Election systems security presents challenges and opportunities

During the 2000 presidential election, Florida’s “hanging chads” kept a nation in suspense. Twenty-six years later, paper-based challenges seem quaint compared to the tech threats confronting current-day campaigns.

The 2026 midterm elections will present more complex challenges, thanks largely to AI giving attackers an edge—and forcing defenders for political campaigns and federal, state, and local governments to catch up.

Andrew Jones, co-founder and CPO at Adaptive Security, told IT Brew that AI’s evolving capabilities can put the good guys at a disadvantage.

“These same technical tools can also be used by attackers to do things like manipulate elections, or deceive consumers, or deceive governments,” he said. “The technology is definitely there, and given the rise of AI, it’s given attackers more tools to be efficient and effective with these attacks.”

Old hat. The issue is a longstanding one. In 2024, former CISA head Jen Easterly told the crowd at the Black Hat conference to “be prepared for” and “expect” attacks on elections: “Things will go wrong…I can guarantee that.”

The rise of agentic AI, Appknox CSO Rishika Mehrotra told IT Brew, has led to streamlined threats from attackers. In elections, where it’s essential to get things right the first time and as quickly as possible, even the semblance of error can have dire ramifications.

“In 2024, we saw a lot of deepfakes, voice recordings, and stuff which were AI-generated, and they were primarily created to create misinformation, and mislead voters,” Mehrotra said. “Now the conversation we are seeing is more around, can the election system itself be hacked? What can AI do in terms of the interconnected systems? There are thousands of vendors, platforms, APIs, which come together…what can really potentially happen on that side of things?”

Dangerous surroundings. Attackers are focused on more than just election systems, targeting weak links in campaigns with a variety of tactics, including deepfakes, to access valuable troves of information that political organizations can have access to.

Influence campaigns aimed at elections can undermine trust and don’t even need to fully succeed to cause disruption, as Bobby Ford, chief strategy and experience officer at defense platform Doppel, told IT Brew in June.

“It is still beneficial for me to compromise your system and to steal your data, but I don’t even have to go that far anymore,” Ford said. “All I need to do is plant a deepfake, or launch a deepfake, and I can impersonate whoever it is that’s running for office…If I can sow that seed of doubt…I don’t need to have an intrusion on your system, I can just influence the campaign that way.”

Luckily, Mehrotra said, election systems are quite secure.

“They are significantly more resilient, and have been over the last decade or so,” Mehrotra told IT Brew. “The industry has also learned a great deal from previous election cycles, so the first principles of security exist within the critical infrastructure—and I honestly believe that they are much more resilient than we probably may want to believe today in the AI era.”

Approach. Managing a plethora of threats like that requires a diversity of tactics. Jones told IT Brew that education and security hygiene both serve a purpose in addressing the issue and should be used by IT teams to help their organizations. In that way, election systems and campaigns are like any other organization.

“The right way to solve this problem is to have a bunch of different interventions,” Jones said. “You don’t just solve this with training alone or simulation alone, there’s a need to solve it in a variety of different ways.”