Election Cybersecurity in Texas

Election cybersecurity in Texas encompasses the technical, procedural, and regulatory measures applied to protect voting systems, election administration infrastructure, and the integrity of electoral processes across the state's 254 counties. Texas operates one of the largest and most decentralized election systems in the United States, with local county election administrators managing equipment procurement, voter registration databases, and results tabulation. This page covers the scope of that infrastructure, the regulatory framework governing its security, the threat scenarios that affect it, and the decision boundaries that determine jurisdiction and responsibility.

Definition and scope

Election cybersecurity refers to the application of information security controls to systems and processes that support the conduct of elections — including voter registration systems, electronic poll books, voting machines, election management systems (EMS), and results reporting networks. In Texas, this infrastructure is distributed across county governments, with the Texas Secretary of State serving as the chief election officer responsible for certifying voting systems and providing guidance to local officials.

Texas law governs election administration primarily through the Texas Election Code, which establishes procedures for equipment certification, chain-of-custody requirements for voting equipment, and audit obligations. Voting systems used in Texas must receive certification from the Secretary of State following testing against standards set by the U.S. Election Assistance Commission (EAC), which administers the Voluntary Voting System Guidelines (VVSG).

At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) designates election infrastructure as critical infrastructure under the Elections Sector, a subsector of Government Facilities. This designation, established in January 2017 under Presidential Policy Directive 21, enables federal support for state and local election security without federal control over election administration.

The Texas Department of Information Resources (DIR) does not hold direct authority over county election offices, which are not classified as state agencies under Texas Government Code Chapter 2054. County election administrators operate under separate statutory authority and are not uniformly subject to DIR's cybersecurity framework mandates. For the broader regulatory architecture governing Texas public-sector cybersecurity, see Regulatory Context for Texas Cybersecurity.

How it works

Election cybersecurity in Texas operates through a layered structure involving federal, state, and county-level responsibilities.

Federal layer: CISA provides risk assessments, penetration testing, and incident response support to state election offices on a voluntary basis. The CISA Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), operated by the Center for Internet Security (CIS), distributes threat intelligence to election officials. As of 2023, CISA reports that over 2,900 election jurisdictions participate in EI-ISAC across the country.

State layer: The Texas Secretary of State's office coordinates with CISA, certifies voting systems, and issues guidance to county election officials. The office conducted post-election audits and participated in the Election Infrastructure Subsector Government Coordinating Council framework.

County layer: The 254 county election administrators implement physical and logical security controls for voting equipment, maintain chain-of-custody documentation, and coordinate with the Texas Secretary of State on incident reporting.

The process from certification to election day follows this structure:

  1. Voting system certification — Vendors submit systems to EAC-accredited test labs; Texas Secretary of State conducts independent review before state certification.
  2. Pre-election logic and accuracy testing — County officials test all voting equipment before each election cycle.
  3. Physical security controls — Equipment storage, tamper-evident seals, and access logs are maintained under Texas Election Code requirements.
  4. Network isolation — Voting machines in Texas are not connected to the internet during elections; results are transferred via physical media or air-gapped networks.
  5. Post-election audits — Texas conducts hand-count audits of randomly selected voting system results as a verification mechanism.

The Texas Secretary of State's Voting System Security page documents certification requirements and audit procedures.

Common scenarios

Three primary threat scenarios affect Texas election infrastructure:

Voter registration database compromise: The Texas voter registration database, maintained by the Secretary of State's office, represents a high-value target. Unauthorized access or manipulation of registration records could affect voter eligibility determinations. The EI-ISAC and CISA provide database monitoring tools and network detection sensors to participating states.

Phishing and social engineering against election officials: County election administrators are frequent targets of spear-phishing campaigns, particularly during election cycles. CISA's #Protect2024 initiative specifically addresses phishing threats to election workers. Texas phishing and social engineering threats follow patterns common across public-sector targets — credential harvesting via spoofed government domains is the predominant vector.

Disinformation and infrastructure rumor campaigns: A distinct category of election cybersecurity threat involves the spread of false information about election infrastructure security. CISA and the Election Assistance Commission have published joint fact sheets addressing false narratives about voting machine connectivity and result manipulation.

Ransomware against county IT systems: County governments managing election infrastructure share IT environments with other county functions. A ransomware attack against a county network — even one not directly targeting election systems — can disrupt election administration. Texas has experienced ransomware incidents affecting county-level government systems, which is addressed in greater detail at Texas Ransomware Threats and Response. County election offices are part of the broader Texas Cybersecurity for Local Governments landscape.

Decision boundaries

Jurisdiction over voting systems: The Texas Secretary of State holds exclusive authority over voting system certification under the Texas Election Code. DIR does not certify or regulate election equipment.

Federal vs. state authority: CISA's role is advisory and support-oriented; federal law does not grant CISA or any federal agency direct authority to mandate security controls on Texas election infrastructure. The Help America Vote Act (HAVA), administered by the EAC, provides federal funding to states for election security improvements — Texas has received HAVA funds for election security upgrades — but compliance is tied to funding acceptance, not mandatory regulation.

State agencies vs. county election offices: County election administrators are not subject to mandatory DIR security assessments or Texas Government Code §2054.1125 incident reporting timelines. Their cybersecurity obligations derive from the Texas Election Code, county policies, and voluntary CISA frameworks rather than DIR's cybersecurity standards.

Scope limitations: This page addresses election cybersecurity within Texas's geographic and statutory jurisdiction. Federal election law, multi-state coordination obligations under HAVA, and the internal security practices of federal election agencies fall outside this page's coverage. Private voting system vendors are subject to EAC certification requirements but not directly to Texas state cybersecurity law. For the full landscape of cybersecurity obligations affecting Texas public-sector entities, the Texas Security Authority provides the broader framework.

References

📜 2 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Services & Options Key Dimensions and Scopes of Texas Cybersecurity Regulations & Safety Texas Cybersecurity in Local Context Tools & Calculators Password Strength Calculator FAQ Texas Cybersecurity: Frequently Asked Questions