Use of VPNs in Election Systems
- EMS-to-County Network Links: Workstations connect to internal county networks. If any device on that network is internet-connected, the EMS is effectively exposed to lateral movement.
- State Voter Registration Access: Local workstations connect to statewide databases for real-time updates and queries.
- Cellular Modem Transmission: Precinct tabulators use cellular “mobile private networks” to transmit unofficial election-night results. While described as FIPS-compliant tunnels, they function as VPNs spanning from the precinct to a central server.
- Vendor Remote Access: Election vendors (such as ES&S) have historically used tools like pcAnywhere for remote maintenance on EMS workstations.
Failure Modes and Effects Analysis
- Severity (S): The potential impact or consequence if the failure occurs, ranging from minor operational disruptions to catastrophic damage.
- Occurrence (O): The likelihood that the specific failure will materialize.
- Detection (D): The difficulty of detecting the failure before it causes harm.
| # | Component | Failure Mode | Potential Effect | S | O | D | RPN |
|---|---|---|---|---|---|---|---|
| 1 | VPN Appliance | Unpatched CVE Exploitation | Remote code execution; access to EMS/Voter DB | 9 | 8 | 7 | 504 |
| 2 | Credential Mgmt | Stolen/Weak Credentials | Unauthorized network access as an official | 9 | 7 | 7 | 441 |
| 3 | Vendor Access | Unauthorized Remote Access | Covert modification of ballot definitions | 10 | 5 | 8 | 400 |
| 4 | Cellular/Private Net | Misconfiguration | Results intercepted/manipulated in transit | 9 | 5 | 8 | 360 |
| 5 | Split Tunneling | Simultaneous Internet Path | Malware exfiltrates data via unmonitored path | 8 | 6 | 8 | 384 |
| 6 | MFA Absence | Single-factor Auth Bypass | Attacker authenticates as legitimate official | 9 | 6 | 6 | 324 |
| 7 | Logging/Monitor | Logs not retained/reviewed | Post-incident forensics impossible | 8 | 7 | 9 | 504 |
| 8 | Certificate Mgmt | Expired/Self-signed Certs | MITM attack intercepts election traffic | 8 | 4 | 6 | 192 |
| 9 | Lateral Movement | Pivot from County Net to EMS | Ballot programming or result data altered | 10 | 5 | 7 | 350 |
| 10 | Endpoint Health | Compromised Workstation | Malware traverses VPN tunnel to the EMS | 10 | 5 | 7 | 350 |
| 11 | Insider Threat | Authorized User Abuse | Unauthorized configuration changes | 9 | 3 | 8 | 216 |
| 12 | DNS Hijacking | Malicious Name Resolution | Traffic redirected to spoofed EMS/harvesting | 7 | 4 | 7 | 196 |
| 13 | Service Availability | VPN Outage/DDoS | Delayed results reporting; eroded confidence | 6 | 5 | 4 | 120 |
| 14 | Supply Chain | Trojanized Firmware | Persistent covert access by state actors | 10 | 3 | 10 | 300 |
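The following is an added worked example, not part of the report, that computes RPN = S × O × D for the rows of the table above, checks each product against the printed RPN, and ranks the failure modes. Row data is transcribed from the table; the review threshold of 300 is an assumed value.

```python
# Added example: FMEA Risk Priority Numbers for the VPN failure modes in the
# table above. Scores are transcribed from the table; threshold 300 is assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    num: int
    component: str
    s: int          # Severity, 1-10
    o: int          # Occurrence, 1-10
    d: int          # Detection, 1-10 (higher = harder to detect)
    table_rpn: int  # RPN as printed in the table, used for a consistency check

    @property
    def rpn(self) -> int:
        for name, v in (("S", self.s), ("O", self.o), ("D", self.d)):
            if not 1 <= v <= 10:
                raise ValueError(f"row {self.num}: {name}={v} outside 1-10")
        return self.s * self.o * self.d

FAILURE_MODES = [
    FailureMode(1, "VPN Appliance", 9, 8, 7, 504),
    FailureMode(2, "Credential Mgmt", 9, 7, 7, 441),
    FailureMode(3, "Vendor Access", 10, 5, 8, 400),
    FailureMode(4, "Cellular/Private Net", 9, 5, 8, 360),
    FailureMode(5, "Split Tunneling", 8, 6, 8, 384),
    FailureMode(6, "MFA Absence", 9, 6, 6, 324),
    FailureMode(7, "Logging/Monitor", 8, 7, 9, 504),
    FailureMode(8, "Certificate Mgmt", 8, 4, 6, 192),
    FailureMode(9, "Lateral Movement", 10, 5, 7, 350),
    FailureMode(10, "Endpoint Health", 10, 5, 7, 350),
    FailureMode(11, "Insider Threat", 9, 3, 8, 216),
    FailureMode(12, "DNS Hijacking", 7, 4, 7, 196),
    FailureMode(13, "Service Availability", 6, 5, 4, 120),
    FailureMode(14, "Supply Chain", 10, 3, 10, 300),
]

def check_table(modes):
    """Row numbers whose S*O*D disagrees with the RPN printed in the table."""
    return [m.num for m in modes if m.rpn != m.table_rpn]

def rank_by_rpn(modes):
    """Highest RPN first; ties broken by severity, then by row number."""
    return sorted(modes, key=lambda m: (-m.rpn, -m.s, m.num))

def above_threshold(modes, threshold=300):
    """Failure modes that meet the (assumed) review threshold."""
    return [m for m in modes if m.rpn >= threshold]
```

Ranking on RPN alone hides that two rows share 504 with different severities, which is why the sort also breaks ties on S.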
CRITICAL RISK 1: CVE Exploitation and Monitoring (RPN 504)
Advanced Persistent Threat (APT) groups actively “chain” VPN vulnerabilities (such as those in Pulse Secure, Fortinet, and Ivanti) with Windows flaws like Zerologon (CVE-2020-1472). These chains allow attackers to compromise Active Directory and pivot to election-support systems. The detection score of 9 on the logging/monitoring failure mode is driven by the termination of EI-ISAC funding in 2026, which removes the centralized threat alerting necessary for jurisdictions to see active campaigns.
CRITICAL RISK 2: Credential Theft (RPN 441)
Credential-based attacks do not require sophisticated exploits. Attackers harvest credentials via phishing or purchase them on criminal markets. In 2024, Man-in-the-Middle (MITM) attacks accounted for 23% of identity-related incidents, often bypassing standard MFA through real-time phishing proxies.
CRITICAL RISK 3: Vendor Remote Access (RPN 400)
Historical precedents highlight this risk; ES&S admitted to installing pcAnywhere on EMS workstations sold between 2000 and 2006. The subsequent theft of that software’s source code compromised those deployments. Modern risks include persistent vendor accounts that are not deprovisioned after maintenance.
CRITICAL RISK 4: Split Tunneling (RPN 384)
Split tunneling allows an election workstation to maintain a simultaneous connection to the open internet and the protected EMS. This creates an unmonitored “backdoor” where malware can be downloaded via the internet path and then traverse the VPN tunnel to reach the EMS and infect voting machine memory cards.
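One defender-side check for this failure mode, added here as an example and not part of the report: it reads a workstation's routing table and reports split tunneling when the EMS address is reached through the tunnel interface while a public address is not. The route lines, interface names, EMS address and probe address are constructed values.

```python
# Added example: detect split tunneling from a Linux workstation's routing
# table by longest-prefix matching two probe destinations. All routes, device
# names and addresses below are constructed samples, not from any deployment.
import ipaddress

# Constructed: shape of `ip route` output with only the EMS subnet tunnelled.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 scope link
10.50.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
"""
# Constructed: a full-tunnel client, which overrides the default route with
# two /1 routes so every destination goes through tun0.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 scope link
10.8.0.0/24 dev tun0 scope link
"""

def parse_routes(text):
    """Return (network, interface) pairs; 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: the interface the kernel would use for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def is_split_tunnel(routes, ems_host, tunnel_prefix="tun", probe="203.0.113.10"):
    """True when the EMS is reached via the tunnel but a public IP is not."""
    ems_dev = egress_interface(routes, ems_host) or ""
    internet_dev = egress_interface(routes, probe) or ""
    return ems_dev.startswith(tunnel_prefix) and not internet_dev.startswith(tunnel_prefix)
```

The match ignores route metrics and policy routing, so on hosts that use either, compare the interfaces reported by `ip route get` instead.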
CRITICAL RISK 5: Lateral Movement and Endpoint Compromise (RPN 350)
NIST and the National Academies of Sciences have identified electronic ballot alteration as a credible threat when voting systems are networked. If an EMS is connected to a county network that has even one internet-facing device, the EMS is effectively connected to the internet.
Risk Multipliers
- Aging Infrastructure: Systems are frequently 10+ years old, running unsupported software that cannot be patched against modern CVEs.
- Reduced Oversight: The cessation of CISA election support and EI-ISAC funding leaves local officials without real-time threat intelligence.
- Certification Gaps: Research has identified over 35 U.S. voting systems online in 2019 despite claims of air-gapping. Furthermore, some cellular modem add-ons (such as those from ES&S) have been documented as failing to meet U.S. Election Assistance Commission certification guidelines.
Conclusion
VPN connections in election infrastructure represent a concentrated, well-documented attack surface that has been actively exploited against government networks by nation-state APT groups using publicly available tooling. The five highest-RPN failure modes — unpatched CVE exploitation, stolen credentials, vendor remote access abuse, cellular modem misconfiguration, and split tunneling — are all technically remediable through known controls. The primary barrier is implementation discipline at the county and state level, which has become harder to enforce with the elimination of federal election-security support infrastructure. For election integrity investigators and legal proceedings, the FMEA framework provides a structured methodology for establishing that identified VPN configurations represent objectively documentable deviations from reasonable security practice — independent of whether exploitation can be proven in any specific election.