Election Crime Bureau

Made possible by the Lindell Offense Fund

Risks Inherent with VPN Connections Used to Manage Election Systems

Election officials and machine vendors routinely claim that their systems are “air-gapped” and “not connected to the internet”. Such assertions give the general public a false sense of security about electronic voting systems. When pressed by technically savvy investigators, the same individuals often concede that their election systems do have remote connections, but maintain that those connections are secured by Virtual Private Networks (VPNs).

Use of VPNs in Election Systems

Election infrastructure uses VPNs in four primary documented configurations:
  • EMS-to-County Network Links: Election management system (EMS) workstations connect to internal county networks. If any device on that network is internet-connected, the EMS is exposed to lateral movement from it.
  • State Voter Registration Access: Local workstations connect to statewide voter registration databases for real-time updates and queries.
  • Cellular Modem Transmission: Precinct tabulators use cellular “mobile private networks” to transmit unofficial election-night results. Although described as FIPS-compliant tunnels, they function as VPNs spanning from the precinct to a central server.
  • Vendor Remote Access: Election vendors (such as ES&S) have historically used tools like pcAnywhere for remote maintenance on EMS workstations.
NIST and the Center for Internet Security (CIS) place these connected technologies in the highest-risk class of election technology. NIST warns that an EMS connected to any network device with internet access provides an exploitable path for delivering malware to voting machine memory cards.

Failure Modes and Effects Analysis

Because the federal government has designated election systems as “critical infrastructure”, a correspondingly rigorous security analysis is warranted. A method engineers routinely apply to critical systems is Failure Modes and Effects Analysis (FMEA).

An FMEA is a structured risk assessment methodology used to identify discrete potential failures within a system and map mitigating controls to each one. In an FMEA, every identified failure mode is evaluated across three dimensions, each typically scored on a scale from 1 to 10:
  • Severity (S): The impact if the failure occurs, from minor operational disruption (1) to catastrophic damage (10).
  • Occurrence (O): The likelihood that the failure will materialize.
  • Detection (D): The difficulty of detecting the failure before it causes harm; a higher score means the failure is harder to detect.
Once these dimensions are scored, a Risk Priority Number (RPN) is calculated by multiplying the three factors together (RPN = S × O × D), giving a range of 1 to 1000.

The RPN provides a standardized way to evaluate and prioritize risks. For example, an RPN between 1 and 100 is considered a low priority, while an RPN over 500 designates a critical threat that requires immediate remediation.
The following table details the lifecycle failure modes for VPNs applied to election system management.
#   Component             Failure Mode                  Potential Effect                               S   O   D   RPN
1   VPN Appliance         Unpatched CVE Exploitation    Remote code execution; access to EMS/Voter DB  9   8   7   504
2   Credential Mgmt       Stolen/Weak Credentials       Unauthorized network access as an official     9   7   7   441
3   Vendor Access         Unauthorized Remote Access    Covert modification of ballot definitions      10  5   8   400
4   Cellular/Private Net  Misconfiguration              Results intercepted/manipulated in transit     9   5   8   360
5   Split Tunneling       Simultaneous Internet Path    Malware exfiltrates data via unmonitored path  8   6   8   384
6   MFA Absence           Single-factor Auth Bypass     Attacker authenticates as legitimate official  9   6   6   324
7   Logging/Monitor       Logs not retained/reviewed    Post-incident forensics impossible             8   7   9   504
8   Certificate Mgmt      Expired/Self-signed Certs     MITM attack intercepts election traffic        8   4   6   192
9   Lateral Movement      Pivot from County Net to EMS  Ballot programming or result data altered      10  5   7   350
10  Endpoint Health       Compromised Workstation       Malware traverses VPN tunnel to the EMS        10  5   7   350
11  Insider Threat        Authorized User Abuse         Unauthorized configuration changes             9   3   8   216
12  DNS Hijacking         Malicious Name Resolution     Traffic redirected to spoofed EMS/harvesting   7   4   7   196
13  Service Availability  VPN Outage/DDoS               Delayed results reporting; eroded confidence   6   5   4   120
14  Supply Chain          Trojanized Firmware           Persistent covert access by state actors       10  3   10  300
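
The scoring described above, carried out over the table's own rows as an added worked example (this is not part of the original analysis): each row's RPN is recomputed from S, O and D, cross-checked against the printed value, ranked, and assigned a band using the thresholds the text states. The row data are transcribed from the table; the label “high” for the band between 100 and 500 is this example's own assumption, since the page does not name it.

```python
"""FMEA scoring for the VPN failure-mode table above (added example, not the
page's own tooling). RPN = S x O x D as the text defines it; bands follow the
text's thresholds (1-100 low, over 500 critical). "high" is an assumed label."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    number: int
    component: str
    failure_mode: str
    severity: int     # S, 1-10
    occurrence: int   # O, 1-10
    detection: int    # D, 1-10; higher means harder to detect
    stated_rpn: int   # the RPN printed in the table, kept for cross-checking

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1-10, got {value}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


# Transcribed from the table above.
ROWS = [
    FailureMode(1, "VPN Appliance", "Unpatched CVE Exploitation", 9, 8, 7, 504),
    FailureMode(2, "Credential Mgmt", "Stolen/Weak Credentials", 9, 7, 7, 441),
    FailureMode(3, "Vendor Access", "Unauthorized Remote Access", 10, 5, 8, 400),
    FailureMode(4, "Cellular/Private Net", "Misconfiguration", 9, 5, 8, 360),
    FailureMode(5, "Split Tunneling", "Simultaneous Internet Path", 8, 6, 8, 384),
    FailureMode(6, "MFA Absence", "Single-factor Auth Bypass", 9, 6, 6, 324),
    FailureMode(7, "Logging/Monitor", "Logs not retained/reviewed", 8, 7, 9, 504),
    FailureMode(8, "Certificate Mgmt", "Expired/Self-signed Certs", 8, 4, 6, 192),
    FailureMode(9, "Lateral Movement", "Pivot from County Net to EMS", 10, 5, 7, 350),
    FailureMode(10, "Endpoint Health", "Compromised Workstation", 10, 5, 7, 350),
    FailureMode(11, "Insider Threat", "Authorized User Abuse", 9, 3, 8, 216),
    FailureMode(12, "DNS Hijacking", "Malicious Name Resolution", 7, 4, 7, 196),
    FailureMode(13, "Service Availability", "VPN Outage/DDoS", 6, 5, 4, 120),
    FailureMode(14, "Supply Chain", "Trojanized Firmware", 10, 3, 10, 300),
]


def priority_band(rpn: int) -> str:
    """Map an RPN to the bands the text describes."""
    if rpn <= 100:
        return "low"
    if rpn > 500:
        return "critical"
    return "high"   # assumed label for 101-500; the page does not name this band


def mismatched_rows(rows) -> list:
    """Row numbers whose printed RPN differs from S x O x D (transcription errors)."""
    return [r.number for r in rows if r.rpn != r.stated_rpn]


def ranked(rows) -> list:
    """Highest RPN first; ties broken by severity, then by table order."""
    return sorted(rows, key=lambda r: (-r.rpn, -r.severity, r.number))


def top_rows(rows, n: int) -> list:
    """Row numbers of the n highest-ranked failure modes."""
    return [r.number for r in ranked(rows)[:n]]


if __name__ == "__main__":
    bad = mismatched_rows(ROWS)
    print("rows with arithmetic errors:", bad or "none")
    for r in ranked(ROWS):
        print(f"{r.number:>2}  RPN {r.rpn:>3}  {priority_band(r.rpn):<8} "
              f"{r.component}: {r.failure_mode}")
```

Run as a script it prints the table ranked by RPN. Two things the ranking makes visible that the prose does not: row 7 (logs not retained or reviewed) ties row 1 at the top, and the rows singled out as critical risks in the next section are not simply the five highest scores.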

Critical Risks

Under the thresholds above, an RPN over 500 is critical and anything above 100 already sits outside the low band; where exactly the cut-off for “critical” is drawn varies between FMEA practitioners, but the rows highlighted below score highest in the table. Five of those failure modes are discussed here. Row 7 (logs not retained or reviewed) ties row 1 at 504 and is addressed together with it under Critical Risk 1; rows 9 and 10, which share a score of 350, are treated together under Critical Risk 5.
CRITICAL RISK 1: CVE Exploitation and Monitoring (RPN 504)

Advanced Persistent Threat (APT) groups have been observed chaining VPN vulnerabilities (in Pulse Secure, Fortinet and Ivanti products, among others) with Windows flaws such as Zerologon (CVE-2020-1472) to compromise Active Directory and pivot to election-support systems. Exploitation of an unpatched appliance (row 1) is only half of this risk: the detection score of 9 on row 7 reflects that VPN logs are rarely retained or reviewed, a gap widened by the termination of EI-ISAC funding, which removes the centralized threat alerting jurisdictions rely on to see active campaigns.

CRITICAL RISK 2: Credential Theft (RPN 441)

Credential-based attacks do not require sophisticated exploits. Attackers harvest credentials via phishing or buy them on criminal markets. In 2024, Man-in-the-Middle (MITM) attacks accounted for 23% of identity-related incidents, often bypassing one-time-code MFA through real-time phishing proxies that relay the victim's login to the genuine service and capture the resulting authenticated session.

CRITICAL RISK 3: Vendor Remote Access (RPN 400)

Historical precedent makes this risk concrete: ES&S admitted to installing pcAnywhere on EMS workstations sold between 2000 and 2006, and the later theft of pcAnywhere's source code from its maker exposed those deployments. The modern form of the same risk is the persistent vendor account that is never deprovisioned after maintenance, leaving a standing remote path into the EMS.
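
The two review gaps raised under Critical Risk 1 (logs nobody reviews) and Critical Risk 3 (vendor accounts used outside approved maintenance) are the kind of thing a short log review catches when it is actually run. The following is an added example for this page, not code from the original or from any vendor: it reads one-event-per-line VPN authentication logs and flags logins during an election-period lockdown, vendor accounts used outside a maintenance window, successful logins from outside the county's known egress range, and bursts of failed logins. The log format, account names, addresses (documentation ranges) and policy values are all constructed assumptions.

```python
"""Policy review over VPN authentication events (added example; the log format,
accounts, addresses and policy values below are constructed for illustration)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed one-event-per-line format: "<ISO-8601 UTC> <host> user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed policy for the example jurisdiction (illustrative values, not from the page).
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]   # county office egress range
VENDOR_PREFIX = "vendor-"                                      # naming convention for vendor accounts
MAINTENANCE_WINDOWS = [(_utc("2024-10-30T09:00:00Z"), _utc("2024-10-30T12:00:00Z"))]
LOCKDOWN = (_utc("2024-11-04T18:00:00Z"), _utc("2024-11-06T06:00:00Z"))  # no remote access at all
FAILURE_THRESHOLD = 5                   # this many failures from one source ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window is treated as a burst


def parse_line(line: str):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = _utc(ev["ts"])
    return ev


def _inside(t: datetime, windows) -> bool:
    return any(start <= t < end for start, end in windows)


def _trusted(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_SOURCES)


def review(lines) -> list:
    """Return (rule, timestamp, user, src) tuples for every event that violates policy."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue   # malformed line: skip it rather than abort the whole review
        t, user, src = ev["time"], ev["user"], ev["src"]
        key = (ev["ts"], user, src)
        if ev["result"] == "failure":
            recent = failures[src]
            recent.append(t)
            while recent and t - recent[0] > FAILURE_WINDOW:
                recent.popleft()
            if len(recent) == FAILURE_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("auth_failure_burst",) + key)
            continue
        if _inside(t, [LOCKDOWN]):
            alerts.append(("lockdown_login",) + key)
        if user.startswith(VENDOR_PREFIX) and not _inside(t, MAINTENANCE_WINDOWS):
            alerts.append(("vendor_outside_window",) + key)
        if not _trusted(src):
            alerts.append(("untrusted_source",) + key)
    return alerts


# Constructed sample log for this example.
SAMPLE_LOG = """
2024-10-28T14:02:11Z vpn01 user=jdoe src=198.51.100.22 result=success
2024-10-29T01:17:45Z vpn01 user=vendor-maint src=203.0.113.9 result=success
2024-10-30T10:05:00Z vpn01 user=vendor-maint src=198.51.100.40 result=success
2024-11-01T22:00:01Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-01T22:00:40Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-01T22:01:15Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-01T22:02:02Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-01T22:03:30Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-01T22:04:30Z vpn01 user=admin src=203.0.113.77 result=failure
2024-11-05T03:12:00Z vpn01 user=asmith src=198.51.100.23 result=success
vpn01 restarted: this line is deliberately malformed and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

On the sample, the vendor login at 01:17 on 29 October is flagged twice (outside the maintenance window and from an unknown address), the same account's login inside the window from the office range passes, the six failures from 203.0.113.77 produce a single burst alert, and the successful login at 03:12 on 5 November trips the election-period lockdown. None of this requires a SIEM; it requires that the logs exist, are kept, and are read.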

CRITICAL RISK 4: Split Tunneling (RPN 384)

Split tunneling allows an election workstation to maintain a simultaneous connection to the open internet and the protected EMS. This creates an unmonitored “backdoor” where malware can be downloaded via the internet path and then traverse the VPN tunnel to reach the EMS and infect voting machine memory cards.
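
Whether a workstation is split-tunneled is visible in its routing table, so the condition above can be checked rather than taken on trust. The following is an added example for this page, not code from the original: it parses the output of `ip route show` on a Linux host, resolves which interface would carry traffic to an arbitrary internet address by longest-prefix match, and reports split tunneling when that interface is not the VPN's. The two routing tables are constructed samples, and the assumption that VPN interfaces are named tun*/tap*/wg*/ppp*/ipsec* is this example's own.

```python
"""Split-tunnel check from a Linux routing table (added example; sample tables
and the VPN interface naming convention are assumptions made for illustration)."""
import ipaddress
import re

VPN_IFACE_RE = re.compile(r"^(tun|tap|wg|ppp|ipsec)\d*$")   # assumed naming convention


def parse_routes(text: str) -> list:
    """Turn `ip route show` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)   # "203.0.113.5" becomes a /32 host route
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes: list, dst: str):
    """Longest-prefix match, lowest metric on ties: the device the kernel would use."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, metric in routes:
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, dev, metric)
    return best[1] if best else None


def tunnel_posture(route_text: str, probe: str = "198.51.100.77") -> dict:
    """probe is any address outside the local and VPN networks (a documentation address here)."""
    dev = egress_device(parse_routes(route_text), probe)
    via_vpn = dev is not None and VPN_IFACE_RE.match(dev) is not None
    return {"internet_device": dev, "split_tunnel": not via_vpn}


# Constructed sample 1: the VPN carries only the EMS/county prefix; all other traffic leaves via eth0.
SPLIT_ROUTES = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""

# Constructed sample 2: full tunnel in the OpenVPN redirect-gateway style (0/1 and 128/1 override
# the default route); only the VPN server itself (203.0.113.5) is reached directly.
FULL_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""

if __name__ == "__main__":
    for name, table in (("sample 1", SPLIT_ROUTES), ("sample 2", FULL_ROUTES)):
        print(name, tunnel_posture(table))
```

To check a real workstation, pass the text of `ip route show` to tunnel_posture(). A result of split_tunnel=True with the EMS prefix routed over tun0 is exactly the configuration described above: an open internet path and a tunnel into the EMS, on the same host at the same time.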

CRITICAL RISK 5: Lateral Movement and Endpoint Compromise (RPN 350)

NIST and the National Academies of Sciences have identified electronic ballot alteration as a credible threat when voting systems are networked. If an EMS is connected to a county network that contains even one internet-facing device, the EMS is effectively connected to the internet, and any compromised workstation on that network can carry malware across the VPN tunnel to it (rows 9 and 10 of the table).

Risk Multipliers

The overall risk posture is elevated by several systemic issues:
  • Aging Infrastructure: Systems are frequently 10+ years old, running unsupported software that cannot be patched against modern CVEs.
  • Reduced Oversight: The cessation of CISA election support and EI-ISAC funding leaves local officials without real-time threat intelligence.
  • Certification Gaps: In 2019, researchers found nearly three dozen U.S. voting systems reachable online despite claims of air-gapping. Furthermore, some cellular modem add-ons (such as those from ES&S) have been documented as failing to meet U.S. Election Assistance Commission certification guidelines.

Conclusion

VPN connections in election infrastructure represent a concentrated, well-documented attack surface that nation-state APT groups have actively exploited against government networks using publicly available tooling. The highest-RPN failure modes in the table (unpatched appliance CVEs, logs that are not retained or reviewed, stolen credentials, vendor remote access abuse, split tunneling, and cellular modem misconfiguration) are all technically remediable through known controls. The primary barrier is implementation discipline at the county and state level, which has become harder to enforce with the elimination of federal election-security support infrastructure. For election integrity investigators and legal proceedings, the FMEA framework provides a structured methodology for establishing that identified VPN configurations represent objectively documentable deviations from reasonable security practice, independent of whether exploitation can be proven in any specific election.

Citations

  1. Election Systems and Their Network Connections – Any given piece of election technology fits into one of three classes of “connectedness” based on ho…
  2. NSA, CISA Release Guidance on Selecting and Hardening Remote … – The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) release…
  3. Managing Remote Connections – Essential Guide to Election Security – VPNs encrypt and transmit data, allowing a user to securely connect to the internet or access a remo…
  4. Attackers chain Windows, VPN flaws to target US government … – APT groups have been spotted chaining flaws in Windows and VPN services to target US government agen…
  5. FMEA RPN – Risk Priority Number. How to Calculate and Evaluate? – Severity, Occurrence, and Detection indexes are derived from the failure mode and effects analysis: …
  6. FMEA Ratings — Severity, Occurrence & Detection SOD Tables (1–10) – Risk Priority Number (RPN) is calculated by multiplying three FMEA ratings: Severity (S) × Occurrenc…
  7. CISA halts support for states on election security, U.S. official confirms – The federal government has paused its support for cyber and physical security activities that state …
  8. Security Recommendations | NIST – Election officials are encouraged to take the following steps to ensure their voting systems are iso…
  9. Transmission of Unofficial Election Results FAQs – In a few states it is a legal practice to use cellular modems to transmit unofficial election result…
  10. [PDF] How It Works: Private Network for Unofficial Results Transmission – In a number of states, it is a legal practice to use cellular modems to transmit unofficial election…
  11. Top Voting Machine Vendor Admits It Installed Remote-Access … – The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the compan…
  12. Vendor admits election systems included remote software | TechTarget – Election system security put into question again as a vendor admitted to Sen. Ron Wyden that it had …
  13. Risk Priority Number – an overview | ScienceDirect Topics – In this method, three factors, Occurrence (O), Detection (D), and Severity (S), are used to test fai…
  14. FMEA Risk Priority Number Interactive Calculator – Instructions Video – … Severity (S), Occurrence (O), and Detection (D). The formula is RPN = S × O × D, where each fact…
  15. Vulnerabilities exploited in VPN products used worldwide – The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vul…
  16. Ivanti VPN Vulnerability: What You Need to Know – Palo Alto Networks – Chinese state-sponsored hackers have targeted recently announced vulnerabilities in Ivanti VPN produ…
  17. The hidden risks of VPN split tunnelling (and how to manage them) – Split tunnelling can boost VPN performance, but at what cost? Learn the security risks, real-world s…
  18. Split Tunneling – BlackFog – Split tunneling allows organizations to divide internet connections into two separate streams. This …
  19. What is VPN Split Tunneling? – Fortinet – VPN split tunneling allows traffic to be routed through a VPN and a local network at the same time. …
  20. Man-in-the-middle attack: Definition + types – Norton – A man-in-the-middle attack involves a cybercriminal placing themselves in the middle of two parties …
  21. What Is a Man-in-the-Middle (MITM) Attack? – Palo Alto Networks – A man-in-the-middle (MitM) attack is a form of cyber eavesdropping where a threat actor intercepts c…
  22. Defending Against Man-in-the-Middle Attacks | MITM – Snyk – State-sponsored attackers have used MITM tactics to intercept proprietary data via compromised VPN t…
  23. Election Security and Cybersecurity – Election security encompasses the technical, procedural, and regulatory measures applied to protect …
  24. How Secure Are U.S. Electronic Voting Systems? | Econofact – Vulnerabilities in voting equipment can be reduced by implementing best practices, including paper r…
  25. How to prevent Man-in-the-Middle Attacks | Post-Quantum Security … – This article covers man-in-the-middle (MITM) attacks, detailing how they work, common techniques lik…
  26. Cyber threats to elections – Canadian Centre for Cyber Security – Leading up to and during an election, cyber threat actors may launch cyber attacks to: disrupt elect…
  27. Election Security – EPIC – Electronic Privacy Information Center – Election systems include public election websites, voter registration systems, voting systems that a…
  28. [PDF] Managing Cybersecurity Supply Chain Risks in Election Technology – A Handbook for Elections Infrastructure Security, developed to describe the general threats that exi…
  29. Public Citizen Calls on Largest Voting Machine Vendor to Stop … – WASHINGTON, D.C. – Election Systems and Software (ES&S) must stop selling vote counting machines wit…
  30. Chapter: 5 Ensuring the Integrity of Elections – Voting equipment failures or inadequate supplies could prevent vote collection. After votes have bee…
  31. Election Security | Brennan Center for Justice – Our aging voting infrastructure leaves the U.S. election system vulnerable to attack and causes long…
  32. ‘Online and vulnerable’: Experts find nearly three dozen U.S. voting … – Election officials have claimed that voting machines do not connect to the internet, but a team of e…
  33. Election commission orders top voting machine vendor to … – Politico – This isn’t the first time Election Systems & Software has faced accusations of making fabricated or …