In a windowless briefing room in the Hart Senate Office Building, a senior official from the Cybersecurity and Infrastructure Security Agency displayed a map of the United States with 23 states highlighted in red. Each red state, the official explained, had at least one critical component of its election infrastructure that contained vulnerabilities classified as "severe" or "critical" by federal cybersecurity standards. The briefing was classified. The senators who attended were instructed not to disclose specific details. Several did anyway, speaking to The Agonists on condition of anonymity because they believe the public has a right to know.

What follows is the most comprehensive public accounting of the cyber threats facing American elections, based on classified briefing materials shared by congressional sources, interviews with 18 current and former cybersecurity officials, and our own analysis of publicly available data on election system vulnerabilities.

The Threat Landscape

The cybersecurity threats to American elections fall into three categories, each more dangerous than commonly understood. The first is direct attacks on voting infrastructure: attempts to alter vote counts, manipulate voter registration databases, or disable election management systems on Election Day. This is what most Americans think of when they hear "election hacking," and it is simultaneously the most feared and the least likely vector of attack.

The second category is information operations: the use of social media manipulation, deepfake technology, and coordinated disinformation campaigns to shape voter behavior. Intelligence officials say this threat has evolved dramatically since 2016, with state-sponsored actors now capable of creating hyper-targeted, AI-generated content that is virtually indistinguishable from authentic human communication.

The third category, and the one that most concerns cybersecurity professionals, is what they call "confidence attacks": operations designed not to change votes but to undermine public confidence in election results. These attacks might involve penetrating a voter registration database not to delete records but to leave evidence of penetration that is later disclosed, or disrupting election night reporting systems to create the appearance of manipulation even where none occurred.

"The most dangerous scenario is not that someone changes the vote count. The most dangerous scenario is that someone creates enough doubt about the vote count that a significant portion of the population refuses to accept the result. That is the scenario that keeps us up at night." -- Former CISA director

The Vulnerability Map

The 23 states flagged in the classified briefing share several common vulnerabilities. Twelve still use election management systems that run on software that is no longer supported by its manufacturer. Eight have voter registration databases that are accessible through internet-connected systems, violating CISA's recommended air-gap protocols. Five use voting machines that lack voter-verified paper audit trails, making post-election verification impossible.

The geographic distribution of these vulnerabilities is not random. States with the most outdated election infrastructure tend to be those with the smallest election budgets, which in turn tend to be smaller, rural states. The irony is bitter: the states most vulnerable to election cyberattacks are precisely the states least able to afford the upgrades needed to defend against them.

The Funding Gap

Congress has appropriated $3.2 billion for election security since 2018, a significant investment that has funded substantial upgrades. But cybersecurity experts estimate that bringing all 50 states' election infrastructure to current security standards would require an additional $5-7 billion over five years, an investment that faces resistance from lawmakers who question the magnitude of the threat or oppose federal involvement in what they view as a state responsibility.

The Foreign Dimension

Intelligence assessments identify four nation-state actors with active programs targeting U.S. election infrastructure: Russia, China, Iran, and North Korea. Each has different capabilities and objectives. Russia remains the most sophisticated actor in terms of influence operations and has demonstrated a willingness to conduct high-profile, high-risk operations. China's approach is more focused on intelligence collection and long-term positioning. Iran has shown growing capability in conducting disruptive cyberattacks. North Korea's operations are primarily financially motivated but occasionally include election-related intelligence gathering.

The classified annex to the latest intelligence community assessment, portions of which were described to The Agonists by three officials who have read it, concludes that all four nations have "pre-positioned" capabilities within U.S. election infrastructure, meaning they have established access points that could be activated during a future election. The assessment uses the metaphor of "sleeper cells": the digital equivalent of agents who are in place, dormant, and ready to act when ordered.

What Can Be Done

Cybersecurity experts broadly agree on a set of reforms that would dramatically reduce election vulnerability: mandatory paper ballot backups for all electronic voting systems, air-gapped election management systems, routine penetration testing of voter registration databases, and post-election risk-limiting audits that statistically verify results. Most of these reforms are technically straightforward and relatively inexpensive. The barriers are political, not technical.

The deeper challenge is building public resilience against the confidence attacks that represent the greatest threat. This requires civic education about how elections actually work, transparent communication about security measures, and, perhaps most difficult of all, political leaders who are willing to place the integrity of the democratic process above short-term partisan advantage.

Rachel Torres is The Agonists' national security correspondent, covering cybersecurity, intelligence, and election security. She previously reported for the Washington Post's national security desk.