Election Crime Bureau

Made possible by the Lindell Offense Fund

EAC governance system is an insulated “circle of trust” that lacks independent oversight needed for the security of critical infrastructure (US)

Disputed Fact

When these elements are combined—foreign-manufactured platforms, vendor-centric designs, VSTLs and CIS operating inside the same ecosystem, and state/local officials willing to violate logging and record-retention laws—the EAC’s security mission becomes structurally incapable of detecting or correcting the most damaging risks.

  • CISA’s EI data show pervasive phishing weaknesses (73% of assessed EI entities), long patching delays (median >90 days for critical/high vulnerabilities), and extensive use of unsupported software, exactly the conditions in which sophisticated foreign adversaries and criminal groups excel at gaining and maintaining covert access.
  • Because the same small circle designs, configures, certifies, and later investigates these systems, any successful intrusion that leverages supply-chain tampering, out-of-band management, weak configurations, or deleted logs can be misattributed to “operator error” or simply declared unprovable, preserving vendor reputations and EAC narratives at the expense of verifiable election integrity.

This closed, conflicted circle of trust is itself a demonstrated security risk, and any credible reform of EAC security analysis must begin by replacing it with truly independent, adversarial, and supply-chain-aware scrutiny.

Citations

Assessment of EAC Assertions Regarding Electronic Voting Systems, https://electioncrimebureau.com/the-security-of-electronic-voting-systems-in-the-u-s/