Crappy Email Security Could Be the Next Big Threat to American Elections: Report

People use electronic voting machines to cast their ballot in the midterm elections at Neighborhood Congregational Church in Laguna Beach, California on election day in 2018.
Photo: Robyn Beck (Getty Images)

Given the embarrassing catastrophe that was the 2016 presidential election, staving off cyberattacks and foreign influence campaigns is a top priority for election officials nationwide as we get closer to November. Apparently, though, no one thought to apply that same level of scrutiny to their emails. Who’d have thought phishing scams would be the downfall of democracy?


Research firm Area 1 Security published a report Sunday (via the Wall Street Journal) that tracked more than 10,000 local officials and found that more than half used email systems with “rudimentary or non-standard” anti-phishing safeguards. Only 18.6% of election administrators employed “advanced anti-phishing cybersecurity controls,” and more than 600 officials simply used their personal email addresses to conduct election-related business.

(Sadly, the report didn’t mention whether any of them used cringey handles, like, say, or

Area 1 Security also found that six jurisdictions in Maine, Michigan, Missouri, and New Hampshire relied on an unpatched version of Exim, free email software that has been targeted by Russian hackers in the past. As the Journal notes, the National Security Agency released a federal warning in May about the Russian intelligence service known as the GRU and how it had been exploiting flaws in this software to launch cyberattacks and disable security settings since 2019. These flaws were patched in later versions of Exim, but it seems even election officials drag their feet and click “update later” when that annoying prompt pops up.

Thankfully, security experts say that counties don’t typically connect their email systems with the same networks responsible for counting votes or housing registration information, so these kinds of vulnerabilities wouldn’t necessarily allow bad actors to hack in and influence vote tallies.

However, a security breach at any level in the election infrastructure can deal a devastating blow to voter confidence. We saw it happen in 2016 when Russian hackers broke into the election systems of two Florida counties. Email system vulnerabilities leave election officials open to ransomware, phishing-based campaigns, and other malicious software delivered via email, the Journal reports, which not only disrupt their ability to do their job but can also tank the public’s confidence in election results.


“The biggest danger in my view is not actual vote changing,” said J. Michael Daniel, CEO of the non-profit cybersecurity group the Cyber Threat Alliance, in an interview with the outlet. “That’s actually really hard to do at scale in a way that would actually have a significant impact. But what you would be concerned about is undermining people’s confidence. It starts to raise these questions about what you can trust.”


Given that Russian hackers previously made phishing attempts on high-profile targets in 2018, there’s a good chance state-sponsored actors could make a similar attack on the 2020 presidential election. However, counties already have their hands full scrambling to accommodate social distancing measures and other health precautions since, you know, there’s a literal pandemic going on. And the $400 million in election assistance allocated as part of Congress’s stimulus deal falls far short of the billions of dollars that experts predict state and local officials need to keep voters safe at the polls.

In short, resources are spread thin, even given the estimated $1.2 billion in federal funds for election security that states have received in the four years since the last presidential election, per the Journal.


“Unquestionably, we are better off than we were in 2016,” Daniel told the outlet. “But better off does not mean that we are where we need to be.”

So I guess we’ll just have to keep our fingers crossed. Anyone know if the witches on TikTok could hex some hackers if we asked them nicely?


[Wall Street Journal]



Again with the Russia... Anyone who’s paid attention to the history of voting in this country shouldn’t be confident in the system as a matter of principle, especially not with our modern hackable pieces of junk...

I am committed to helping Ohio deliver its electoral votes to [George W. Bush].

—Diebold CEO (not GRU agent) Walden O’Dell, 2004.

And never underestimate good old-fashioned incompetence. Just look at the disaster coming out of New York’s 12th thanks to slapdash orders and a system not even remotely prepared for it.

...up to 1 in 5 mail-in ballots were declared invalid before even being opened...

Ballots that arrived to the BOE before or on June 23, Election Day, with or without a postmark are valid. Ballots that arrived by the cutoff of June 30 with a postmark of June 23 or earlier are valid. Ballots that arrived before June 30 but have no postmark or a postmark of the 24th, which many had, likely due to what the BOE called “USPS error,” Patel said — those are invalid, automatically.

Count every vote* (Restrictions apply. See terms and conditions. Offer not valid in all locations.)