Securing state and local elections: The critical role of data protection
January 29, 2025

Elections in the United States are often tumultuous and heated events. They’re also the cornerstone of a functional democracy. Every citizen deserves security, privacy and the knowledge that their vote matters. A robust data protection strategy can help ensure fair and free elections.
While Americans still use paper ballots, most other parts of the process take place online. Candidate websites, voter registration databases and other political resources may be vulnerable to cyber attacks. To mitigate these risks, agencies must fortify their cybersecurity frameworks with zero-trust principles, encryption, security service edge (SSE) solutions, and mobile endpoint detection and response (EDR). These tools could help build trust in the election results—and, by extension, in the democratic process.
The current state of election data security
The American electoral process is itself in good shape. From casting votes to counting ballots, there are extensive safeguards every step of the way. Between poll workers and government officials, there are thousands of people who help oversee the process. Credible evidence of voter fraud is vanishingly rare.
However, just about every other facet of an American election has potential data security holes:
Voter registration databases vary considerably from state to state. For example, some databases keep social security numbers private but make names and addresses public. Many states also allow third parties to compile this information. There’s no way to tell how well these databases are encrypted.
Candidate websites are vulnerable to the same technical exploits and social engineering attempts as any other online resource. As private entities, these websites don’t have to meet any special government standard. Their cybersecurity posture is an unknown quantity.
Canvassers for grassroots political organizations are usually volunteers using their personal mobile devices. They often have access to privileged information, but don’t know the names or phone numbers of the organization’s other members. That makes them tempting targets for phishing attacks.
Mobile apps from political action committees (PACs), major political parties and even the U.S. government represent a potential attack vector. Malicious copycat apps on the Apple App Store and Google Play Store are a recurring issue. Threat actors can also compromise legitimate apps.
News organizations may unwittingly spread misinformation or disinformation. Foreign cyber criminals often masquerade as legitimate journalists, using familiar website templates and misleading URLs. Some news sites also allow unvetted posts from third-party contributors.
Cybersecurity techniques to mitigate election risks
Zero-trust principle
Between social engineering, credential stuffing and keylogging, it’s not that difficult for a savvy attacker to steal a username and password. The zero-trust principle assumes that any login could be from a compromised account. Systems with zero-trust solutions might require multi-factor authentication (MFA) codes, log users out periodically or restrict their access if they use unfamiliar devices or IP addresses.
For a real-life example of what happens when politicians fail to implement zero-trust solutions, consider President Donald Trump’s infamous Twitter hijack back in 2020. Trump’s username was public, his password was easy to guess, and he didn’t employ any form of MFA.
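
The three controls named above (MFA, periodic logout, restrictions for unfamiliar devices or IP addresses) can be combined into one per-request decision. The sketch below is an added example, not code from any product mentioned here; the time limits, field names, device IDs and addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Limits, field names and sample values are assumptions chosen for illustration.
MAX_SESSION_AGE = timedelta(hours=8)   # periodic forced logout
MFA_MAX_AGE = timedelta(hours=1)       # how long a passed MFA check counts

@dataclass
class Request:
    device_id: str
    source_ip: str
    session_started: datetime
    last_mfa: Optional[datetime]       # None = password only so far
    sensitive: bool                    # e.g. exporting voter records

def decide(req, known_devices, known_networks, now):
    """Return 'allow', 'limited', 'deny', 'step_up_mfa' or 'reauthenticate'."""
    # 1. Periodic logout: an old session is not trusted, whatever else holds.
    if now - req.session_started > MAX_SESSION_AGE:
        return "reauthenticate"
    # 2. A correct password alone proves little: require a recent MFA check.
    if req.last_mfa is None or now - req.last_mfa > MFA_MAX_AGE:
        return "step_up_mfa"
    # 3. Unfamiliar device or network: keep the session but restrict it.
    addr = ip_address(req.source_ip)
    familiar = req.device_id in known_devices and any(
        addr in ip_network(net) for net in known_networks)
    if not familiar:
        return "deny" if req.sensitive else "limited"
    return "allow"

def demo():
    """Run the policy over four constructed requests for one staff account."""
    now = datetime(2025, 1, 29, 12, 0, tzinfo=timezone.utc)
    devices, nets = {"laptop-01"}, ["198.51.100.0/24"]   # constructed values
    m = lambda minutes: now - timedelta(minutes=minutes)
    requests = [
        Request("laptop-01", "198.51.100.7", m(30), m(20), True),    # normal
        Request("laptop-01", "198.51.100.7", m(30), None, False),    # no MFA yet
        Request("phone-99", "203.0.113.50", m(30), m(5), True),      # new device
        Request("laptop-01", "198.51.100.7", m(600), m(10), False),  # 10 h session
    ]
    return [decide(r, devices, nets, now) for r in requests]

if __name__ == "__main__":
    print(demo())
```

The checks run in order of strictness, so a stale session is sent back to the login page even when the device and network are familiar.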
Encryption
Encryption can protect almost any sensitive data, whether it’s stored locally or in the cloud. Suppose a threat actor infiltrates an elections website and downloads an unencrypted voter database. They would have immediate access to any names, addresses, phone numbers, email addresses, party registrations and social security numbers within it. An encrypted database, on the other hand, would take millions, if not billions, of years to crack by brute force, as long as the attacker does not also obtain the decryption keys.
SSE solutions
SSE platforms protect data in a variety of ways, from quarantining malicious websites to securing email access. One of the most important functions of an SSE solution is to monitor and thwart data breaches in real time. By analyzing user behavior, an SSE platform can point out irregularities that might indicate a compromised account. From there, an administrator can oust potential intruders before they can do any harm.
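
The behavior analysis described above comes down to comparing each account's current activity with its own history. The following is an added example, not how any particular SSE product works: the log format, account names and the threshold `k` are assumptions, and all log lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed audit-log lines: time, account, action, voter records touched.
HISTORY = """\
2025-01-20T09:10Z clerk_a view 12
2025-01-21T10:02Z clerk_a view 9
2025-01-22T09:45Z clerk_a view 15
2025-01-21T14:00Z admin_b export 5000
2025-01-22T14:00Z admin_b export 5200
"""
TODAY = """\
2025-01-24T02:13Z clerk_a export 48000
2025-01-24T09:20Z clerk_a view 14
2025-01-24T14:00Z admin_b export 5100
2025-01-24T15:00Z temp_c view 3
"""

def parse(text):
    return [(t, u, a, int(n)) for t, u, a, n in map(str.split, text.splitlines())]

def build_baseline(history):
    """Per account: median volume, median absolute deviation, actions seen."""
    volumes, actions = defaultdict(list), defaultdict(set)
    for _, user, action, count in parse(history):
        volumes[user].append(count)
        actions[user].add(action)
    base = {}
    for user, vals in volumes.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1   # avoid a zero spread
        base[user] = (med, mad, actions[user])
    return base

def find_irregular(history, today, k=10):
    """Return (time, account, reasons) for events that break the baseline."""
    base, alerts = build_baseline(history), []
    for ts, user, action, count in parse(today):
        if user not in base:
            alerts.append((ts, user, ["no baseline for account"]))
            continue
        med, mad, seen = base[user]
        reasons = []
        if action not in seen:
            reasons.append("new action: " + action)
        if count > med + k * mad:
            reasons.append("volume %d vs median %g" % (count, med))
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts
```

The routine 5,100-record export by `admin_b` passes because it matches that account's own history, while a far larger export from a clerk account that has only ever viewed records is flagged on two counts.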
Mobile EDR
Mobile devices are relatively easy to compromise. A threat actor could smish a poll worker with a convincing text message, exploit a vulnerability in a canvasser’s mobile operating system (OS) or simply steal a candidate’s smartphone from a public place. Not only do mobile devices contain valuable information on their own, but they also provide easy access to an organization's cloud data. A mobile EDR solution can protect both agency-issued and personal smartphones, warning users about social engineering attempts and limiting network access for high-risk devices.
Election security funding
In August 2024, Congress granted $55 million in election security funds to all U.S. states and territories. For many underfunded state and local elections, this was a sorely needed windfall.
Over the next few years, each state will have to decide where to invest the money. That means determining which voter data is the most sensitive—and which is currently vulnerable to cyber threats. To accomplish this, each state’s election board should create a position that is essentially a managed security service provider (MSSP) for the state. This cybersecurity expert could act as a liaison between major political campaigns and the government, holding all parties to a comprehensive set of best practices.
States should also balance their resources between large, high-profile elections and small, local ones. Prominent campaigns with charismatic candidates may attract cyber attacks and misinformation, particularly if they draw national attention. However, elections in sparsely populated areas simply don’t have as many resources at their disposal, potentially giving threat actors the upper hand.
Perhaps the single most useful thing that election boards can do in the near future is lock down mobile security. Staff members should log into their accounts each time they start a new session, with MFA for additional security. They should know how to spot common social engineering scams. Their OSes and apps must be fully up-to-date, particularly those with access to cloud data.
Cybersecurity’s role in defending democracy
The United States will have a major midterm election in 2026 and another presidential contest in 2028. That means we have only a few years to improve data protection for the electoral process. Setting up regular cybersecurity audits for the in-person voting process would be a good place to start. As we conduct more of our civic lives online, digital IDs also present some intriguing options.
The only certainty is that threat actors will also spend this time refining their techniques. While some of them simply want money, others are actively trying to destabilize Western democracies. Cybersecurity already protects our personal information. Soon, it may also protect our rights and freedoms.