Stop Panicking About Federal Election Security (Do This Instead)

Stop Panicking About Federal Election Security (Do This Instead)

The mainstream media is obsessed with a dangerous myth: the belief that American democracy lives or dies by the grace of federal cybersecurity agencies in Washington, D.C.

For years, the consensus narrative has been simple, linear, and utterly wrong. The story goes that by disrupting federal agencies, firing key administrators at the Cybersecurity and Infrastructure Security Agency (CISA), and questioning national standards, political figures "dismantled" the nation's election security.

This narrative is not just lazy; it is actively dangerous. It treats national security like a corporate IT department where a change in executive leadership leaves the entire network vulnerable to a single hacker.

That is not how American elections work. In fact, the obsession with a centralized, federalized defense shield is the single greatest threat to our voting systems. The loudest critics of political interference in federal agencies are the ones missing the actual mechanics of how votes are secured, counted, and verified.

The real, unvarnished truth is that federal disruption did not ruin our election security. It forced us to look at the only system that actually works: radical, low-tech decentralization.


The Monoculture Trap of Federal Centralization

In cybersecurity, centralization is a vulnerability, not a strength.

I have watched bloated federal agencies burn millions of dollars on high-level administrative playbooks, theoretical threat models, and endless coordination meetings that do absolutely nothing to secure a physical voting booth in rural Wisconsin. When you try to build a unified, top-down federal security apparatus for elections, you are accidentally designing a monoculture of defense.

A monoculture means everyone uses the same software, follows the same federal directives, and relies on the exact same threat-intelligence feeds. For an advanced nation-state adversary—like Russia, China, or Iran—a monoculture is a dream come true. They do not have to figure out 10,000 different local systems. They only have to find one single vulnerability in the federal standard, one compromised node in a shared national database, or one blind spot in CISA’s central warning network.

Consider the structural reality of American voting. The United States does not have a national election. It has over 10,000 individual, localized elections run by independent counties and municipalities, each operating under distinct state laws, using different voting machines, and employing varying counting procedures.

This extreme, chaotic fragmentation is not an administrative failure. It is our absolute best security defense.

  • No Single Point of Failure: There is no master switch. There is no central server containing the votes of all Americans that a hacker in St. Petersburg can infiltrate.
  • Asymmetrical Infrastructure: A hacker cannot write a single script to alter the vote count because the county next door is using entirely different scanners, database architectures, and reporting protocols.
  • Physical Air Gapping: Voting machines are, by design and law, not connected to the public internet. To change a meaningful number of votes digitally, an adversary would need physical access to thousands of separate, locked local election offices across different state jurisdictions.

When critics wring their hands over the erosion of federal oversight, they are mourning a bureaucratic illusion. Washington does not run elections. Local clerks, temporary workers, and volunteer poll watchers do.


The Low-Tech Triumph: Paper Beats Pixels

The most critical upgrade in election security over the last decade did not come from sophisticated cyber defense tools or federal agency directives. It came from a return to the most basic, analog technology available: paper.

In 2016, a significant portion of the country voted on paperless Direct Recording Electronic (DRE) voting machines. These systems were a security disaster. If a touch-screen machine has no physical paper trail, any software bug, malicious code, or hardware glitch can alter the tally permanently, leaving no way to verify what the voter actually intended.

Today, that vulnerability has been largely eliminated. In the 2024 election, roughly 98 percent of all votes were cast using systems that generate a voter-verified paper trail, up from just 82 percent in 2016.

[Voter Marks Paper Ballot] ──> [Optical Scanner Counts Vote] ──> [Paper Ballot Locked in Secure Bin]
                                                                        │
                                                                 (Audited by Hand)

This is the real security engine. The voter marks a paper ballot—either by hand or via a ballot-marking device—reviews the physical paper to confirm it is correct, and feeds it into an optical scanner. The scanner counts the digital tally, but the paper ballot remains locked in a secure, physical bin.

If an adversary hacks the scanner's software, the digital tally might be wrong. But the physical paper record cannot be hacked from a laptop across the globe. Post-election audits, where officials hand-count the physical paper ballots from random precincts and compare them to the machine counts, will immediately expose any digital manipulation.

This is not a high-tech solution. It is a low-tech fail-safe. Yet, the media continues to focus on federal cybersecurity funding and high-level defense protocols, ignoring the fact that a locked box of paper and a bipartisan group of local citizens with magnifying glasses is infinitely more secure than any firewall.


The CISA Drama: Distraction vs. Reality

Let us address the elephant in the room: the firing of CISA leadership and the systematic attack on the agency's authority.

To hear the media tell it, these moves left the nation's critical systems defenseless. But this perspective fundamentally misunderstands the constitutional and operational boundaries of federal power.

The President of the United States has zero constitutional authority over how states run, secure, or certify their elections. CISA is an advisory body. It does not own the voting machines. It does not run the voter registration databases. It cannot force a single county clerk in Texas or Georgia to change their passwords, upgrade their software, or audit their systems. CISA offers advice, threat sharing, and voluntary vulnerability scans.

When the federal government attempts to overstep this advisory role and treat local election systems as federal "critical infrastructure" in a heavy-handed way, it creates friction. It breeds distrust among state officials who guard their constitutional authority fiercely.

When Washington bureaucrats try to run the show, local officials stop treating security as an operational priority and start treating it as a compliance exercise. They fill out federal forms and check administrative boxes instead of securing their actual physical perimeters.

By disrupting the centralized federal authority, the political chaos did something unexpected: it shattered the false sense of security that a federal shield was protecting everyone. It forced state legislatures and local governments to realize that if they wanted their systems secured, they had to do it themselves.

The result? Since 2020, we have seen an explosion of state-level initiatives. Many states launched "cyber navigator" programs—hiring dedicated, state-funded security experts to travel from county to county, working directly with local clerks to shore up actual vulnerabilities rather than reading theoretical whitepapers from Washington.


The True Vulnerability: The Local Resource Gap

If you want to find where our elections are actually vulnerable, stop looking at CISA's budget. Look at the local county clerk's budget.

While we spend years debating federal appointments in the capital, the real, boring work of election security is starved of resources. Many local election offices are run by part-time clerks who also manage the county's marriage licenses, property records, and dog registrations. They do not have IT departments. They do not have dedicated security budgets.

Area of Concern The Federal Bureaucratic Illusion The Local Operational Reality
Cybersecurity Complex multi-agency threat intelligence sharing portals. A county clerk clicking a phishing link because they lack basic email security training.
System Integrity High-level federal certifications for voting machine software. Lack of physical security, poor lock control, or unmonitored security cameras in ballot storage rooms.
Personnel National security clearances for election administrators. High turnover rates, harassment of volunteer poll workers, and lack of training for temporary staff.

Imagine a scenario where a state-of-the-art adversary wants to disrupt an election. They do not need to hack a voting machine. They do not need to bypass federal encryption standards.

They simply find a poorly funded county in a swing state, send a basic spear-phishing email to the local clerk's outdated inbox, gain access to the county's voter registration system, and delete or alter 5% of the voter records.

On election day, thousands of voters show up and are told they are not registered. The polling places descend into chaos. Long lines form, tempers flare, and the media reports massive "election irregularities." The adversary did not change a single vote, but they successfully destroyed public confidence in the outcome.

No amount of federal posturing or high-level threat sharing prevents that scenario. Only direct, localized funding for basic IT infrastructure, email security, and staff training does.

The single greatest failure of the post-2016 election security movement was directing billions of dollars toward federal agencies and academic research hubs instead of funneling it directly to the local jurisdictions that actually run the precincts.


Stop Chasing the Illusion of Perfect Security

The pursuit of absolute, impenetrable digital security for elections is a fool’s errand. If a system is digital, it can be compromised.

The goal should not be to build a perfect, unhackable system under federal guidance. The goal must be to build a system that is resilient to failure—a system that assumes compromise will happen and has the physical, verifiable mechanisms to catch and correct those failures before the results are certified.

This means we must stop treating election security as a partisan talking point about who controls federal agencies. We must accept the inherent limitations of technology, embrace the messy decentralization of our system, and double down on the physical processes that keep it honest.

If we want to secure our democracy, we must stop looking to Washington for a savior. We must focus entirely on the local level, funding the boring, unsexy, physical defenses that actually protect the ballot box.

The strength of American democracy is not its centralized strength. It is its decentralized chaos. It is time we start treating it that way.

AR

Adrian Rodriguez

Drawing on years of industry experience, Adrian Rodriguez provides thoughtful commentary and well-sourced reporting on the issues that shape our world.