Election companies stop sharing cyber data with DHS

America's top vendors fear that data they submit on cyberattacks and vulnerabilities may be used against them. CISA has not provided them assurances.

President Donald Trump signs the Cybersecurity and Infrastructure Security Agency Act on Nov. 16, 2018 in the Oval Office. (White House / Joyce N. Boghosian)

It was a July-hot day in April when I sat down for coffee with a former senior official. We were sipping iced lattes when the person told me that companies that make voting machines and other election technology don’t want to share their data with the Department of Homeland Security’s cybersecurity arm.

So began a series of emails, texts, and phone calls. Sensitive conversations often with people who did not want to be named. What I found was a constellation of voices across the country — election vendors, officials, and experts — who fear that the Trump administration will weaponize their information on cyber attacks and vulnerabilities to uphold lies and undermine future elections.

This is not without some irony. On November 16, 2018, President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act into law, thereby creating CISA inside the Department of Homeland Security. In 2020, Trump would resent the agency and in 2025, he would raze the programs which debunked his false messaging that the 2020 election was stolen. The Trump administration has proposed $491 million in cuts to CISA, eliminating “weaponization and waste” and “programs focused on so-called misinformation and propaganda.”

To begin, understand that election companies voluntarily share data on cyber intrusions and weaknesses with CISA — it is not mandatory. Less than 10 years ago, these companies were as concerned about how being attacked looked as the attack itself. Government officials spent years trying to lift the stigma of falling victim to cyberthreats large and small, placing the focus on preparation and recovery. The gradual shift came with old-fashioned relationship-building.

Those relationships proved mutually beneficial: Disclosing incidents to CISA provided the agency with a larger picture of cyber and physical threats, allowing it to warn other entities. The agency also provided useful services — conducting assessments on vulnerabilities, helping build up cyber defenses, and educating on emerging threats to critical infrastructure, to which elections were designated after Russia’s interference in 2016.

Now the voluntary nature of the relationship is working in the opposite direction, causing companies to think twice and back away from disclosures. It could leave CISA blind to new threats and trends, upending the motto of “Defend Today, Secure Tomorrow,” and potential imperil election infrastructure.

Election companies

“Whom I'm telling and what I'm telling is certainly a shrinking universe,” an executive at one of the largest election system companies in the United States told me. They make voting machines, tabulators, and other important items.

That universe does not currently include CISA. The company has even changed some of its internal policies, according to the executive who asked not to be named for fear of retribution. “Our internal corporate policies on incident response and cyber security previously said, ‘We shall share this information,’ and then there was a list of appropriate individuals within the industry, which largely was Homeland Security [and sharing/analysis centers]. We have actually changed our internal corporate policies to say ‘may’ rather than ‘shall’ share.”

When the Trump administration cut dozens of positions inside CISA earlier this year, it terminated relationships that took years to grow. The person does not know who would receive the company’s data on cyber incidents, let alone what the recipient would do with the information.

That was not the case during Trump’s first term. “I knew where the information was going, I knew what purposes it was serving, and I knew the protections around the data,” the executive said. “I know none of that currently. And without knowing that, I don’t have the confidence to share information.”

Our conversation came after an internal letter from CISA sent shock waves through the election community in March. I obtained the letter, in which Chief External Affairs Officer Erin Buechel Wieczorek (who has been with CISA since 2018) responded to election officials in Kansas and Minnesota. The officials had wanted to know if their information would remain within the agency.

Here is what she told them: “Whether there is access to information shared with CISA by those outside of CISA. We owe you more information on this question.”

A portion of CISA’s March 2025 letter, which did not assuage election officials’ concerns about whether the agency will share data outside of CISA.

That has been CISA’s only answer to date. When I reached out to the agency to ask the same question, I did not receive a response.

Would the executive trust CISA if personnel vowed not to share the company’s data? “Currently, no,” the person told me. And so far, no one at CISA has reached out to try to regain their trust.

The person thought CISA may be waiting for the Senate’s confirmation of Sean Plankey as director. Plankey was previously the Director of Cyber Policy at the National Security Council in Trump’s first term, and the Navy’s Deputy Chief Information Officer, per LinkedIn. “He has the right experience,” the person said. “I’m willing to meet him and hear his vision for the agency.”

But the executive added that the other top election companies hold similar concerns about the security of their sensitive data. Those companies did not respond to my requests for comment.

Election officials

“Actions speak louder than words, and when the federal government fired their seasoned experts, they showed us that they were not serious about helping election officials run quality elections,” Arizona’s Secretary of State, Adrian Fontes, told me in a written statement. “CISA was a pillar we relied on for election security and integrity. And now it has been conscripted into an agenda of chaos that is leading to distrust in our government. It’s a real shame. We don’t have time to play games.”

Another election official in a swing state, speaking on the condition of anonymity, conveyed a litany of misgivings and anxieties. He was especially disheartened by Trump ordering his cabinet to investigate former CISA leader Chris Krebs, claiming that the man whom he had previously hired “falsely and baselessly denied that the 2020 election was rigged and stolen,” that he “weaponized and abused his Government authority.”

Trump’s action left the official unsettled. “In my experience, [Krebs] was a man of integrity who provided high quality service. He was not afraid to say the truth. And to have an executive memorandum directly targeting him and the company that he now works for is insane. And in general, it looks like the federal government is being weaponized against people who were in any way detractors, who were in any way less than cheerleaders for the current administration.”

The official was concerned that more people could be targeted in “fake witch hunts” — and that voter registration databases could be shared with DOGE personnel.

“You can’t share with entities that are going to be reckless with it,” the official said, describing the potential for negligence as well as the intentional release of information. “There’s that possibility as well to take sanitized data and just put it out there and make claims that there’s been some compromise of the system.”

A DOGE staffer named Edward “Big Balls” Coristine is a senior adviser at CISA, according a Reuters investigation. The news agency reported that he previously provided services to a cybercrime group that bragged about stealing data and cyberstalking an FBI agent.

The official added that key positions inside CISA remain unfilled. Advisers used to go on security tours of the state’s election facilities, recommending improvements like additional door locks and video cameras. The official says that those advisers had to back out of security tours this winter, in the midst of the program. “Our CISA partners were told you can no longer go and be on these election security tours.”

The official went on to describe how deeply the relationships have been severed. “Basically every single one of our local representatives has either quit or been fired… We have no cybersecurity advisers anymore. They’re all gone.”

If a foreign adversary conducted a cyberattack on the state’s systems, the official doesn’t know who would notify them of the incident. That increases the danger and the damage. “Basically anytime someone gets hit with ransomware, you’ve got a very small window of time to respond before things get real bad. And now that we have no more cybersecurity advisers, who’s gonna call us? At the very least, I don’t know them and none of my customers know them. So there’s gonna be some additional delay of, ‘Who the hell are you? Are you really with CISA? Are you someone who’s a scammer trying to trick us?’ And that is going to cause more ransomware to be effective.”

In its short history, CISA has been a vehicle for sharing information to thwart further attacks, said Larry Norden, Vice President of the Elections and Government Program at the Brennan Center for Justice. “States and localities need to be giving thought now. If they're not going to CISA, what do they have to replace that?”

He said he has spoken to Republicans and Democrats at state and local levels. “All that I've heard is ‘I would be hesitant to share confidential information with CISA at this time.’”

He also discussed Trump’s executive order on voting. “He ordered another report on the security of election systems. And so I can imagine that there’s fear that the information provided could be used to attempt to bolster false conspiracy theories.”

The Brennan Center called the executive order a clear violation of federal law and the Constitution, warning that it could disenfranchise millions of U.S. citizens, compromise their personal data, and derail how states administer elections. Numerous lawsuits have been filed, the Brennan Center being one of them.

Taking back Dominion

Ultimately, this story centers around a single question: If a president has denied the results of an election once, can he be trusted in future elections that do not go the way he wants?

The White House did not immediately respond to a request for comment. Last year, casting his vote in Florida, Trump told reporters, “If I lose an election, if it’s a fair election, I’d be the first one to acknowledge it.”

His track record of accepting election results has consistently hinged on the word “if.” As he told CBS News last August, “If it’s going to be a fair and free election, the answer is absolutely I will… you will never see anybody more honorable than me.”

An election security expert who spent decades in the federal government cast doubt on that, taking a similar view as the election company and officials. “Would [Trump] take a line out of an analysis that a voting machine vendor did on their own systems and misrepresent it to push the idea that an election that he disliked was vulnerable or insecure or hacked? The answer to that is 100 percent yes he will.”

That brings us to Dominion Voting Systems, one of the largest three election system companies in the country.

In 2023, a court authorized the release of expert analysis on Dominion’s flaws and vulnerabilities to cyberattacks, “how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia.”

There was no actual evidence that flaws or vulnerabilities were exploited. And literally all technology is vulnerable to cyberattack, which is why paper ballots are important in elections, “because we can go back to the paper and audit and recount those to confirm that the counts were accurate,” the election security expert said. “But most voters don't understand how all these systems work.”

The mischaracterizations were so grave that Dominion filed a $1.6 billion defamation lawsuit against Fox News and its parent company. Documents revealed that executives and hosts knew their claims of rigged elections were false, but they went on broadcasting them anyway. Fox settled for $787.5 million.

Trump and his allies used the TV reports and expert analysis to question the integrity of Georgia’s elections. He shared an array of false assertions, including a One America News Network story that claimed without evidence that Dominion “deleted 2.7 million Trump votes nationwide.”

OANN later settled in a lawsuit brought by a former Dominion executive, and a larger lawsuit remains in play. Trump’s own CISA, under the now-targeted Chris Krebs, refuted the claim of deleted votes. That statement has been taken down from CISA’s site.

What I have heard again and again from people in the election space is that it’s difficult to compromise the integrity of an election but easy to erode trust with words.

Comments

[Robert Davey]

Nothing better illustrates Trump’s insanity than his creation of the cybersecurity agency and then his repudiation of it because he didn’t like its expertly informed judgments.