The designation of U.S. election systems as critical infrastructure is rooted in the broader federal critical‑infrastructure framework that emerged in the late 1990s and early 2000s, particularly after the USA PATRIOT Act formalized the concept and definition of “critical infrastructure” following the 9/11 attacks. In January 2017 under the Obama Administration, then‑DHS Secretary Jeh Johnson formally classified election infrastructure—including voter registration databases, voting machines, election‑management IT systems, and related facilities—as a subsector of the Government Facilities critical‑infrastructure sector, placing it alongside sectors such as the power grid and financial system. The move was a direct response to mounting evidence of foreign cyber probing and intrusions into state and local election systems during the 2016 cycle, especially attacks on voter‑registration databases in multiple states.[1]
Substantively, the designation does not federalize or transfer legal control of elections away from states and localities; instead, it makes election systems an official national‑security priority and unlocks a set of support tools and protective regimes. As critical infrastructure, election officials gain prioritized access to DHS and CISA services such as enhanced threat intelligence, incident response, risk and vulnerability assessments, penetration testing, and cybersecurity best‑practice guidance, similar to support offered to other critical sectors. The designation also integrates elections into the National Infrastructure Protection Plan structure, with a dedicated Election Infrastructure Subsector, a Government Coordinating Council, and the Election Infrastructure Information Sharing and Analysis Center (EI‑ISAC) to facilitate 24/7 information sharing about threats and incidents. DHS contracted with the Non-Government Organization (NGO) Center for Internet Security (CIS) to stand up and operate the EI-ISAC on behalf of state, local, tribal, and territorial election offices.
Legally and politically, the critical‑infrastructure label carries several important implications. First, it signals to foreign adversaries that attacks on U.S. election systems are viewed through the same lens as attacks on other vital national assets, helping to undergird emerging norms of cyber deterrence. Second, it strengthens confidentiality and protection for certain sensitive security‑related information that election officials share with DHS, including through regimes like Protected Critical Infrastructure Information (PCII), which can be shielded from public disclosure, regulatory use, and some litigation. Third, it has been a point of contention in federal‑state relations: some state officials objected that the designation could become a vehicle for federal overreach into constitutionally state‑run elections, while others welcomed the additional resources and coordination it brought. Together, these historical and legal developments make the critical‑infrastructure designation a central pillar of the post‑2016 election‑security architecture in the United States.