In a joint announcement last week, U.S. security agencies addressed a rising tactic among malicious actors: manipulating public perception through false claims of election infrastructure breaches.
"The FBI and CISA have no information suggesting any cyberattack on U.S. election infrastructure has prevented an election from occurring, changed voter registration information, prevented an eligible voter from casting a ballot, compromised the integrity of any ballots cast, or disrupted the ability to count votes or transmit unofficial election results in a timely manner," the agencies stated.
While voter registration information is sometimes obtained by unauthorized parties, the FBI and CISA emphasized that this does not mean election systems were breached. However, these misleading narratives serve one key purpose: to erode public trust in democratic institutions.
Misinformation suggesting that the access or sale of voter data is evidence of a cyberattack is a commonly used tactic to mislead the public. In reality, most U.S. voter registration data is publicly accessible through legal channels, which is often overlooked in the panic that follows such claims. This deliberate manipulation of facts sows doubt, exploiting fears about digital vulnerabilities in the election process.
It's important to understand that access to voter registration data does not equate to a security breach. It doesn’t change election results or prevent eligible voters from participating. The real concern lies in how this data is misrepresented to suggest more significant vulnerabilities within the election system.
For example, in October 2023, the District of Columbia Board of Elections (DCBOE) confirmed that its full voter roll was accessed during a data breach at a third-party provider. While the ransomware group RansomedVC attempted to sell this information, DCBOE emphasized that most of the voter data is publicly available. Similarly, another recent claim about a voter database being obtained from a New York county surfaced on a cybercrime forum. Even so, these incidents are often sensationalized to imply much more than what actually occurred.
Beyond the access to voter data, foreign influence operations have become a major concern. For example, Iranian threat actors recently targeted emails and WhatsApp accounts linked to U.S. presidential campaigns, attempting to interfere with the upcoming election. In a more extensive operation, U.S. officials recently disrupted a large-scale Russian campaign using fake domains, AI-generated content, influencers, and social media platforms. This campaign aimed to manipulate U.S. elections, increase division within the country, and promote pro-Russian policies while reducing support for Ukraine.
While these activities are concerning, they should not be confused with claims of widespread voter fraud. Extensive research shows that actual voter fraud, including impersonation, is extremely rare. Between 2000 and 2014, only 31 credible cases of voter impersonation were identified out of over 1 billion ballots cast. Similarly, a study from Arizona State University found just 10 cases of impersonation fraud between 2000-2012, with none detected from 2012-2016 across five scrutinized states.
Even in cases where unauthorized access to voter information is reported, it's essential to keep in mind that much of this data is publicly available in most states. This does not indicate a breach, nor does it compromise the integrity of the election process. By understanding this distinction, we can avoid falling into the trap of believing every alarming claim of election interference.