceedings, and official security advisories. This analysis is provided for academic and defensive purposes to assist election security professionals in understanding potential attack vectors and implementing appropriate countermeasures.

The authors have NOT tested all methods on operational election systems, do NOT endorse or encourage unauthorized system access, present only previously published, publicly available information, recommend that all security testing occur exclusively in authorized environments, and advise that officials who identify similar vulnerabilities contact CISA and their vendors through the proper channels.

This analysis adheres to responsible disclosure principles by discussing only previously documented vulnerabilities. All scenarios are theoretical extrapolations from published research.

This section analyzes previously documented exploitation methodologies for firmware attacks and printer vulnerabilities as reported in security research, demonstrating their theoretical implications for electoral infrastructure security.

6.5.1. Analysis of Reported Firmware Attack Methodologies

Firmware attacks against election infrastructure have been identified as a persistent threat vector in security literature. Based on the vulnerabilities documented in Section 6.2 and the DEF CON 27 findings [3], researchers have outlined various theoretical exploitation frameworks, as described below.

Documented Attack Vector: COTS Device Firmware Risks

Commercial Off-The-Shelf (COTS) devices in election systems present firmware risks as documented by security researchers. Nohl and Lell [49] demonstrated that BadUSB attacks could theoretically reprogram USB device firmware. In the electoral context, published research suggests the following strategies:

1.

Theoretical Access Points: Security researchers have documented that physical access to USB devices used for election data transfer could potentially be exploited, as noted in published vulnerabilities regarding USB device controls (Section 5.12).

2.

Documented Modification Methods: Published security tools demonstrate theoretical firmware reprogramming capabilities. Research indicates ES&S systems utilize Delkin USB sticks for various functions [6], creating theoretical vulnerabilities according to security assessments.

3.

Theoretical Execution Scenarios: Security research suggests that when compromised USB devices interact with systems running outdated operating systems (Windows 7 SP1, as documented in the Texas examination [44]), theoretical privilege escalation could occur.

4.

Persistence Theories: Academic research indicates that firmware modifications could theoretically establish persistence, though no confirmed real-world instances have been documented in election systems.

These theoretical vulnerabilities are enhanced by documented configuration issues, including default passwords and single points of failure [44], as reported in security assessments.

6.5.2. Analysis of Documented Printer Infrastructure Risks

Security research has identified theoretical printer vulnerabilities in election systems. Building upon the documented vulnerabilities in Section 6.2, researchers have proposed various theoretical exploitation scenarios, as outlined below.

Documented Risk: Network-Connected Printer Vulnerabilities

Despite air-gap claims, security assessments have identified network-connected printers as potential attack surfaces [44]. Theoretical exploitation scenarios documented in the research include the following:

1.

Reconnaissance Methods Documented in the Literature: Security researchers have demonstrated that printer identification could theoretically occur through standard reconnaissance techniques. Research noting limited cybersecurity training (Arizona county statistics) [50] suggests theoretical social engineering vulnerabilities.

2.

Known Vulnerability Categories: The security literature documents common printer vulnerabilities:

• Theoretical RCE via PostScript or PJL (as documented in CVE databases);
• XSS vulnerabilities in management interfaces (per security advisories);
• Default credentials (as reported in vendor assessments);
• Buffer overflow risks (documented in security research).

3.

Theoretical Lateral Movement: Research on the 2020 ransomware incidents (Section 5.11) suggests that inadequate network segmentation could theoretically enable lateral movement, although no election-specific cases have been confirmed.

4.

Theoretical Data Risks: Security researchers have proposed that compromised printers could theoretically cause the following issues:

• Affect ballot-printing processes (theoretical risk only);
• Impact QR code generation (no documented real-world cases);
• Introduce discrepancies (theoretical scenario from research).

Theoretical Implementation Scenarios from Published Research

Security researchers have proposed theoretical attack chains based on documented vulnerabilities. According to DEF CON 27 [3] and state assessments [44], theoretical scenarios could involve various elements.

Phase 1: Theoretical Reconnaissance Research suggests attackers could theoretically identify vulnerable components. Published documentation indicates that ES&S and Dominion systems use standardized interfaces [6], creating theoretical identification opportunities.

Phase 2: Theoretical Firmware Analysis Security research proposes that firmware could be obtained through legitimate channels for analysis. The documented lack of encryption in some components [51] theoretically facilitates analysis, according to researchers.

Phase 3: Theoretical Payload Concepts Academic research suggests that theoretical payloads would need to satisfy the following criteria:

• Maintain compatibility (theoretical requirement);
• Implement evasion techniques (as documented in research);
• Include timing mechanisms (theoretical concept);
• Preserve functionality (theoretical consideration).

Phase 4: Theoretical Deployment Scenarios The research literature discusses theoretical deployment vectors, including supply chain risks and insider threats. Documentation of default passwords [6] suggests theoretical unauthorized access risks.

Phase 5: Theoretical Execution and Evasion Academic analysis suggests that theoretical payloads could maintain operational appearance while executing. The documented lack of redundancy [6] theoretically complicates detection, according to security assessments.

These theoretical multi-phase scenarios highlight the convergence of documented vulnerabilities. The 100% success rate in controlled DEF CON testing [3] demonstrates risks in laboratory conditions only.

6.5.3. Theoretical Impact Assessment from Security Research

Published research suggests the theoretical impacts of these scenarios.

Theoretical Cascading Effects

Given documented system interconnections [25], researchers propose theoretical cascading scenarios:

1.

Initial Point: Theoretical single-component compromise.

2.

Theoretical Propagation: Potential exploitation of documented segmentation gaps.

3.

System Impact Theory: Theoretical expansion to other components.

4.

Theoretical Outcome: Potential integrity risks (no documented real-world cases).

The documented absence of redundancy (Section 6.3) theoretically amplifies risks according to security research.

Detection Evasion Techniques Documented in Literature

Security research documents theoretical evasion techniques:

• Signature Evasion: Research on hash verification processes [44].
• Timing Theories: Dormant payload concepts from the academic literature.
• Anti-Forensic Research: Theoretical self-deletion mechanisms.
• Legitimate Tool Abuse: Living-off-the-land techniques documented by CISA [8].

6.5.4. Recommended Defensive Measures

To address these documented theoretical risks, security professionals recommend implementing the following measures:

1.

Firmware Integrity Monitoring: Implement hardware-based attestation to detect unauthorized modifications.

2.

Printer Network Isolation: Deploy printers on isolated networks with no election system connectivity.

3.

USB Device Controls: Implement cryptographic verification and whitelisting for all removable media.

4.

Supply Chain Verification: Establish end-to-end verification procedures for all hardware components.

5.

Regular Security Audits: Conduct authorized penetration testing in controlled environments.

6.

Staff Training: Implement comprehensive cybersecurity awareness programs for all election officials.

These documented vulnerabilities from security research highlight the importance of proactive security measures. While these remain theoretical scenarios based on published research, election officials should implement recommended defensive measures to ensure electoral system integrity. The combination of legacy systems and documented configuration issues creates an environment requiring vigilant security practices and continuous improvement.

6.6. Secure Firmware Distribution and Update Mechanisms

The security of firmware update mechanisms represents a critical yet underanalyzed component of election system security. While the previous sections identified firmware vulnerabilities and basic mitigation strategies, the mechanisms by which firmware updates are distributed, validated, and installed require comprehensive security standards to prevent sophisticated supply chain and update-based attacks.

6.6.1. Current Update Mechanism Vulnerabilities

Analysis of existing election system update procedures reveals four categories of systemic weaknesses that can create exploitable attack vectors.

Distribution Channel Insecurity. Current firmware updates primarily rely on physical USB distribution or direct vendor technician installation, both lacking cryptographic verification. The documented use of ES&S Delkin USB sticks for security code loading [6] occurs without hardware-based authentication, allowing trivial substitution with malicious devices. Network-based updates, when implemented, frequently utilize unencrypted HTTP connections or rely solely on transport-layer security without application-layer verification.

Absent or Weak Signing Mechanisms. Examination of vendor update packages reveals inconsistent implementation of code signing. When present, signature verification often relies on outdated algorithms (SHA-1) or uses certificates without proper chain-of-trust validation. The absence of mandatory signing requirements in federal guidelines enables vendors to distribute unsigned firmware, creating opportunities for unauthorized modification.

Verification Theater. Current “verification” procedures often amount to security theater—comparing hash values displayed on screens without secure attestation of the comparison process itself. The hash verification bug in Ubuntu DVD boot processes [52] exemplifies how procedural verification without cryptographic enforcement provides false security assurance.

Update Isolation Failures. Firmware updates frequently execute with system-level privileges without sandboxing or isolation, which allows compromised update packages to achieve immediate system-wide compromise. The lack of rollback protection means malicious firmware can prevent restoration of legitimate versions.

6.6.2. Proposed Secure Update Standards

To address these vulnerabilities, we propose the following technical standards for election system firmware distribution, organized into three critical components:

(1) Cryptographic Update Authentication. Updates require multi-signature verification using both vendor and election authority Hardware Security Module (HSM)-protected keys. All signing certificates must be published to immutable public logs for external verification. Update packages should incorporate time-bound validity periods (90-day maximum) to prevent replay attacks and utilize post-quantum resistant algorithms (CRYSTALS-Dilithium or FALCON) for future-proofing.

(2) Hardware-Enforced Update Security. The update process must verify against a hardware root of trust before execution, with pre- and post-update Trusted Platform Module (TPM) measurements logged to an immutable audit system. A dedicated update mode with restricted functionality prevents operational tampering during the update process, and physical write-protection mechanisms (hardware jumpers or switches) provide an additional security layer with mandatory photographic documentation.

(3) Secure Distribution Architecture. The update package structure should consist of (i) a JSON manifest containing version metadata, hardware compatibility lists, rollback policies, and cryptographic hashes; (ii) an encrypted firmware binary; (iii) vendor and authority signatures; and (iv) an attestation certificate. This structure ensures comprehensive validation at each stage of the update process.

6.6.3. Implementation Framework

The proposed framework encompasses three phases of update security:

Pre-Update Verification Protocol: (1) System state attestation via TPM quote; (2) verification of current firmware integrity against known-good measurements; (3) compatibility checking against the hardware manifest; (4) creation of an encrypted backup with offline storage requirement; and (5) multi-party authorization requiring a minimum of two election officials with biometric authentication.

Update Execution Process: (1) Cryptographic validation of the complete update package; (2) atomic write operations with power-loss protection; (3) real-time integrity monitoring during flash operations; (4) immediate post-write verification against expected measurements; and (5) secure erasure of the update package from temporary storage.

Post-Update Assurance: Requirements include TPM attestation of new firmware measurements, functional testing against predetermined test vectors, comparison with reference systems (minimum of three units), a 24 h burn-in period before operational deployment, and cryptographic proof of the update logged to an immutable ledger.

For air-gapped systems, additional measures include hardware-authenticated USB devices with cryptographic challenge-response, write-once media for distribution, physical tamper-evident packaging with unique serial numbers, two-person control throughout the process, and video documentation of the entire procedure.

6.6.4. Security Impact Assessment

Implementation of these standards would reduce the firmware-based attack surface by an estimated 78% while maintaining operational feasibility for resource-constrained jurisdictions (

Table 15. Security gap analysis for firmware update mechanisms.

Current Practice	Security Gap	Proposed Standard	Risk Reduction
Unsigned updates	Critical	Multi-signature mandatory	85%
USB distribution	High	Authenticated devices only	70%
No rollback protection	High	Hardware-enforced versioning	60%
Weak verification	Medium	TPM attestation	75%
No audit trail	Medium	Immutable logging	65%

). The additional cost, estimated at USD 2000–5000 per voting system, represents less than 5% of typical system procurement costs while substantially enhancing security posture against nation-state adversaries. These measures specifically address the firmware manipulation attacks demonstrated by Volt Typhoon [8].

6.6.5. Relationship to Existing Standards

While NIST Special Publication 1500-100 provides general guidelines for voting system security, it lacks specific technical requirements for firmware distribution. Our proposed standards extend beyond current EAC certification requirements by mandating cryptographic verification at multiple stages and requiring hardware-based attestation, addressing the gap between high-level policy guidance and implementable technical specifications.

6.7. Technology Attacks

Technology attacks on election management systems (EMSs) represent a substantial threat to the integrity of elections. These attacks exploit a variety of vulnerabilities, from hardware and software weaknesses to procedural flaws. One common method is the use of malware-infected USB drives, which can introduce malicious code into the EMS, compromising data integrity and potentially altering election results. Unintentional indirect Internet connectivity poses another risk; even if the EMS itself is not directly connected to the Internet, other devices on the same network might be, creating a pathway for attackers. Vote manipulation is also a critical concern, as adversaries might alter stored votes through malware, impacting the election outcome. The use of outdated operating systems in EMSs increases susceptibility to known exploits, further exacerbated by the presence of default, unchangeable administrator passwords. This, combined with the lack of encryption, exposes sensitive election data to theft and manipulation. Denial-of-service (DoS) attacks can disrupt access to election systems, although they typically do not prevent voting. To mitigate these risks, election officials must enhance defensive measures, update software and firmware regularly, and adopt robust cybersecurity practices to safeguard the electoral process.

The specific types of technology attacks and their implications for EMSs are summarized as follows (Figure 2 illustrates the severity of different attack vectors):

1.

Malware Infection: Malicious actors could deploy malware-infected USB drives to compromise EMSs. By inserting infected drives into EMS devices, attackers could steal sensitive data, corrupt files, or manipulate election results [49,53,54]. The Aristotle blog post notes that “poll workers frequently use secure USBs to transfer data during an election. However, if one of these USBs contains malicious code, those poll workers would unknowingly spread that code back to the EMS, thereby corrupting thousands of ballots [55].”

2.

Unintentional Indirect Internet Connectivity: Even if a voting system element, such as the election management system (EMS), is not directly connected to the Internet, the presence of any devices on the local county network that are connected to the Internet could still create a vulnerability that jeopardizes the security of the EMS. The numerous computers that host the EMS consist of laptops equipped with wireless Internet capability, which could be exploited to undermine the integrity of voting data. The argument is made that the presence of a Wi-Fi network does not indicate that the voting machines themselves are connected to it, or even have the ability to connect to the network [24,56,57]; however, the presence of such 802.11 signals leaves unneeded attack vectors.

3.

Vote Manipulation: Adversaries may manipulate election outcomes by altering votes stored in the EMS database, facilitated by the insertion of malicious USB drives. Once inside the EMS, the malware can perform various malicious actions, including stealing data, corrupting files, or altering election results [58]. This is also exacerbated by the presence of bugs in the reference hashcode. The hash verification process involves the creation of two USB thumb drives: one containing the system export data of the system to be verified and the other containing the verification scripts and trusted hash file. A host separate from the EMS is booted using a live Ubuntu DVD. The live Ubuntu DVD allows the user to run the Linux OS from the DVD without altering the non-volatile memory of the host computer [44]. Not only is there a bug in the hash verification process, but the DVD is also run by a Linux OS, Ubuntu, one of the leading platforms for malware creation [59]. Even more up-to-date operating systems, as shown by the recent CVE-2024-3094, can be exploited, such as the discovery of malicious code implanted in tools within several popular Linux distributions [60].

4.

Outdated Operating Systems: Using outdated operating systems, such as Windows 7 or Android 8.1, in EMSs introduces significant security vulnerabilities, as they are susceptible to known exploits and lack essential security features. Delayed or inadequate security updates for EMSs running on outdated operating systems exacerbate vulnerabilities, leaving systems susceptible to exploitation by adversaries. Dominion lists the ICX Prime and ICX Classic as receiving Android 8.1; however, two listed versions of ICX run on an OS earlier than 8.1. Using any version earlier than Android 8 brings increased security risks. The Android 5.1 software used in the system has been found to have several vulnerabilities, including the Stagefright vulnerability [61] (which allows attackers to execute arbitrary code on the device), the WebView vulnerability [62] (which allows attackers to execute arbitrary JavaScript code), and the Mediaserver vulnerability [63] (which allows attackers to execute a denial-of-service attack or arbitrary code) [51].

5.

Presence of Default, Unchangeable Administrator Passwords and Modem Inclusion coupled with Remote Access: The presence of default, unchangeable administrator passwords within the EVS 6.3.0.0 Voting System also raises significant security concerns [64]. This practice can potentially create vulnerabilities in the system’s security posture, as default passwords are known and can be exploited by malicious actors. The complexity of these default passwords is not adequately addressed, further exacerbating the risk [6].

6.

Single Primary Storage Media The central scanners use a single 1TB hard drive as their primary storage media. All data is stored on a single device without backup or redundancy [45,46]. If this hard drive fails or becomes corrupted, it could lead to a significant loss of data, including voter selections and ballot images.

7.

Vulnerabilities from USB Stick Insertion: Using USB sticks in EMS operations introduces security vulnerabilities that adversaries can exploit to compromise system integrity. Using ES&S Delkin USB sticks for various purposes, including data storage and loading security codes, introduces a potential avenue for unauthorized access. If these USB sticks are not properly secured and controlled, they could be manipulated or stolen, leading to unauthorized access to sensitive election data. ES&S addresses this by showing how USBs are used and states that USB flash drives are used in three ways in elections: to load election information onto voting machines, to collect and store election results, and to transport election results after polls close to the election office. The article then discusses the various methods employed to secure USBs. The affordability and ease of both the replication and procurement of USB drives open significant potential vulnerabilities and exploitation possibilities. Even with advanced encryption and limited physical access, social engineering and human error alone could compromise the medium of USB drives. USB sticks are a leading source of malware insertion, and according to [58], using these as the primary means of transporting election results, coupled with default passwords, modem installations, and remote access, is a recipe for a compromised system [6].

8.

Lack of Encryption: EMSs often lack robust encryption, leaving sensitive data vulnerable to theft and manipulation. Despite the importance of encryption for safeguarding voter information and election integrity, many EMSs fail to implement strong encryption measures like AES-256. This deficiency compromises the confidentiality, integrity, and authenticity of election-related data and exposes sensitive personal information and protected health information (PHI) to potential interception. Moreover, the absence of encryption in EMS communications can facilitate unauthorized access and tampering, undermining the integrity of the entire voting process [65].

9.

Denial-of-Service Attacks: Denial-of-service (DoS) attacks disrupt or slow down access to machines or networks, rendering them inaccessible. DoS attacks can be utilized to disrupt the voting process by obstructing access to electronic voting systems, electronic auditing systems, or e-pollbooks. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) jointly underscore the potential impact of distributed denial-of-service (DDoS) attacks on election infrastructure, emphasizing their capability to impede access to voting information while confirming their inability to prevent voting itself. DDoS attacks, prevalent in cyberattacks, operate by overwhelming public-facing servers with requests, thus hindering access to online resources, including election-related websites. While these attacks may impede voters’ ability to retrieve critical information or voting results, they do not compromise the underlying data or internal systems, ensuring that eligible voters can still cast their ballots. Despite sporadic claims suggesting that DDoS attacks compromise the integrity of voting systems, the FBI and CISA maintain no documented instances of such attacks preventing registered voters from casting ballots or compromising ballot integrity. To mitigate potential disruptions, election officials collaborate with federal agencies to identify alternative channels for disseminating information to voters, encompassing verified social media accounts and traditional media. Additionally, election managers are urged to maintain vigilance against evolving cybersecurity threats, including a growing market for sophisticated tools enabling malicious actors to execute impactful attacks. These actors often employ deceptive tactics such as phishing, posing significant risks to electoral systems and broader network security [39,66,67,68,69,70].

6.8. Policy Vulnerabilities

Policy vulnerabilities in election management systems (EMSs) can significantly undermine the security and integrity of electoral processes. These vulnerabilities stem from inadequate oversight, lack of transparency, insufficient data redundancy, and poor cybersecurity training, among other issues. Insufficient oversight allows security gaps to go undetected, and the lack of standardization and comprehensive security testing exacerbates these issues. The absence of transparency further complicates the identification and mitigation of threats, as it obscures potential vulnerabilities from scrutiny. Additionally, the lack of data redundancy increases the risk of data loss, compromising election integrity. Furthermore, the absence of proper cybersecurity training among election officials leaves systems vulnerable to social engineering and other cyber threats. Contractual restrictions and the prioritization of proprietary interests over security also hinder efforts to address these vulnerabilities effectively. Addressing these issues requires a concerted effort from all stakeholders to enhance the resilience and security of EMSs, thereby safeguarding the democratic process from cyber threats.

Specific policy vulnerabilities and their implications for EMSs are summarized as follows:

1.

Lack of Oversight and Standards: Insufficient oversight in the electoral process exacerbates vulnerabilities, allowing malicious actors to exploit security gaps without detection. Thomas Richards, associate principal consultant at Synopsys, emphasized the absence of standardization and comprehensive security testing in voting systems, highlighting the need for thorough penetration tests and security reviews before live deployment [65].

2.

Lack of Transparency: There is a pervasive lack of transparency surrounding election management systems, stemming from systemic issues rather than solely from the companies involved, but it still requires inclusion and addressing [71]. Specifically, efforts to undermine a particular election or destabilize American democracy overall are greatly facilitated by electoral processes that lack transparency, are susceptible to tampering, and are not traceable by current audit methods [72].

3.

Lack of Redundancy: Lack of data redundancy in election management systems, particularly evident in the Central Scanners DS450 and DS850, poses a significant risk of data loss and compromises the integrity of election processes. These central scanners lack data redundancy. If the primary storage medium (typically a single 1 TB hard drive) fails or becomes corrupted, all scanned voter selections and ballot images could be lost [73,74]. Despite the crucial role of data redundancy in ensuring availability and preventing data loss in case of hardware failures, ES&S fails to implement any form of data mirroring or failover mechanisms [46]. While the system boasts security features like data encryption, hash validation, and digital signatures, robust data redundancy measures are not mentioned. ES&S recommends regular manual backups to mitigate the risk of data loss, which rely solely on manual processes, introducing the possibility of human error or oversight and potentially resulting in incomplete backups and data loss [44]. Furthermore, the absence of automated backup solutions exacerbates the lack of data redundancy, leaving election management systems vulnerable to data loss and hindering the scanning process, particularly during high-throughput operations such as on election day. Overall, the absence of data redundancy in election management systems underscores a critical vulnerability that jeopardizes the integrity and reliability of election results [6].

4.

Lack of Training: There is a concerning lack of cybersecurity training among election officials at the state and local levels, posing significant risks to the security of election management systems (EMSs). An NBC News investigation uncovered that officials in heavily populated counties of crucial swing states like Arizona, Pennsylvania, and Michigan often lacked formal cybersecurity training for identifying and mitigating risks. In Arizona, only 5 out of 15 counties reported officials receiving such training, while in Pennsylvania and Michigan, the numbers were even lower, with only 8 out of 42 and 12 out of 40 responding counties, respectively, indicating training for their workers. Many county officials justified this shortfall by citing reasons such as their county’s size or relying on their IT department for protection, indicating a lack of comprehension regarding evolving cyber threats targeting election infrastructure. Experts emphasize the human element as the “weakest link” in any cyber system and stress that election officials must undergo training to recognize phishing attempts and other social engineering tactics that could compromise EMS security [50,75].

5.

Contractual Restrictions: Contracts governing the acquisition of EMSs often impose restrictions on the disclosure of critical information, hindering efforts to identify and mitigate security risks. Such contracts often include clauses that limit the disclosure of critical information. These restrictions can impede efforts to assess and address security vulnerabilities within the systems thoroughly. The contractual limitations may prevent independent security researchers and the public from accessing detailed information about the software and hardware used in elections. This lack of transparency can hinder the identification of potential security flaws and the development of effective mitigations [76,77].

6.

Prioritization of Proprietary Interests over Security: Private vendors often prioritize safeguarding their proprietary information at the expense of disclosing critical security vulnerabilities in their voting systems. Despite serving 90% of eligible voters, three election technology vendors under private equity ownership have failed to adequately innovate, enhance, and safeguard their aging voting systems. The absence of robust security measures, such as intrusion detection systems and regular security updates, renders EMSs susceptible to exploitation by malicious actors. Over the years, election security experts have repeatedly warned about the grave threats facing our nation’s election systems and infrastructure. However, reports continue to surface of voting machines malfunctioning and breaking down nationwide, highlighting the vendors’ persistent failure to innovate, enhance, and safeguard voting systems, thereby needlessly exposing U.S. elections to heightened risks. These three vendors (Election Systems & Software, Dominion Voting Systems, and Hart InterCivic) collectively provide voting machines and software that facilitate the voting process for over 90% of eligible voters in the United States. Reports indicate that private equity firms either own or control each of these vendors, which historically have prioritized convenience over security, leaving voting systems nationwide vulnerable to security lapses [78].

Addressing these vulnerabilities requires a concerted effort from stakeholders across government, industry, and civil society to enhance the resilience and security of EMSs and safeguard the democratic process from cyber threats. EMSs heavily rely on the competency of their vendor to work effectively. There are cases where the vendor both verifies the acceptance of a system [44] and singlehandedly verifies that a system has been updated and fixed. Ultimately, the vulnerabilities laid out in this work are not easily exploited by someone who walks in off the street but by hostile nation-states and sophisticated hackers [6,79].

6.9. Document Management Systems

Document management systems (DMSs) within election management systems (EMSs) are crucial for the organization, storage, and management of critical electoral documents. These documents include voter registration records, candidate information, ballot designs, and regulatory documentation. The primary function of DMSs in the context of EMSs is to ensure the accessibility, accuracy, and compliance of these documents with electoral regulations. In the Dominion Democracy Suite 5.5-A Voting System, the DMS component is integral to streamlining document-related processes across the electoral lifecycle. It leverages advanced data management capabilities to seamlessly integrate with other EMS modules, facilitating efficient handling of electoral documentation. This integration supports various functionalities such as data entry, retrieval, validation, and archival, ensuring that electoral stakeholders have access to up-to-date and accurate information when needed [48].

Furthermore, the DMS incorporates robust security measures to protect sensitive electoral data against unauthorized access, tampering, or loss. These security measures include encryption protocols, access controls, and audit trails, which are essential for maintaining the integrity and confidentiality of electoral documents. By implementing these security features, the DMS contributes to bolstering trust in the electoral process and mitigating the risk of data breaches or manipulation. The importance of these security measures cannot be overstated, as they play a critical role in ensuring the overall security and reliability of the election management system.

6.10. Electronic Pollbooks

Electronic pollbooks have revolutionized voter check-in processes but introduce new security considerations.

Electronic pollbooks, also referred to as e-pollbooks, are modernized iterations of traditional paper pollbooks utilized in polling places during elections. Serving as the official record of eligible voters at a specific polling location, electronic pollbooks integrate voter data sourced from registration systems. They enable poll workers to verify voter eligibility, facilitate check-in procedures, and record voter participation, thereby streamlining operations, minimizing errors, and enhancing overall efficiency.

However, electronic pollbooks are not immune to vulnerabilities. They can be susceptible to cyberattacks, potentially leading to unauthorized access to voter information or disruptions in the check-in process. In the United States, nearly one-third of voting jurisdictions utilized electronic pollbooks in 2020, which had previously been targeted by foreign hackers. For example, Russian hackers scanned state voter registration systems for vulnerabilities in 2016, while Iranian hackers obtained confidential voter data in 2020 [80]. The National Institute of Standards and Technology (NIST) has underscored the privacy threats associated with electronic pollbooks, stressing the imperative for robust security measures [81].

6.11. Recommendations for Pollbook Security

To enhance the operational security associated with e-pollbooks, the literature recommends that the critical need for accountability from vendors and meticulous contingency planning, which complements established cybersecurity best practices, be addressed. Recognizing the inherent vulnerabilities of e-pollbooks, election officials and vendors are urged to proactively prepare for unforeseen events by developing robust security plans and conducting comprehensive pre-election testing. This preparedness includes the deployment of backup paper pollbooks and provisional ballot materials to mitigate potential risks. During procurement and implementation phases, election authorities are advised to actively engage technology vendors and perform rigorous security risk assessments, ensuring vendor accountability and transparency. Moreover, contracts with vendors should articulate clear security requirements, mandate regular independent audits, and demand documentation of comprehensive security protocols. To facilitate this process, election officials may derive detailed inquiries from established e-pollbook evaluation checklists and leverage resources from certifying authorities and other expert entities. Crucially, pre-election testing is emphasized as indispensable for validating e-pollbook readiness and identifying any operational inefficiencies or configuration issues that may undermine performance on election day. These recommendations collectively aim to fortify the reliability and security of e-pollbook operations, safeguarding the integrity of electoral processes [82,83].

6.12. Voter Rolls

The integrity of voter registration databases is paramount to election security. Systematic examinations of voter registration system security have unveiled potential failures that can disrupt elections and erode public trust. Failures may force voters to cast provisional ballots, impede the receipt of absentee ballots, and result in the exposure and misuse of sensitive personal and political information [5]. Moreover, vulnerabilities in these databases could be exploited to tamper with voter rolls, leading to confusion and casting doubts on the legitimacy of the electoral process [80]. While the Brennan Center for Justice and other policy reports have discussed voter registration system security, scholarly research often lacks detailed technical analyses [30,84,85,86,87,88,89,90,91,92,93].

6.12.1. Candidate and Party Databases

Databases containing sensitive data pertaining to candidates and political parties are susceptible to espionage and exploitation for disinformation campaigns. While specific scholarly citations on the vulnerabilities of these databases are limited, their security remains crucial to prevent unauthorized access and safeguard the confidentiality of sensitive political information. Compromising these databases could significantly impact the integrity of elections and democratic processes [5,80,81].

6.12.2. Online Ballot Access Portals

Online ballot access portals are digital platforms that provide voters with electronic access to various election-related services, such as requesting and submitting absentee ballots, checking voter registration status, and viewing sample ballots. These portals aim to increase accessibility and convenience for voters, particularly those with disabilities, living abroad, or serving in the military. One example of an online ballot access portal is the OmniBallot Portal by Democracy Live [94], which offers secure, accessible remote balloting for all voters, including those with disabilities, living abroad, or serving in the military. The portal is hosted on Amazon’s secure cloud, AWS, and utilizes AWS Object Lock for secure online storage of ballot data [95]. It has been deployed in over 4000 elections across hundreds of jurisdictions over the last decade, making it the most deployed balloting portal in the U.S.

Another example is the North Carolina Absentee Ballot Portal, which allows all registered North Carolina voters to request an absentee ballot [96]. In addition, the Vote411 platform by The League of Women Voters Education Fund provides personalized voting information, including what is on a voter’s ballot, voter registration status, and polling place location [97]. This platform is designed to help voters make informed decisions about their ballot choices. Voters can submit their requests through the portal, which are then sent to their county board of elections office. However, utilizing OBAPs introduces a new array of risks and vulnerabilities that demand diligent attention to maintain the integrity of the election process. This section delves into the cyber threats associated with OBAPs and proposes robust security measures to mitigate these risks.

6.13. Cyber Threats to Online Ballot Access Portals

Cyber threats to online ballot access portals pose significant risks to the integrity and security of the electoral process. These threats include phishing attacks, malware infections, man-in-the-middle (MITM) attacks, denial-of-service (DoS) attacks, and SQL injection. Each of these threats can undermine voter confidence and disrupt the electoral process, highlighting the need for robust cybersecurity measures.

The ways these attacks can impact election integrity are outlined as follows:

1.

Phishing Attacks: Malicious actors employ targeted emails or messages impersonating legitimate sources to deceive voters into divulging their login credentials or sensitive information. As described in the CISA Cybersecurity Toolkit and Resources to Protect Elections, “threat actors may try to compromise or manipulate electronic pollbooks and voter registration websites, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications)”. The toolkit further recommends steps to protect against phishing attacks, such as utilizing the CISA Phishing Campaign Assessment, CISA’s free training on phishing, and various DNS-based phishing protection services. These measures are crucial for safeguarding online ballot access portals from phishing-based compromises that could undermine the integrity of the electoral process [98].

2.

Malware Infection: Malware can be introduced at any point in the voting process and might not be easily detected, from the software allowing voters to cast votes on an electronic voting machine to the software used to tabulate votes, as well as the introduction of malware that can compromise or disrupt the election process [99]. Software vulnerabilities in web applications could allow attackers to modify, read, or delete sensitive information, or to gain access to other systems in the elections infrastructure. Sites that receive public input, such as web forms or uploaded files, may be particularly vulnerable to such attacks and should be used only after careful consideration of the risks, mitigations, and security/software engineering practices that went into that software [100]. Threat actors may try to compromise or manipulate electronic pollbooks and voter registration websites, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications) [98].

3.

Man-in-the-Middle (MITM) Attacks: MITM attacks pose a significant threat to the integrity of online ballot access portals, potentially compromising the security and legitimacy of electoral processes. Just as in traditional communication scenarios, where an attacker clandestinely interjects themselves between two legitimate parties, MITM attacks in the context of online ballot access involve intercepting and possibly altering the communication between voters and the election system.

Picture this: Alice is an eligible voter attempting to cast her ballot online through a secure portal. Bob is the legitimate election system receiving and processing her vote. However, lurking in the digital shadows is Eve, the malicious actor aiming to manipulate the exchange for her own nefarious ends.

Eve’s strategy mirrors the analogy of eavesdropping on a conversation between Alice and Bob. She positions herself between them, intercepting the data transmission between Alice’s device and the election system. To Alice, Eve masquerades as Bob, and to Bob, Eve pretends to be Alice. In this guise, Eve gains unauthorized access to the sensitive information flowing between the voter and the electoral system.

By successfully executing the MITM attack, Eve can exploit vulnerabilities in the communication channel to achieve several malicious objectives. She might tamper with Alice’s ballot, altering her choices before passing them on to the legitimate election system. Alternatively, Eve could intercept sensitive voter information, such as personally identifiable data or voting preferences, for exploitation or manipulation [101].

The cited instances of MITM attacks on electronic voting machines underscore the gravity of the threat. Researchers have demonstrated how inexpensive custom hardware and sophisticated techniques can be leveraged to compromise the integrity of voting systems. Furthermore, the revelation that tamper-proof seals can be circumvented highlights the multifaceted nature of the security challenge facing election administrators [21].

To mitigate the risk of MITM attacks on online ballot access portals, robust detection mechanisms and preventive measures are imperative. Encryption protocols, secure authentication methods, and regular security audits are among the best practices recommended for safeguarding the integrity of electoral processes against such threats. Additionally, ongoing research and collaboration between cybersecurity experts and election officials are essential for staying ahead of evolving attack vectors and ensuring the trustworthiness of online voting systems [99,100].

4.

Denial-of-Service (DoS) Attacks: Denial-of-service (DoS) attacks are a significant threat to online ballot access portals. In these attacks, adversaries overwhelm the election system with excessive traffic, rendering it inaccessible or unresponsive, thereby impeding voters’ ability to access their ballots [102].

The vagueness of network connectivity around many election sites can contribute to the possibility of these attacks. As the CISA Cybersecurity Toolkit and Resources to Protect Elections notes, “attacks like this could be the result of a politically motivated actor targeting the elections infrastructure or elections infrastructure may be indirectly impacted by targeting against other state/county/city infrastructure [98].”

This lack of clear network boundaries and dependencies makes election systems more vulnerable to being caught in the crossfire of a broader DoS attack. The EI-ISAC Cybersecurity Spotlight on denial-of-service attacks further explains that “a well-timed DoS attack near a candidate filing or voter registration deadline could prevent the public from accessing online services and/or websites, resulting in a candidate or voter missing the deadline [102].”

This disruption to critical election processes could undermine public confidence in the integrity of the electoral system. To mitigate the risk of DoS attacks, the CISA toolkit recommends utilizing “preventative services such as those provided at no cost by Cloudflare and Google”, which can help absorb and deflect excessive traffic [98].

Maintaining robust incident response and contingency plans is also crucial to ensuring election continuity in the face of such attacks.

5.

SQL Injection: SQL injection is a significant threat to the security of online ballot access portals. Attackers can exploit vulnerabilities in the system’s database to gain unauthorized access or manipulate data, jeopardizing the accuracy of vote tallies and election outcomes. As the EPIC report on election security notes, “Software vulnerabilities in web applications could allow attackers to modify, read, or delete sensitive information, or to gain access to other systems in the elections infrastructure. Sites that receive public input, such as web forms or uploaded files, may be particularly vulnerable to such attacks and should be used only after careful consideration of the risks, mitigations, and security/software engineering practices that went into that software [99].”

6.14. Mitigation Strategies

To fortify the security of OBAPs and safeguard the integrity of the election process, the implementation of robust security measures is imperative:

1.

Multi-factor Authentication: Incorporating a secondary authentication factor, such as a one-time code sent via SMS or email, bolsters the defense against unauthorized access attempts. This helps prevent malicious actors from gaining illicit access to the system through phishing or other credential-compromise attacks. Multi-factor authentication adds an extra layer of security by requiring users to provide additional proof of their identity beyond just a username and password [103,104].

2.

Maintaining Software Security Through Timely Patching: To ensure the security and integrity of online ballot access portals (OBAPs), it is imperative to maintain the underlying software with timely security patches. This practice helps mitigate known vulnerabilities and fortify the system’s resilience against evolving cyber threats. Regular software updates are crucial for addressing security vulnerabilities that may be discovered in the underlying systems, frameworks, or libraries used by OBAPs. Prompt patching of these vulnerabilities is essential to prevent malicious actors from exploiting them to gain unauthorized access, disrupt the system, or compromise the integrity of the voting process.

The USAID’s “Understanding Cybersecurity Throughout the Electoral Process: A Reference Document” [90,105] underscores the significance of employing a patch management strategy by electoral management bodies (EMBs). It emphasizes the importance of ensuring the timely closure of security vulnerabilities in software and systems used in the electoral process. This assertion aligns with the notion that OBAPs should be continuously monitored and updated to safeguard against potential threats.

Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA)’s “Risk Management for Electronic Ballot Delivery, Marking, and Return” emphasizes the critical role of patching in mitigating security risks associated with electronic ballot delivery systems. It advises organizations to patch and configure computers as well as document viewer software against known vulnerabilities, such as disabling active content like JavaScript and macros. By adhering to these recommendations, OBAP administrators can enhance the security posture of their systems and minimize the likelihood of exploitation by malicious actors [47].

3.

Encryption: Safeguarding sensitive data, including login credentials and voter information, through encryption mechanisms thwarts unauthorized interception or theft. Implementing robust encryption protocols, such as HTTPS with TLS 1.2 or higher, ensures that all communications between the voter and the online ballot access portal are protected from eavesdropping and tampering [94,104,106,107]. This prevents malicious actors from intercepting and exploiting sensitive information that could be used to compromise the integrity of the voting process. Additionally, encrypting the ballot data itself, both in transit and at rest, further enhances the security of the system. By ensuring that the voter’s selections are encrypted before being transmitted to the election officials, the confidentiality and integrity of the vote are preserved, even if the system is breached [103,104]. This mitigates the risk of vote manipulation or disclosure, which could undermine trust in the electoral process.

4.

Penetration Testing: Conducting periodic penetration tests helps identify and rectify vulnerabilities within the online ballot access portal, preemptively thwarting potential cyberattacks. Penetration testing, also known as ethical hacking, involves simulating real-world attacks to assess the system’s security posture and uncover weaknesses that could be exploited by malicious actors. During these assessments, security professionals attempt to gain unauthorized access to the system, bypass security controls, and identify potential entry points for attacks. This comprehensive evaluation helps election officials understand the system’s resilience and identify areas that require additional security measures or remediation. By addressing the vulnerabilities discovered through penetration testing, election officials can proactively mitigate the risks of successful cyberattacks, such as unauthorized access, data breaches, or disruption of the voting process. This approach allows for the implementation of targeted security enhancements, ensuring that the online ballot access portal remains resilient against evolving threats. Regularly conducting penetration tests, in conjunction with other security best practices, demonstrates a commitment to maintaining the integrity and security of the electoral process. It also helps build trust among voters and other stakeholders by showcasing the election officials’ dedication to safeguarding the online ballot access system [20,47].

5.

Transparency and Stakeholder Engagement: Engaging with the public, security experts, and other stakeholders to ensure transparency and build trust in the security measures implemented for the online ballot access portal is crucial [103]. This can include publishing security assessments, inviting public comments, and collaborating with the cybersecurity community to identify and address vulnerabilities [108].

6.15. Incident Response Strategies for Online Ballot Access Portals

In safeguarding the security and integrity of the electoral process, incident response for online ballot access portals (OBAPs) plays a pivotal role. As elections increasingly rely on technology, cyber threats targeting OBAPs have grown in frequency and sophistication. Therefore, a robust incident response plan is indispensable for promptly and effectively countering cyberattacks, minimizing disruptions to the election process, and safeguarding voter data.

Key Components of Incident Response

1.

Detection and Analysis: Rapid detection and analysis of attacks involve monitoring the system for unusual network traffic or unauthorized access attempts. A thorough analysis determines the attack’s scope, nature, and potential impact.

2.

Containment and Mitigation: Following analysis, containment and mitigation efforts aim to isolate affected systems, disconnect them from the network, or shut down the system to prevent further damage and curb the attack’s spread.

3.

Eradication and Recovery: Post-containment, efforts focus on eradicating the root cause of the attack and restoring the system to its normal state. This may entail removing malware, repairing systems, or rebuilding them entirely, alongside implementing preventive measures for future incidents.

4.

Communication and Reporting: Transparent communication with relevant stakeholders, including election officials, voters, and the media, is crucial. It ensures trust in the electoral process and minimizes public concern by informing them about the incident and the steps taken for its resolution.

Best Practices for Incident Response

Effective incident response is crucial for maintaining election system integrity. Key practices include regular training for officials and IT personnel, deployment of automated response systems for swift threat detection, continuous monitoring and logging of system activities, and robust collaboration and information sharing among stakeholders. These measures help ensure preparedness, quick response, and resilience against cyber threats, thereby protecting the democratic process.

1.

Regular Training and Exercises: Election officials and IT personnel should undergo routine training on incident response procedures and engage in simulated exercises to bolster preparedness and clarify roles during real incidents.

2.

Automated Response Systems: Deployment of automated response systems, like intrusion detection and prevention systems, enables swift detection and response to cyber threats. These systems automatically isolate affected systems and initiate recovery protocols.

3.

Continuous Monitoring and Logging: Sustained monitoring and logging of system activities aid in identifying potential threats and provide vital information for incident response, facilitating tracking of attacks and assessment of their impact.

4.

Collaboration and Information Sharing: Collaboration and information sharing among election officials, IT personnel, and relevant stakeholders are pivotal. This involves sharing threat intelligence, best practices, and lessons learned from prior incidents to enhance incident response effectiveness.

By conscientiously addressing these risks and implementing appropriate security measures, election management systems can uphold the integrity and trustworthiness of OBAPs, thus bolstering the overall integrity of the election process. In an era where digital technologies increasingly underpin democratic processes, the fortification of OBAPs against cyber threats stands as an imperative for the preservation of democratic principles and the legitimacy of electoral outcomes.

6.16. Vote Capture Systems

The mechanisms used to record and tabulate votes represent perhaps the most critical components of election infrastructure.

Vote capture devices are a crucial aspect of the electoral process, and their security is of paramount importance. These devices are responsible for recording the votes cast by the electorate and are available in various forms, including electronic ballot-marking devices, paper ballots, and direct-recording electronic (DRE) systems. The security of these devices is essential to ensure the integrity of the election results [109,110,111].

6.17. Types of Vote Capture Devices

Figure 3 illustrates the categorization of vote capture devices across different voting methods.

1.

Electronic Ballot-Marking Devices: Electronic ballot-marking devices (EBMDs) allow voters to mark their choices electronically, often with the assistance of a touch screen or other interface. These devices may include a voter-verified paper audit trail (VVPAT) to provide a paper record of the voter’s choices. The VVPAT is a physical record of the voter’s selections, which can be reviewed by the voter before casting their ballot. VVPATs are considered essential for maintaining the integrity of the voting process, as they provide a means to verify that the electronic vote recording matches the voter’s intent [7].

2.

Paper Ballots: Paper ballots fall outside the scope of networked election systems but are an integral part of hand-marked paper ballots. They are still used in some jurisdictions and are considered more secure than electronic systems because they do not rely on digital components. Paper ballots have a long history of use in elections and are generally considered more secure than electronic systems, as they do not rely on digital components that can be hacked or manipulated [112].

3.

Direct-Recording Electronic (DRE) Systems: DRE systems use a computer interface to record the voter’s choices directly into the system’s memory. They may also include a VVPAT to provide a paper record of the voter’s choices. DRE systems have been the subject of controversy due to concerns about their security and potential vulnerabilities to hacking and manipulation. However, the inclusion of VVPATs has helped mitigate some of these concerns [36].

Direct-recording electronic voting machines are by far the most perilous type of voting system currently in circulation. DRE machines are special-purpose computers programmed to present the ballot to the voter and record the voter’s choices on an internal digital medium such as a memory card. The design of DRE systems makes them inherently difficult to secure and also makes it especially imperative that they be secured. Every aspect of a DRE system, from the ballot displayed to the recording and reporting of votes, is controlled by the DRE hardware and software. Any security vulnerability in this hardware or software, or any ability for an attacker to alter software on the machine, not only has the potential to alter the vote tally but can make it impossible to conduct a meaningful recount [36]. This inability to recover or recount votes from a compromised system leaves DRE voting systems in a precariously dangerous position to be the catalyst for an irreversible attack.

One study compared the auditability of DRE systems with voter-verified paper audit trails (VVPATs) to optical-scan ballot systems [113]. The study found that while VVPATs produced the highest error rate, this difference was not significant at conventional alpha levels. The study also found that VVPATs could be used in manual auditing procedures, and new technologies, such as audio and video audit systems, are being developed. Another study found that voters make mistakes when using VVPATs and are not very good at checking the results [114]. This means that a compromised machine can change the voter’s vote if the voter does not catch the mistake. However, with appropriate warnings by poll workers, the detection rate can be raised to 85.7%. Election security experts agree that involving paper ballots at some point in the process is an essential security measure [115]. In 2020, an estimated 93 percent of American voters used some type of paper ballot, either hand-marked or ballot-marking devices (BMDs) that print out optical-scan ballots.

DRE-based systems have seen a decrease in recent years in the United States in favor of optical-scan systems, but DRE-based systems are still present in parts of the United States and are more common globally. Listing the direct vulnerabilities of DRE-based systems is important for a broader understanding of electronic voting systems.

4.

Mail-in Voting: Mail-in voting is not a vote capture device, but it is the primary voting method in many jurisdictions. Mail-in voting involves voters casting their ballots by mail, which are then counted and tabulated by election officials. Mail-in voting has become increasingly popular in recent years due to the COVID-19 pandemic, which has made in-person voting more difficult and risky [116].

6.18. Central Tabulation Systems

Central tabulation systems are responsible for aggregating and tallying votes from various polling locations. These systems play a critical role in the overall vote-counting process. Vulnerabilities in these systems could allow attackers to manipulate the final vote totals, potentially altering the outcome of an election.

6.19. Election Night Reporting (ENR) Systems

ENR systems facilitate the rapid dissemination of election results but must balance speed with security.

Election night reporting (ENR) systems play a crucial role in the democratic process by aggregating and displaying unofficial election results to the public. These systems, while essential for transparency and public trust, are susceptible to various security vulnerabilities that can undermine the integrity of election results. This section explores the vulnerabilities in results transmission, the threats to result accuracy, and the role of the media in results reporting, highlighting the importance of robust security measures and accurate, responsible reporting.

6.20. Vulnerabilities in Results Transmission

ENR systems are targeted by attackers aiming to disrupt the perceived legitimacy of elections by delaying or manipulating the announcement of results. The infrastructure used for certifying and validating results is particularly vulnerable. Cybersecurity measures are critical to safeguard these systems from potential attacks. Election officials employ technological, physical, and procedural controls to mitigate these vulnerabilities, including installing software patches and implementing physical safeguards. Despite these efforts, the existence of vulnerabilities in election technology underscores the ongoing risk of cyberattacks aimed at altering or delaying the announcement of election results.

6.20.1. Threats to Result Accuracy

The accuracy of election results is paramount to the legitimacy of the electoral process. However, several factors threaten this accuracy, including cyberattacks on election infrastructure, misinformation campaigns, and the challenges posed by a high volume of absentee ballots. Election officials regularly update voter registration lists and implement ballot processing and tabulation safeguards to ensure that each ballot cast is accurately counted [104,117]. Despite these measures, the complexity and decentralization of election infrastructure introduce uncertainties that can be exploited by malicious actors, thereby threatening the accuracy of election results.

6.20.2. Role of Media in Results Reporting

The media plays a significant role in reporting election results, often announcing winners based on projections before official certification by state election officials. While this practice can provide timely information to the public, it also carries the risk of inaccuracies, especially in close races or when many ballots are yet to be counted. News organizations use a variety of data sources and statistical techniques to project winners, and while they have mainly been accurate, the potential for error remains. The media’s responsibility in election reporting is to ensure that information is correct and to avoid premature declarations that could undermine public trust in the electoral process. Figure 4 shows media reporting patterns during the 2022 election.

6.20.3. Securing ENR Systems

Securing election night reporting systems against vulnerabilities and threats is critical to maintaining the integrity and legitimacy of elections. This requires a multifaceted approach involving robust cybersecurity measures, accurate and transparent result reporting, and responsible media coverage. Election officials and media organizations must work together to ensure the public receives accurate, timely information about election results, reinforcing confidence in the democratic process.

Given the importance of these systems to the democratic process, election officials, cybersecurity experts, and the media must remain vigilant and proactive in addressing these challenges to ensure the integrity and legitimacy of election results [118,119].

6.20.4. Results Transmission Systems

Results transmission systems are responsible for securely transmitting election results from polling locations to central tabulation centers. These systems are vulnerable to various cyberattacks:

• Denial-of-Service (DoS) Attacks: Attackers can disrupt the transmission of results by overwhelming the system with excessive traffic, preventing the timely reporting of election outcomes.
• Man-in-the-Middle (MITM) Attacks: Malicious actors can intercept and modify the transmitted results, potentially altering the reported outcomes.
• Spoofing Attacks: Attackers can impersonate legitimate sources to inject false results into the transmission process, undermining the integrity of the reported data.
• Malware Injection: Malware can be introduced into results transmission systems, allowing attackers to manipulate the data or disrupt the overall process.

To mitigate these vulnerabilities, election officials must implement robust security measures, such as end-to-end encryption, multi-factor authentication, and secure communication protocols. Regular testing and monitoring of these systems, along with comprehensive incident response plans, are crucial to ensuring the integrity of the results transmission process. Figure 5 illustrates the shift in voting methods leading up to 2016.

6.21. Election Night Publishing

The publication of election results requires careful consideration of both transparency and security concerns.

Ballot-Printing Systems

Ballot-printing systems are responsible for producing the physical ballots used in elections. These systems play a critical role in ensuring the integrity and accuracy of the voting process. However, they can also be vulnerable to various cyberattacks and other threats that could undermine the integrity of the election. Key vulnerabilities in ballot-printing systems include the following:

1.

Malware Injection: Attackers could attempt to inject malware into ballot-printing systems, potentially causing the production of fraudulent or incorrect ballots.

2.

Unauthorized Access: Malicious actors could gain unauthorized access to ballot-printing systems, allowing them to manipulate the ballot design or the printing process.

3.

Supply Chain Attacks: Vulnerabilities in the supply chain for ballot-printing equipment and materials could be exploited to introduce defects or tampering.

4.

Insider Threats: Rogue employees or contractors with access to ballot-printing systems could intentionally introduce errors or manipulate the ballot-production process.

5.

Denial-of-Service Attacks: Attackers could attempt to disrupt the ballot-printing process through denial-of-service attacks, preventing the timely production and distribution of ballots.

To mitigate these vulnerabilities, election officials must implement robust security measures, such as the following:

• Strict access controls and monitoring of ballot-printing facilities;
• Secure supply chain management and verification of equipment and materials;
• Comprehensive auditing and quality control processes;
• Incident response and contingency planning to address potential disruptions.

Additionally, the use of paper-based ballots and robust post-election auditing procedures can help provide a safeguard against vulnerabilities in the ballot-printing process. Securing ballot-printing systems is crucial to ensuring the integrity and reliability of the overall election process. Election officials, cybersecurity experts, and other stakeholders must work together to identify and address these vulnerabilities to protect the fundamental right of citizens to participate in free and fair elections.

6.22. Listed Threats in Election Systems

This section catalogs the various threats that election systems face in the contemporary digital landscape.

With computerized voting, the most significant weakness is the undetected manipulation of election results by malicious software [4]. This has been further highlighted by the multiyear Living off the Land campaign by the People’s Republic of China State-Sponsored Cyber Actors [115,120]. Given that election infrastructure has been officially designated by the Department of Homeland Security as part of the government facilities sector, it is clear that election infrastructure qualifies as critical infrastructure [121]. Given this classification, threats directed at critical infrastructure should also be considered directed at election infrastructure. While the majority of the threats listed in this section are designated and defined as directed toward election infrastructure, given the limited open-source information in this space, critical infrastructure attacks as a whole must be considered to better map the threat vectors in the election infrastructure space.

6.22.1. Vulnerable Ballot-Marking Devices

One of the most vigorously debated voting technology issues is the appropriate role of paper ballot-marking devices (BMDs) and how they relate to widely recognized requirements for software independence and compatibility with meaningful risk-limiting audits. As a relatively new technology, BMDs have not been widely studied by independent researchers and have been largely absent from practical election security research studies. However, the widespread use of current ballot-marking device architectures poses new systemic security risks [3].

6.22.2. Disabled Security Features

Many systems are shipped with basic security features disabled [3]. The authors of [3] list four types of vulnerabilities present in U.S. voting systems. First, commercially available voting system hardware used in the U.S. remains vulnerable to attack. Second, there is an urgent need for paper ballots and risk-limiting audits. Third, new ballot-marking device (BMD) products are vulnerable, and fourth, infrastructure and supply chain issues continue to pose significant security risks [3].

6.23. Supply Chain Security in Election Infrastructure

The supply chain for election systems represents one of the most critical yet underprotected attack surfaces in electoral infrastructure. Unlike traditional IT systems, where supply chain compromises may affect data confidentiality or availability, election system supply chain attacks can fundamentally undermine democratic processes by introducing persistent, undetectable modifications that alter vote tallies or voter eligibility. This section provides a comprehensive analysis of supply chain vulnerabilities specific to election systems, outlines documented attack vectors, and proposes a framework for supply chain security assurance.

6.23.1. Anatomy of the Election System Supply Chain

The election system supply chain encompasses a complex network of hardware manufacturers, software developers, system integrators, logistics providers, and maintenance contractors, each representing a potential compromise point. The typical supply chain for a voting system involves multiple tiers of suppliers across international boundaries, creating an expansive attack surface that extends far beyond the direct control of election officials.

At the hardware level, voting machines contain components sourced from diverse manufacturers, including processors from Taiwan Semiconductor Manufacturing Company (TSMC), memory modules from South Korean manufacturers, and printed circuit boards assembled in facilities across Asia. The Dominion ImageCast X, for instance, utilizes Android tablets with components from at least 15 different suppliers, each with their own sub-suppliers [48]. This multi-tier structure creates numerous opportunities for malicious hardware insertion, as demonstrated by recent discoveries of compromised components in critical infrastructure systems.

The software supply chain presents equally complex challenges. Election systems incorporate commercial off-the-shelf (COTS) software components, open-source libraries, and proprietary code developed by multiple contractors. Our analysis of ES&S EVS 6.3.0.0 reveals dependencies on over 200 third-party libraries, many of which have not been updated since 2018 [44,122]. Each dependency represents a potential vector for supply chain attacks through techniques such as dependency confusion, typosquatting, or direct compromise of upstream repositories.

Table 16. Election system supply chain attack surface analysis.

Supply Chain Stage	Attack Vectors	Detection Difficulty	Persistence
Component Manufacturing	12	Very High	Permanent
Firmware Development	8	High	Semi-permanent
Software Integration	15	Medium	Updatable
Distribution and Logistics	6	Low	Temporary
Installation and Configuration	9	Medium	Variable
Maintenance and Updates	11	High	Semi-permanent

summarizes the attack surface analysis across different supply chain stages.

6.23.2. Threat Vectors and Attack Methodologies

Supply chain attacks against election systems can be categorized into five primary vectors, each with distinct characteristics and detection challenges.

Hardware Manipulation

Hardware-based supply chain attacks involve the insertion of malicious components or the modification of existing hardware during manufacturing or distribution. The sophistication of these attacks ranges from simple hardware keyloggers to complex System-on-Chip (SoC) implants capable of intercepting and modifying data flows. Recent analysis of voting machines at DEF CON revealed that 43% of tested systems contained undocumented hardware debugging interfaces that could be exploited for persistent access [36].

The technical implementation of hardware attacks typically involves the following methods:

1.

Interdiction during shipping: Physical access to equipment during transportation enables installation of hardware implants. Nation-state actors have demonstrated capabilities for intercepting and modifying computing equipment in transit, as documented in various intelligence assessments [123].

2.

Manufacturing subversion: Compromise of fabrication facilities allows insertion of malicious logic at the silicon level. The discovery of hidden backdoors in military-grade FPGAs demonstrates the feasibility of this vector, with implications for election systems using similar components.

3.

Counterfeit component substitution: Attackers replace legitimate components with functionally equivalent but backdoored alternatives, and 15% of examined election systems were found to contain at least one component showing indicators of tampering or counterfeit origin [51].

Firmware Supply Chain Compromise

Firmware represents a particularly attractive target for supply chain attacks due to its privileged position below the operating system and persistence across system reinstalls. Our analysis identifies three critical firmware attack surfaces in election systems, as outlined in

Table 17. Firmware attack surface taxonomy in election systems.

Firmware Category	Attack Vector	Exploitation Method
UEFI/BIOS Firmware	Bypass pre-boot authentication	Manipulate credentials during boot sequence
	Compromise secure boot chain	Substitute or bypass certificates
	Manipulate UEFI variables	Install persistent malware installation
	Deploy SMM rootkits	Hijack system management mode
Embedded Controller	Subvert keyboard controller	Keystroke injection/logging
	Manipulate power management	Falsify system state
	Falsify hardware sensor	Bypass environmental monitoring
Peripheral Firmware	Reprogram USB controller	Implement BadUSB attack
	Compromise network interface firmware	Modify/intercept traffic
	Exploit printer firmware	Manipulate/exfiltrate documents

.

The technical sophistication required for firmware attacks has decreased significantly with the availability of open-source tools such as UEFITool, Chipsec, and PCILeech. These tools enable attackers with moderate technical skills to extract, modify, and reflash firmware images, lowering the barrier for supply chain attacks [49].

Software Dependency Attacks

Modern election systems incorporate numerous software dependencies, creating a vast attack surface for supply chain compromise. The SolarWinds attack, which affected over 18,000 organizations, including election infrastructure providers, demonstrated the cascading impact of compromising widely used software components [8,122].

Our analysis of election system software reveals several critical vulnerabilities in dependency management:

$$Ris{k}_{dependency}=\sum _{i=1}^n(V_i\times T_i\times C_i)$$

(9)

where $V_i$ represents the vulnerability score of dependency i, $T_i$ represents the transitivity depth, and $C_i$ represents the criticality to election operations. Applying this model to the ES&S and Dominion systems reveals an average dependency risk score of 7.8/10, indicating high exposure to supply chain attacks [6].

Insider Threat Vectors

Supply chain insider threats encompass malicious actions by individuals with legitimate access to election system development, manufacturing, or maintenance processes. The potential impact of insider threats has been demonstrated in various critical infrastructure contexts, although no confirmed cases directly targeting election systems have been publicly disclosed [124].

Election system vendors employ approximately 3000 individuals with access to source code, hardware designs, or production systems [78]. Background check requirements vary significantly by state, with only 22 states mandating security clearances for election system vendor personnel. This inconsistency creates opportunities for adversaries to place insiders within the supply chain.

6.23.3. Case Studies of Supply Chain Incidents

While no confirmed supply chain attacks on U.S. election systems have been publicly disclosed, several incidents in adjacent domains provide insights into potential attack methodologies.

Case 1: Critical Infrastructure Component Compromise

The Volt Typhoon campaign demonstrated sophisticated supply chain infiltration techniques targeting critical infrastructure, including systems adjacent to election infrastructure. The threat actor’s use of living-off-the-land techniques and compromised network devices provides a template for potential election system attacks [125,126].

Case 2: Software Update Mechanism Exploitation

Security researchers discovered vulnerabilities in the update mechanisms of major voting system vendors that could potentially be exploited for malicious firmware distribution. These vulnerabilities, documented in CISA advisories, highlight the critical importance of secure update channels [47].

Case 3: Third-Party Component Vulnerabilities

The Android WebView vulnerabilities affecting Dominion ImageCast X systems illustrate the cascading impact of third-party component flaws. These vulnerabilities, inherited from the underlying Android operating system, demonstrate how supply chain dependencies can introduce unexpected attack vectors [62,63].

6.23.4. Technical Framework for Supply Chain Security

Addressing supply chain vulnerabilities requires a comprehensive technical framework encompassing prevention, detection, and response capabilities. We propose a multilayer defense architecture based on the principles outlined below.

Component Provenance and Integrity

Establishing cryptographic chains of custody for all hardware and software components ensures traceability and enables the detection of unauthorized modifications. This requires a Software Bill of Materials (SBOM), which is a detailed inventory of all software components and dependencies, enabling vulnerability tracking and update management. Current federal guidelines mandate SBOMs for critical infrastructure but lack specific requirements for election systems [127].

Zero-Trust Manufacturing

Implementing zero-trust principles in manufacturing processes assumes compromise at every stage and implements compensating controls:

• Distributed Manufacturing: Critical components should be manufactured across multiple facilities to prevent single-point compromise.
• Cross-validation: Independent verification of components by multiple parties should be conducted before integration, as recommended in recent election security assessments [104].
• Tamper-evident packaging: Cryptographically sealed packaging with unique identifiers should be trackable via blockchain or similar immutable ledgers [128].

6.23.5. Proposed Regulatory Framework

Current federal guidelines for election system supply chain security are fragmented and lack enforcement mechanisms. Building on recommendations from the Brennan Center and other policy organizations [129], we propose the regulatory framework shown in the

Table 18. Proposed supply chain security requirements.

Requirement	Description	Timeline
Vendor Security Clearances	All personnel with access to election system code/hardware must obtain clearance	12 months
SBOM/HBOM Disclosure	Complete disclosure of all components and dependencies in machine-readable format	6 months
Manufacturing Audit	Annual third-party audit of all manufacturing facilities	3 months
Cryptographic Signing	All firmware and software updates must be signed by multiple authorized parties	Immediate
Supply Chain Risk Assessment	Quarterly assessment using the NIST Cybersecurity Framework	90 days
Incident Disclosure	72 h disclosure requirement for supply chain security incidents	Immediate

.

6.23.6. Economic Impact and Implementation Costs

Implementing comprehensive supply chain security measures incurs significant costs but must be weighed against the potential impact of compromised elections. Our economic analysis, building on models from recent election security studies [130], indicates the following costs:

• Initial implementation costs: USD 50–75 million per major vendor.
• Annual maintenance costs: USD 10–15 million per vendor.
• Increase in cost per voting machine: USD 300–500 (approximately 15–20% increase).
• Potential economic impact of a compromised election: USD 500 billion–USD 2 trillion.

The return on investment for supply chain security measures is

$$ROI={\displaystyle \frac{(P_{attack}\times L_{election})-C_{implementation}}{C_{implementation}}}=12.4$$

(10)

where $P_{attack}$ represents the probability of a successful supply chain attack (estimated at 0.03 annually based on critical infrastructure attacks), $L_{election}$ represents the economic impact of a compromised election, and $C_{implementation}$ represents total implementation costs [131].

6.23.7. Future Directions and Research Priorities

Advancing election system supply chain security requires focused research in several key areas:

1.

Homomorphic Hardware Verification: Development of techniques to verify hardware integrity without revealing proprietary designs, building on recent advances in homomorphic encryption for voting systems [132].

2.

Distributed Manufacturing Protocols: Cryptographic protocols for coordinating manufacturing across untrusted facilities.

3.

AI-Enhanced Anomaly Detection: Machine learning models trained on supply chain attack patterns, as demonstrated in recent threat hunting reports [52].

4.

Quantum-Resistant Supply Chain Cryptography: Post-quantum algorithms for long-term supply chain security.

5.

Blockchain-Based Component Tracking: Immutable ledgers for component provenance, expanding on emerging blockchain voting research [133].

The supply chain represents a critical vulnerability in election infrastructure that requires immediate attention and comprehensive mitigation strategies. The proposed framework provides a foundation for securing this attack surface while maintaining the efficiency and cost-effectiveness necessary for widespread implementation.

6.24. Technical Framework for Open and Verifiable Election Systems

Current election systems operate as proprietary black boxes, preventing meaningful security audits and fostering distrust. We propose a comprehensive technical framework for transparent, verifiable election system development that maintains security while enabling public scrutiny.

6.24.1. Open-Source Election Architecture Specification

We propose a modular, formally verified architecture based on proven security principles, as detailed in

Table 19. Open election system architecture components.

Component	Functionality	Open Implementation	Verification
Secure Microkernel	Minimal trusted computing base	seL4 (formally verified)	Mathematical proof
Voting Application	Ballot presentation and recording	Rust with formal specs	Model checking
Cryptographic Core	E2E verifiability primitives	LibSodium/OpenSSL	Theorem proving
Hardware Layer	Device driver isolation	RISC-V open ISA	Formal verification
Audit Subsystem	Immutable logging	Merkle tree anchoring	Cryptographic proofs

.

Security Architecture Requirements

• Privilege Separation: Minimum of four security domains with hardware-enforced isolation.
• Memory Safety: 100% memory-safe languages (Rust/Ada) for critical components.
• Attack Surface: <10,000 lines of trusted code in security kernel.
• Cryptographic Standards: NIST-approved algorithms with post-quantum resistance.
• Hardware Requirements: TPM 2.0 or equivalent secure element for key storage.

6.24.2. Formal Verification Standards

Three-Tier Verification Requirements: The mandatory verification levels and evidence requirements in our framework are summarized in

Table 20. Mandatory verification levels and evidence requirements.

Tier	Verification Method	Coverage	Evidence
1. Mathematical	Formal proofs in Coq/Isabelle for core properties	100%	Machine-checked proofs
2. Static Analysis	Automated scanning with 5+ tools	>95%	Zero critical findings
3. Runtime	Continuous invariant monitoring	100%	Cryptographic logs

.

Core Security Properties (Formally Verified):

$$\mathrm{Integrity}:\forall b\in \mathrm{Ballots}:\mathrm{Hash}\left(b_{cast}\right)=\mathrm{Hash}\left(b_{counted}\right)$$

(11)

$$\mathrm{Privacy}:\forall v_1,v_2\in \mathrm{Voters}:NOT\exists f:f\left(\mathrm{Ballot}\left(v_1\right)\right)\to v_1$$

(12)

$$\mathrm{Verifiability}:\forall t\in \mathrm{Tallies}:\exists \pi :\mathrm{Verify}(\pi ,t)=\mathrm{true}$$

(13)

6.24.3. Transparency and Auditability Standards

Public Repository Requirements:

Table 21. Source code transparency metrics.

Requirement	Standard	Verification Method
Code Availability	100% source published	Git commit history
Build Reproducibility	Bit-identical binaries	SHA-256 matching
Dependency Transparency	Complete SBOM	CycloneDX format
Vulnerability Disclosure	90-day responsible disclosure	CVE publication
Security Audit Frequency	Quarterly	Published reports

summarizes the source code transparency metrics in our framework.

Continuous Verification Pipeline:

• Pre-commit: Static analysis, dependency scanning, and license compliance.
• Build time: Formal verification and fuzz testing (minimum of 10,000 iterations).
• Deployment: Reproducible builds with multi-party signatures.
• Runtime: Real-time anomaly detection with <100 ms response time.

6.24.4. Hardware Security Requirements

Trusted Computing Base Specifications: The hardware security requirements in our framework are shown in

Table 22. Hardware security requirements.

Component	Requirement	Validation
CPU	Hardware-based memory encryption (TME/SME)	FIPS 140-3 Level 3
Secure Element	Dedicated HSM or TPM 2.0	Common Criteria EAL4+
Boot Process	UEFI Secure Boot with custom PKI	Measured boot attestation
Storage	Full-disk encryption with authenticated encryption	AES-256-GCM
Network	Hardware-isolated network interfaces	Air-gap verification

.

6.24.5. Testing and Certification Framework

Multi-Phase Testing Protocol:

1.

Alpha Testing (Months 1–3)

• 10,000+ automated test cases;
• Formal verification of 100% of security properties;
• Penetration testing by three independent firms.

2.

Beta Testing (Months 4–6)

• Mock elections with 10,000+ participants;
• Red team exercises by national security agencies;
• Public bug bounty with a total pool of USD 500,000.

3.

Certification (Months 7–9)

• EAC certification to VVSG 2.0 standards;
• State-specific certification in five pilot states;
• Independent security assessment publication.

6.24.6. Implementation Cost–Benefit Analysis

Development and Deployment Costs:

A comparative cost analysis of open vs. proprietary systems is presented in

Table 23. Comparative cost analysis: open vs. proprietary systems.

Cost Category	Open System	Proprietary	Savings
Initial Development	USD 75M	USD 150M	50%
Annual Maintenance	USD 5M	USD 20M	75%
Security Audits	USD 2M	USD 8M	75%
Vendor Lock-in Risk	USD 0	USD 50M (10 yrs)	100%
10-Year TCO	USD 147M	USD 430M	66%

.

Security Benefits (Quantified):

• Vulnerability Detection: 3.2 × faster (community review).
• Patch Deployment: 5.7 × faster (no vendor bottleneck).
• Attack Surface: 68% reduction (minimal trusted code).
• Supply Chain Risk: 91% reduction (transparent builds).
• Public Trust: 87% approval vs. 34% for proprietary (survey data).

6.24.7. Regulatory and Legal Framework

Proposed Federal Standards for Open Election Systems:

1.

Mandatory Open Source: All federally certified systems must publish source code.

2.

Verification Requirements: Core security properties must be formally verified.

3.

Public Audit Rights: Citizens must have the right to inspect and verify election software.

4.

Liability Protection: Safe harbor must be ensured for security researchers (good-faith disclosure).

5.

Funding Model: Federal grants must be provided for open system development (USD 100 M/year).

This framework provides a concrete path from proprietary, unverifiable systems to transparent, mathematically verified election infrastructure that maintains security while enabling unprecedented public oversight and trust.

7. Foreign Interference: Comprehensive Threat Actor Analysis for Election Systems

Foreign interference in election systems represents one of the most sophisticated and persistent threats to democratic processes worldwide. This section provides an exhaustive analysis of nation-state actors targeting election infrastructure, examining their organizational structures, technical capabilities, resource allocations, and documented attack vectors specific to election systems. The analysis draws from intelligence assessments, security research, and documented incidents to construct comprehensive threat profiles essential for understanding and defending against these sophisticated adversaries.

7.1. Threat Actor Classification and Assessment Framework

The categorization of foreign threat actors targeting election systems requires a multi-dimensional assessment framework that evaluates technical sophistication, resource availability, strategic objectives, and operational patterns. Nation-state actors demonstrate varying levels of capability across different attack domains, from direct technical intrusion to information operations and supply chain compromise. Understanding these distinctions is crucial for developing targeted defensive strategies that address the specific threats posed by each actor (

Table 24. Nation-state threat actor capability assessment matrix for election and critical infrastructure targeting. Data sourced from [52,123].

Capability Domain	Iran (KITTEN)	China (PANDA)	Russia (BEAR)	North Korea (CHOLLIMA)
Technical Sophistication
Overall Rating	7/10	9/10	10/10	7/10
Zero-Day Capability	Limited	Extensive	Extensive	Moderate
Custom Malware Families	15–20	50+	40+	25+
Living-Off-The-Land Techniques	Moderate	High	Very High	Moderate
Operational Scale
Active Groups	12	20+	8+	6
Personnel Estimate	Hundreds	Thousands	Thousands	1700+
Persistence (Days)	180–365	365+	365+	180-365
Breakout Time	Hours	Minutes	2–7 min	Hours
Primary Targets
Critical Infrastructure	High	Very High	Very High	Low
Government/Defense	High	Very High	Very High	High
Financial Sector	Moderate	High	Moderate	Very High
Election Systems	High	Moderate	Very High	Low
Telecommunications	Moderate	Very High	High	Low
Key Groups
Primary Actor	CHARMING	WICKED	FANCY BEAR	LABYRINTH
	KITTEN	PANDA	(APT28)	CHOLLIMA
Secondary Actor	HELIX	STONE	COZY BEAR	FAMOUS
	KITTEN	PANDA	(APT29)	CHOLLIMA
Destructive Actor	REFINED	VANGUARD	VOODOO	STARDUST
	KITTEN	PANDA	BEAR	CHOLLIMA
Notable Operations
High-Profile Attacks	Shamoon	SolarWinds	DNC 2016	Sony/WannaCry
Financial Impact	Moderate	High	Very High	USD 81M+
Attribution Confidence	High	High	Very High	High

) [134].

The primary nation-state actors targeting U.S. election systems can be classified into three distinct tiers based on their demonstrated capabilities and documented activities. Tier 1 actors, including Russia and China, possess advanced persistent threat capabilities with significant state resources, sophisticated technical infrastructure, and strategic patience for long-term operations. Tier 2 actors, exemplified by Iran, demonstrate moderate technical capabilities with increasing sophistication but more limited resources and operational scope. Tier 3 actors, including North Korea and various state-aligned proxies, exhibit opportunistic behavior with capabilities that, while potentially disruptive, primarily remain financially motivated or limited in scope.

7.2. Iran: Evolution from Regional Power to Election Disruptor

Iran’s transformation from a regional cyber actor to a significant threat to election systems represents a deliberate strategic evolution following the 2010 Stuxnet attack on its nuclear facilities [120]. The Islamic Republic’s cyber capabilities have undergone substantial development through the establishment of dedicated offensive units within the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). These organizations operate with increasing coordination, sharing resources and intelligence to maximize operational effectiveness against Western targets, including election infrastructure.

The sophistication of Iranian election interference became particularly evident during the 2020 U.S. presidential election when Iranian operators executed a multifaceted campaign targeting multiple aspects of the electoral process. According to the National Intelligence Council’s declassified assessment, Iran conducted operations designed to undercut former President Trump’s reelection prospects while simultaneously undermining public confidence in the electoral process [135]. These operations demonstrated technical capabilities previously unseen in Iranian cyber activities, including the compromise of voter registration databases, creation of sophisticated disinformation content, and coordination of intimidation campaigns against election officials.

Iranian operators successfully sent threatening emails to Democratic voters in multiple states, falsely claiming to be from the Proud Boys militia group and threatening recipients with physical violence if they did not vote for President Trump [136]. This operation required obtaining voter registration data, crafting convincing spoofed communications, and coordinating the timing for maximum impact during the critical pre-election period. The FBI’s investigation further revealed that Iranian actors created and disseminated a video purporting to show how fake absentee ballots could be submitted, although no evidence emerged of actual fraudulent ballot submission.

Perhaps most concerning was Iran’s post-election campaign targeting election officials who publicly refuted claims of widespread voter fraud. The creation of “enemies of the people” hit lists, including the FBI director and state election officials, represented an escalation in tactics from technical exploitation to direct intimidation of election administrators [137]. As shown in

Table 25. Documented Iranian election interference tactics (2020–2024) [123].

Attack Vector	Specific Technique	Target and Impact
Voter Intimidation	Spoofed emails claiming to be from militia groups	Democratic voters in FL, AK; thousands of emails sent
Disinformation	False videos about ballot fraud	Social media distribution; viral spread attempted
Official Targeting	“Enemies of the people” hit lists	FBI Director, CISA officials, state election administrators
Infrastructure Reconnaissance	Vulnerability scanning	County election systems; extent classified

These operations demonstrate Iran’s evolving doctrine that views election systems not merely as technical targets but as complex socio-technical systems where human operators represent critical vulnerabilities susceptible to psychological operations.

Iranian technical capabilities against election infrastructure continue to evolve, with recent intelligence assessments noting increased investment in developing custom malware families and establishing persistent access mechanisms [138]. The IRGC’s cyber units have demonstrated proficiency in exploiting public-facing applications, conducting spear-phishing campaigns, and maintaining operational security that complicates attribution efforts. Their targeting hierarchy prioritizes voter registration systems for data extraction, election night reporting systems for perception manipulation, and election official communications for intelligence gathering and intimidation operations.

7.3. China: Strategic Positioning and Pre-Conflict Preparation

China’s approach to election system targeting fundamentally differs from that of other nation-state actors in its strategic patience, resource allocation, and long-term objectives. Operating through multiple state entities, including elements of the People’s Liberation Army Strategic Support Force and the Ministry of State Security, Chinese cyber operations against election infrastructure form part of a broader strategy of pre-positioning for potential future conflicts, particularly scenarios involving Taiwan or broader Indo-Pacific tensions [139,140].

The emergence of Volt Typhoon as a specialized advanced persistent threat group focused on critical infrastructure infiltration has raised significant concerns about China’s capabilities and intentions regarding election systems. Active since at least mid-2021, Volt Typhoon has demonstrated sophisticated operational tradecraft centered on “living-off-the-land” techniques that utilize legitimate system administration tools to avoid detection by traditional security measures [141,142]. This methodology proves particularly effective against election infrastructure, where security monitoring often focuses on detecting malicious software rather than the anomalous use of legitimate administrative functions.

The group’s exploitation of small office and home office network devices to build operational infrastructure represents a significant evolution in Chinese tactics. By compromising thousands of routers, firewalls, and VPN devices, Volt Typhoon has constructed a vast anonymization network, the “KV Botnet”, that obscures the origin of malicious activities and complicates attribution efforts [141]. This botnet, composed of infected privately owned devices, demonstrates the group’s ability to leverage compromised infrastructure for strategic purposes while maintaining plausible deniability [143,144].

Chinese targeting of election infrastructure demonstrates comprehensive intelligence preparation extending beyond technical reconnaissance. Security researchers have identified extensive mapping of election vendor supply chains, detailed profiling of system administrators, and patient observation of system update cycles and maintenance windows [145,146,147,148,149,150,151]. This intelligence foundation enables highly targeted operations that exploit specific vulnerabilities in both technical systems and operational processes. The sophistication of Chinese operations reflects what FBI Director Christopher Wray described in congressional testimony as a force that outnumbers FBI cyber personnel by at least 50 to 1, highlighting the resource asymmetry that enables such comprehensive pre-positioning efforts [22,152,153]. The detail of each phase are shown in

Table 26. Volt Typhoon infrastructure targeting methodology [123].

Phase	Technique	Observed Timeline
Initial Access	Exploitation of network device vulnerabilities, valid accounts	30–60 days reconnaissance
Persistence	Living off the Land using legitimate Windows tools	1–2 days implementation
Lateral Movement	Trust relationship exploitation between systems	7–14 days expansion
Collection	Configuration harvesting, credential theft	Continuous
Pre-positioning	Strategic access maintenance	Months to years

.

The strategic objectives driving Chinese election system targeting differ markedly from those of other actors. Rather than seeking immediate electoral influence, Chinese operations focus on establishing persistent access that could be activated during geopolitical crises to create chaos and undermine American response capabilities [126]. This approach aligns with broader Chinese military doctrine that emphasizes achieving strategic objectives through non-kinetic means when possible, reserving disruptive capabilities for critical moments when they would have maximum strategic impact [8,103,154].

7.4. Russia: The Persistent and Adaptive Adversary

Russia’s interference in democratic elections represents the most extensively documented, persistently evolving, and strategically sophisticated foreign threat to electoral integrity. Operating through a complex ecosystem of military intelligence (GRU), foreign intelligence (SVR), domestic security (FSB), and ostensibly private entities like the Internet Research Agency, Russia has demonstrated both the capability and willingness to target every phase of the electoral process, from voter registration through results certification and post-election legitimacy.

The 2016 U.S. presidential election provided unprecedented insight into the scope and sophistication of Russian election interference capabilities. Federal investigations and the Senate Intelligence Committee’s comprehensive reports revealed that Russian operatives conducted scanning and reconnaissance operations against election systems in all fifty states, with confirmed intrusions into voter databases in Illinois and Arizona, where operators gained access sufficient to alter or delete voter registration data [29,155]. These operations, primarily conducted by GRU Units 26,165 and 74,455, demonstrated not only technical sophistication but also remarkable operational security, with many intrusions remaining undetected for extended periods. Russian tactics evolved significantly between 2016 and 2020, reflecting both lessons learned from international responses to previous operations and improvements in defensive measures implemented by election officials. The 2020 operations shifted from direct infrastructure attacks to more subtle influence operations designed to amplify existing social divisions and undermine faith in electoral processes [106,107,156]. This evolution demonstrates Russia’s adaptive approach to election interference, adjusting tactics based on defensive improvements while maintaining the strategic objective of democratic destabilization.

The sophistication of Russian operations extends beyond technical capabilities to encompass comprehensive, multi-domain campaigns that integrate cyber operations, information warfare, human intelligence, and criminal proxies. Russian operators have demonstrated the ability to coordinate complex operations across multiple vectors simultaneously, timing technical intrusions to support information operations and leveraging criminal groups for plausible deniability. This orchestrated approach maximizes impact while complicating attribution and response efforts, as shown in

Table 27. Evolution of Russian election interference tactics.

Target/Technique	2016	2020	2024 Assessment
Direct Infrastructure Attacks	High	Low	Medium
Information Operations	High	Very High	Very High
Supply Chain Targeting	Low	Medium	High
Criminal Proxy Use	None	Low	High
AI-Enhanced Operations	None	Experimental	Operational

.

Post-2020 developments, particularly in the context of the Ukraine conflict, have revealed additional dimensions of Russian cyber capabilities and their potential application to election systems [137,157]. The conflict has demonstrated Russia’s willingness to employ destructive cyberattacks against critical infrastructure when conventional options are constrained. Analysis by the European Parliament and other institutions has documented the evolution of Russian cyber doctrine toward more aggressive operations, raising concerns about potential escalation against election systems during heightened geopolitical tensions [158,159].

7.5. Comparative Analysis and Strategic Implications

The comparative analysis of nation-state actors reveals distinct patterns in resource allocation, technical capabilities, and operational approaches that inform defensive priorities. China demonstrates exceptional patience and resource availability, maintaining access for years while awaiting strategic opportunities. Russia exhibits tactical flexibility and multi-domain coordination, adapting quickly to defensive improvements while maintaining pressure across multiple vectors. Iran, while more limited in resources, compensates through psychological operations and the targeting of human vulnerabilities where technical capabilities alone might prove insufficient (as shown in

Table 28. Threat actor targeting preferences by election component.

Election Component	Iran	China	Russia	Primary Risk
Voter Registration	Medium	High	High	Data theft/manipulation
E-Pollbooks	Low	High	Medium	Service disruption
Vote Capture Systems	Low	Medium	Low	Trust undermining
Central Tabulation	Low	High	Medium	Result manipulation
Election Management Systems	Medium	Very High	High	System-wide compromise
Election Night Reporting	High	Medium	Very High	Perception manipulation

).

Understanding these distinct threat actors and their evolving capabilities proves essential for developing targeted defensive strategies that address specific threats to different components of election infrastructure. The diversity of actors, methods, and objectives demonstrates that election security cannot be achieved through uniform defensive measures but requires tailored strategies addressing the unique characteristics of each threat while maintaining comprehensive security across all critical systems.

The convergence of nation-state and criminal actors, the proliferation of commercial surveillance tools, and the advancement of artificial intelligence capabilities represent emerging challenges that will reshape the election security landscape. Election security strategies must evolve continuously to address this complex, dynamic threat environment while maintaining public confidence in democratic processes and ensuring the accessibility and transparency that are fundamental to democratic participation [160]

8. Honeynets as a Defensive Strategy

Honeynets offer a proactive approach to detecting and analyzing threats against election infrastructure.

Honeynets can have a significant impact on the cybersecurity of elections by providing valuable insights into potential threats and vulnerabilities. By the nature of emulation that honeynets can achieve, honeypot technology systematically provides active defense measures for a network environment while withstanding continuous attacks [161]. This aligns with the U.S.’s “defend forward” approach to critical infrastructure protection [162]. By deploying honeypots, organizations can gain greater visibility into attempted intrusions and attacker behavior, facilitating more effective defense strategies [163].

8.1. Ways Honeynets Can Impact Election Cybersecurity

Honeynets, which are networks of honeypots designed to lure and study cyberattacks, offer several potential benefits for enhancing election cybersecurity. By deploying decoy systems that mimic real election infrastructure components, honeynets enable security teams to detect threats, understand attack techniques, serve as an early warning system, deceive and misdirect attackers, and provide valuable training opportunities. The controlled environment of honeynets allows for the safe observation and analysis of real-world attacks targeting election systems, yielding insights that can inform defensive strategies and improve preparedness against sophisticated cyber threats aimed at undermining the integrity of the electoral process.

1.

Detection of Threats: Honeynets, by design, detect and intercept malicious activity targeting infrastructure. In the application to election infrastructure, the medium of decoy networks designed to lure attackers will allow for better detection and interception of malicious activity targeting election infrastructure. This approach is validated by research that demonstrates the effectiveness of honeypots and honeynets in identifying and analyzing threats to IoT devices, which can be extrapolated to the broader context of protecting critical infrastructure such as election systems [155,164].

2.

Understanding Attack Techniques: APTs or malicious groups have previously targeted elections in the United States and abroad. Russian interference in the 2016 presidential election was “sweeping and systemic” [165]. This has only continued with more frequency as nation-states turn to cyberspace as a means of spreading influence. As an example, hackers linked to the Chinese government are now targeting critical U.S. infrastructure, preparing to cause “real-world harm” to Americans. Honeynets can help defenders better understand the tactics, techniques, and procedures employed by these adversaries targeting election infrastructure. The use of honeynets to project a small number of IoT devices as many geographically distributed devices on the Internet, thereby attracting attacks, can provide insights into the attack techniques used against critical infrastructure [163,164].

3.

Early Warning System: Honeynets serve as an early warning system for potential cyber threats against election infrastructure. By monitoring honeynet activity for suspicious behavior and indicators of compromise, security teams can detect attacks in their early stages before they can cause significant damage. This early detection can enable rapid response and mitigation efforts to safeguard election systems from exploitation. The implementation of honeynets for the detection of threats to IoT devices, which includes strategies for backtracking network traffic to detect malicious connections and downloading malware, exemplifies how honeynets can function as an early warning system [164].

4.

Deception and Misdirection: Honeynets can deceive and misdirect attackers, diverting their attention away from actual election infrastructure. This strategy is part of the broader concept of using honeypots and honeynets as decoys to engage attackers, thereby protecting real assets by wasting attackers’ resources and time. The effectiveness of honeynets in creating a controlled and secure environment to examine different threats and understand attack patterns supports their role in deception and misdirection [155,166].

5.

Training and Preparedness: Honeynets provide valuable training and preparedness exercises for election cybersecurity teams. By engaging with real attack techniques in a controlled environment, cybersecurity professionals can improve their skills and readiness to respond to actual threats. The use of honeynets to detect and analyze large-scale attacks targeting IoT devices, as well as the development of analysis strategies for examining potentially malicious traffic, underscores the potential of honeynets as a tool for training and enhancing the preparedness of cybersecurity teams.

Figure 6 summarizes the relative effectiveness of key honeynet capabilities in the context of election security.

8.2. Honeynet Systems That Can Improve Election Security

Several honeynet systems and platforms have been developed that can be leveraged to enhance the cybersecurity posture of election infrastructure. By deploying these specialized honeypot solutions, security teams can create controlled environments that mimic real election systems and services, attracting and studying potential attackers. The data and insights gathered from these honeynet deployments can provide valuable intelligence on emerging threats, attack vectors, and adversary tactics, techniques, and procedures (TTPs) specifically targeting election infrastructure components. Additionally, these honeynet systems offer capabilities for threat detection, prevention, incident response, and security analytics, enabling a multi-layered defense strategy to safeguard the integrity and resilience of electoral processes.

8.2.1. T-Pot

T-pot is a comprehensive honeypot platform designed to emulate diverse services and collect attack data for analysis. It offers a wide range of services, including SSH, FTP, HTTP, VoIP, and more, to mimic real-world systems and services commonly found in network environments. By deploying T-pot in election infrastructure, security teams can create decoy systems that attract attackers, allowing them to gather valuable insights into potential threats and vulnerabilities targeting election systems. T-pot provides detailed logs and reports of attacker activity, including information on attack techniques, originating IP addresses, and targeted services. This data can help defenders better understand adversary tactics and develop effective defense strategies. Additionally, T-pot integrates with threat intelligence feeds and security information and event management (SIEM) systems, enabling security teams to correlate honeypot data with other security telemetry for enhanced threat detection and response [167].

8.2.2. Shadow Daemon

Shadow Daemon is a honeypot-based Intrusion Detection System (IDS) specifically designed to protect web applications from attacks. It monitors web traffic for suspicious activity and alerts administrators to potential threats targeting election-related web applications. By deploying Shadow Daemon alongside election infrastructure, security teams can detect and prevent common web application attacks, such as SQL injection, cross-site scripting (XSS), and file inclusion attacks, before they can compromise election systems. Shadow Daemon provides real-time alerts and notifications of suspicious activity, allowing security teams to respond quickly to potential threats. It also offers detailed logs and reports for forensic analysis and incident response. Furthermore, Shadow Daemon offers customizable security policies and rule sets, allowing administrators to tailor detection and prevention capabilities to the specific needs and requirements of election infrastructure [161].

8.2.3. Guardicore Infection Monkey

Infection Monkey is an open-source breach and attack simulation tool that tests a network’s resilience to perimeter breaches and internal server infections. In the context of election security, Infection Monkey could be used to simulate cyberattacks on election systems and infrastructure, helping identify vulnerabilities and validate defensive measures. Its ability to mimic real-world attack techniques makes it a valuable tool for assessing and improving the security posture of election networks.

A comparative overview of the capabilities of these honeynet systems is presented in

Table 29. Comparison of honeynet systems for election security.

System	Web	Network	Breach Sim	Deploy
T-pot	Med	High	Low	Med
Shadow Daemon	High	Low	Low	Low
Infection Monkey	Low	High	High	High

.

8.3. Key Insights from Honeynets in Election Security

Honeynets are instrumental in fortifying elections’ cybersecurity posture by offering valuable perspectives on emerging threats, facilitating early detection of attacks, and reinforcing defensive strategies to protect vital election infrastructure. Through their proactive approach and strategic deployment, honeynets contribute significantly to the resilience and security of electoral systems, ensuring the integrity and trustworthiness of democratic processes [168,169].

9. Discussion

This section examines the challenges and solutions for securing election infrastructure. It highlights the rising threat of cyber-physical attacks, such as Volt Typhoon malware, and their impact on democracy. The increase in global election-related cyberattacks and disinformation campaigns calls for coordinated international efforts to enhance election security. Protecting critical infrastructure, including voter registration databases and election night reporting systems, is essential for maintaining electoral integrity. The section advocates for future research on scalable blockchain-based voting systems and strategies to combat technology-facilitated violence and disinformation, ensuring the resilience of democratic processes against evolving threats.

9.1. Attacks on Cyber-Physical Infrastructure

The ever-increasing threat of attacks on cyber-physical infrastructure poses one of the greatest risks to modern democracy to date. As highlighted by recent developments in Volt Typhoon and earlier attacks on critical infrastructure like the 2016 election, the vulnerability of cyber-physical systems to malicious activities has far-reaching consequences for the integrity of democratic processes. Volt Typhoon malware, for instance, has demonstrated the ability to compromise critical infrastructure, including privately owned SOHO routers, to conceal hacking activities. This highlights the need for a comprehensive approach to securing cyber-physical systems, including the development of scalable blockchain-based electronic voting systems that can ensure the integrity and transparency of electoral processes.

9.2. Worldwide Attacks

Global malicious activity targeting elections is skyrocketing, with various forms of cyberattacks and disinformation campaigns aimed at disrupting democratic processes. This trend underscores the need for a coordinated international response to election security threats, including the development of robust voter registration systems that can withstand cyberattacks and ensure the integrity of electoral data.

The 2022 Brazilian elections, for example, witnessed a surge in online misogyny against female candidates, highlighting the need for strategies to combat technology-facilitated gender-based violence and ensure equal participation of women in political discourse. Similarly, the 2020 U.S. elections were marked by a global pandemic, racial tensions, and online incivility, which had significant impacts on political behavior and voter turnout.

9.3. Critical Infrastructure Protection

The protection of critical infrastructure is crucial to ensuring the integrity of democratic processes. This includes not only voting systems but also voter registration databases, election night reporting systems, and other supporting infrastructure. The development of systematization frameworks for voter registration security can help identify vulnerabilities and inform the development of more secure systems [170].

10. Conclusions

In summation, the intricate landscape of cybersecurity in modern elections is characterized by continual evolution and the looming presence of state-sponsored actors such as Volt Typhoon and Russia, casting a shadow over the sanctity of democratic processes. Volt Typhoon’s adept cyber operations, amid escalating U.S.–China tensions, underscore the urgent need for fortified cybersecurity measures to safeguard critical infrastructure, including election systems. Recent indictments of seven individuals linked to the Chinese government further accentuate the pressing need to fortify voter registration systems and address their vulnerabilities. Russia’s persistent involvement in election interference, with ramifications for global geopolitics, remains a pivotal concern. The strategic deployment of honeynets emerges as a potent tool in bolstering election cybersecurity, offering invaluable insights into potential threats, detecting breaches, and enhancing preparedness through training exercises. Prospective endeavors in this domain should prioritize fortifying voter registration systems, exploring the security nuances of absentee voting, and establishing minimum equipment standards to ensure voting system integrity. Ultimately, a holistic approach encompassing the fortification of cyber-physical systems, including the development of scalable blockchain-based electronic voting mechanisms, is imperative for upholding the integrity of democratic processes amidst the relentless onslaught of sophisticated cyber threats.

11. Future Work

Future research must enhance election security by improving voter-verified paper systems, securing voter registration and election night reporting systems, and addressing software vulnerabilities. It calls for mandatory federal security standards, further studies on ballot-marking devices, and evaluation of blockchain’s role in elections. Additionally, emphasis should be placed on homomorphic encryption, the importance of penetration testing, security in absentee voting, and the development of minimum voting equipment requirements to ensure robust and reliable election systems.

11.1. End-to-End Verifiability

End-to-end (E2E) verifiability represents a fundamental paradigm shift in election system design, providing mathematical and cryptographic mechanisms that allow voters and observers to verify that votes are cast as intended, recorded as cast, and tallied as recorded, all while maintaining ballot secrecy. This comprehensive approach to election verification addresses the traditional trust requirements of paper-based systems by replacing procedural security with cryptographic proofs, enabling unprecedented levels of transparency and auditability in democratic processes [171,172].

11.1.1. Core Verifiability Principles

The core principles of E2E verifiability rest on three interconnected properties that collectively ensure election integrity. First, cast-as-intended verification enables voters to confirm that their encrypted ballot accurately represents their selections before submission, typically through challenge-response protocols or Benaloh challenges, where voters can spoil and decrypt test ballots to verify the encryption process. Second, recorded-as-cast verification provides voters with cryptographic receipts that allow them to verify their votes were correctly included in the election tally without revealing how they voted, often implemented through bulletin boards where encrypted ballots are publicly posted with unique identifiers. Third, tallied-as-recorded verification allows anyone to independently verify that the published encrypted ballots were correctly tallied to produce the announced results, typically through zero-knowledge proofs or homomorphic tallying procedures that demonstrate correctness without decrypting individual ballots.

Modern E2E-verifiable systems implement these principles through sophisticated cryptographic protocols that carefully balance transparency with privacy. Systems such as Helios, Prêt à Voter, Scantegrity, and STAR-Vote employ various techniques, including mix networks for anonymization, threshold cryptography for distributed trust, and zero-knowledge proofs for verification without revelation. These systems generate publicly auditable evidence of correct execution at each stage of the election process, creating an evidence trail that can be independently verified by multiple parties without compromising voter privacy or enabling coercion.

11.1.2. Voter-Verified Paper Audit Trails

Voter-verified paper audit trails (VVPATs) serve as a critical bridge between traditional paper-based voting systems and modern electronic voting technologies, providing a physical record that voters can inspect to confirm their selections before casting their ballot. This paper trail creates an independent, human-readable record of voter intent that exists separately from electronic tallies, enabling meaningful post-election audits and recounts while maintaining the efficiency benefits of electronic vote counting.

The implementation of VVPAT systems typically involves a printer attached to electronic voting machines that produces a paper record visible to the voter through a transparent window before being deposited into a sealed ballot box. This approach addresses fundamental concerns about the unverifiability of purely electronic voting systems by ensuring that voters have direct, personal confirmation that their vote was recorded correctly, at least on paper. The paper trail serves multiple critical functions: it provides a backup in case of electronic system failure, enables risk-limiting audits that can detect and correct electronic tabulation errors, and offers psychological reassurance to voters who may distrust purely electronic systems.

However, VVPAT systems face several implementation challenges that affect their practical effectiveness. Studies have shown that many voters do not actually verify their paper receipts, potentially allowing systematic errors or malicious alterations to go undetected. Additionally, discrepancies between electronic and paper records raise complex legal and procedural questions about which record should be considered authoritative. The mechanical complexity of printer systems introduces new failure modes, including paper jams, ink depletion, and calibration issues that can disrupt voting processes. Furthermore, the mere presence of VVPATs does not guarantee election integrity without robust post-election audit procedures that examine a statistically significant sample of paper ballots.

The evolution of VVPAT technology continues to address these limitations through innovations such as ballot-marking devices that produce machine-scannable paper ballots filled out according to voter selections made via electronic interfaces, thereby combining the accessibility and error-prevention benefits of electronic interfaces with the auditability of hand-marked paper ballots. Integration with risk-limiting audit protocols ensures that paper trails are not merely ceremonial but serve as functional components of election verification, while improved voter education and interface design aim to increase the rate at which voters actually verify their paper records.

11.1.3. Achieving Verifiability Without Compromising Anonymity

The fundamental challenge in designing verifiable voting systems lies in the apparent contradiction between two essential requirements: providing voters with evidence that their vote was correctly processed while preventing any mechanism that could link voters to their ballot choices. This tension between verifiability and anonymity has driven the development of sophisticated cryptographic protocols that achieve both properties simultaneously through careful protocol design and mathematical guarantees.

Modern E2E-verifiable systems resolve this apparent paradox through several innovative approaches. Cryptographic commitments allow voters to receive receipts that cryptographically bind to their choices without revealing them, using techniques such as Pedersen commitments or ElGamal encryption, which provide computational hiding while maintaining binding properties. These receipts contain enough information for voters to verify their ballot’s inclusion in the final tally but appear as random data to anyone else, preventing vote buying or coercion. Mix networks and re-encryption shuffles break the link between voters and their encrypted ballots by passing them through multiple mixing servers that shuffle and re-encrypt the ballots, making it computationally infeasible to trace any output ballot back to its input while maintaining verifiable correctness through zero-knowledge proofs.

The separation-of-duties principle ensures that no single entity has access to both voter identities and ballot contents. This is typically achieved through threshold cryptography, where decryption keys are split among multiple trustees such that a predetermined number must cooperate to decrypt results. Temporal separation further enhances privacy by ensuring that the association between voters and their encrypted ballots exists only momentarily during vote casting, with subsequent processing operating solely on anonymous encrypted ballots. Cut-and-choose protocols allow voters to verify the correct operation of the encryption process without revealing their actual choices by preparing multiple ballots where all but one are opened for verification, confirming the system’s honest behavior while keeping the actual ballot secret.

11.1.4. Existing E2E-Verifiable Systems and Implementations

Several E2E-verifiable voting systems have progressed from academic research to real-world deployment, providing valuable insights into the practical challenges and benefits of cryptographic voting protocols. These implementations range from small-scale academic elections to government-sanctioned pilots, each contributing to the growing body of evidence about the feasibility and limitations of E2E-verifiable voting.

Helios, one of the most widely deployed E2E-verifiable systems, has been used for numerous organizational elections, including university governance, professional associations, and academic committees. The system implements homomorphic tallying for simple elections and mix networks for more complex ballot structures, providing a web-based interface that generates cryptographic proofs of correct tallying. The International Association for Cryptologic Research has used Helios for its board elections since 2010, demonstrating the system’s stability and acceptance within the cryptographic community. However, Helios’s remote voting model makes it unsuitable for high-stakes public elections due to client-side security concerns and the lack of coercion resistance.

Scantegrity and its successor Scantegrity II represent successful implementations of E2E verifiability in supervised, in-person voting environments. Deployed in the Takoma Park, Maryland, municipal elections in 2009 and 2011, Scantegrity used invisible ink confirmation codes on optical-scan ballots to provide voters with verifiable receipts without revealing their choices. This deployment demonstrated that E2E verifiability could be integrated with existing election infrastructure and procedures, although voter participation in the verification process remained limited, with fewer than 2% of voters checking their receipts online.

The STAR-Vote system, developed for Travis County, Texas, combines E2E verifiability with VVPATs and risk-limiting audits to create a comprehensive verifiable voting solution. Although not yet deployed due to funding constraints, STAR-Vote’s design incorporates lessons learned from earlier systems, including improved usability features and integration with existing election administration procedures. The system uses a two-phase voting process, where voters first make selections on an electronic interface, then receive and cast a printed ballot that serves both as a VVPAT and as the official record for tabulation.

Recent implementations have explored blockchain-based E2E-verifiable systems, such as Voatz, which has been piloted for overseas military voters in several U.S. states. While these systems claim to provide E2E verifiability through blockchain immutability, security analyses have revealed significant vulnerabilities and a lack of true E2E verifiability properties, highlighting the importance of rigorous academic review and standardized evaluation criteria. The Moscow blockchain voting system, used in the 2019 city council elections, similarly demonstrated that blockchain alone does not guarantee E2E verifiability without proper cryptographic protocols for ballot privacy and verifiable tallying.

These real-world implementations have revealed critical insights about the deployment of E2E-verifiable systems, including the importance of voter education and usability testing, the need for graceful degradation when verification mechanisms fail, the challenge of integrating cryptographic protocols with existing legal frameworks, and the tension between mathematical security and procedural simplicity. Future deployments must address these lessons while continuing to advance the technical capabilities and practical usability of E2E-verifiable voting systems.

11.1.5. Voter Registration System

More work is needed on the security of the voter registration system and election night reporting systems; for example, how likely is it that an attack occurs in which state election night reporting systems are taken out and replaced with fakes [4].

11.1.6. Complex System Externalities

Many of the systems that elections rely on are much more complex than just voting. It is critical to understand how likely it is that some obscure piece of software present in a voting system provides a point of entry for malware [4,173].

11.1.7. Federal Standards

There is currently a lack of mandatory federal security standards for security infrastructure [3].

11.1.8. Ballot-Marking Devices

As a relatively new technology, ballot-marking devices have not been widely studied by independent researchers and have been largely absent from practical election security research. More work is needed in this area for more comprehensive studies [3].

11.1.9. Blockchain in Elections

The application of blockchain technology to electoral systems represents a promising yet contentious area of research that requires substantial additional investigation before widespread implementation can be considered. While blockchain’s inherent properties of immutability, transparency, and decentralization appear well-suited to addressing many traditional election security concerns, the translation of these theoretical benefits into practical, scalable voting systems remains largely unproven.

Current blockchain-based voting proposals typically leverage the technology’s distributed ledger architecture to create tamper-evident records of cast ballots. Several pilot programs and small-scale implementations have been conducted, including notable examples in West Virginia, Utah, and various Estonian municipalities. These systems generally promise enhanced voter accessibility through remote voting capabilities, improved auditability through transparent transaction logs, and reduced opportunities for post-election manipulation through cryptographic verification mechanisms. However, these implementations have faced significant criticism from security researchers, who point to fundamental tensions between blockchain’s transparency requirements and ballot secrecy, as well as concerns about the additional attack surfaces introduced by digital voting interfaces.

The primary challenge facing blockchain election systems lies in reconciling competing requirements that are essential to democratic processes. Elections must simultaneously ensure voter privacy, prevent coercion and vote buying, maintain transparency for public trust, enable comprehensive auditing, and remain accessible to all eligible voters regardless of technical expertise. Current blockchain architectures struggle to satisfy all these requirements simultaneously. For instance, the immutability that makes blockchain attractive for preventing tampering also complicates the correction of legitimate errors or the accommodation of legal challenges to ballots.

Future research must address several critical areas before blockchain can be considered viable for large-scale elections. These include developing robust methods for voter authentication that preserve anonymity, creating mechanisms for handling disputed or provisional ballots within an immutable system, establishing frameworks for regulatory compliance and legal recourse, and ensuring system resilience against both technical failures and coordinated attacks. Additionally, researchers must conduct comprehensive threat modeling that accounts for nation-state adversaries, develop formal verification methods for blockchain-based voting protocols, and establish standardized evaluation criteria that allow meaningful comparison between different blockchain voting proposals and traditional paper-based systems.

11.1.10. Homomorphic Encryption

Homomorphic encryption represents a groundbreaking cryptographic technique that enables mathematical operations to be performed directly on encrypted data, producing encrypted results that, when decrypted, match the outcomes of operations performed on the plaintext. This remarkable property positions homomorphic encryption as a potentially transformative technology for election security, offering the possibility of conducting entire electoral processes, from vote casting through tallying, without ever exposing individual ballot contents.

The fundamental appeal of homomorphic encryption in electoral contexts stems from its ability to preserve voter privacy while maintaining computational functionality. In a homomorphically encrypted voting system, each ballot could be encrypted at the point of casting, with vote tallying performed entirely on the encrypted ballots. Only the final aggregate results would need to be decrypted, ensuring that individual vote choices remain permanently concealed while still allowing for mathematical verification of the tallying process. This approach could theoretically eliminate many traditional attack vectors, including insider threats from election officials who might otherwise have access to unencrypted ballot data.

Despite its theoretical promise, the practical application of homomorphic encryption to elections faces substantial technical and logistical challenges. Current fully homomorphic encryption schemes suffer from significant computational overhead, with operations on encrypted data requiring orders of magnitude more processing power than their plaintext equivalents. This performance penalty becomes particularly problematic in large-scale elections involving millions of voters, where the computational requirements for homomorphic tallying could prove prohibitive. Additionally, the complexity of implementing homomorphic encryption raises concerns about system verifiability and the ability of election observers to meaningfully audit the process.

Future research in this domain should prioritize several key areas to advance the viability of homomorphic encryption for electoral applications. Performance optimization remains paramount, with researchers exploring techniques such as somewhat homomorphic encryption schemes that support limited operations but offer better efficiency, hardware acceleration through specialized processors designed for homomorphic operations, and hybrid approaches that strategically combine homomorphic encryption with other privacy-preserving techniques. Additionally, work is needed to develop user-friendly verification methods that allow voters to confirm that their ballots were correctly encrypted and counted without requiring deep cryptographic knowledge, to establish standards for key management and ceremonial procedures that prevent single points of failure, and to create formal security proofs that address the unique threat model of electoral systems, including coercion resistance and receipt-freeness.

The intersection of homomorphic encryption with other emerging technologies also warrants investigation. Combining homomorphic encryption with secure multi-party computation could enable distributed vote tallying without any single party having access to decryption keys, while integration with zero-knowledge proofs could allow voters to verify their eligibility without revealing their identity. As quantum computing advances threaten traditional cryptographic systems, research into post-quantum homomorphic encryption schemes becomes increasingly critical for ensuring the long-term security of any election system built on these foundations.

11.1.11. Pentesting

Pentesting, or penetration testing, is a simulated cyberattack against a computer system, network, or web application to assess its security. In the context of election security, pentesting can help identify vulnerabilities in voting systems and infrastructure, allowing for proactive measures to strengthen defenses. Future work could focus on the importance of pentesting in election security, highlighting its role in identifying vulnerabilities and strengthening defenses.

11.1.12. Absentee Voting

Absentee voting is a critical component of modern election systems that allows voters to cast their ballots remotely. However, it also introduces additional security challenges, such as ensuring the authenticity and confidentiality of absentee ballots. Future work could explore the security challenges and opportunities in absentee voting, examining the role of technologies like blockchain and homomorphic encryption in enhancing the security and transparency of absentee voting processes [116].

11.1.13. Assessing Minimum Voting Equipment Requirements

The security and reliability of voting equipment are critical to the integrity of elections. Future work could explore various aspects of location-specific characteristics, such as the availability and mobility of voting systems, accessibility and reassurance for voters with disabilities, and recoverability and identification mechanisms to detect flaws and restore voting data [4]. This research could inform the development of minimum voting equipment requirements, ensuring that voting systems meet the necessary standards for security, accessibility, and reliability.