Expert Brief

Project 2025’s Plan for Cybersecurity Agency Threatens Election Security

Gutting the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will leave our democracy more vulnerable to attack from malign actors at home and abroad.

Published: August 1, 2024

Few things are more important to our democracy than protecting election infrastructure from attack. U.S. elections have been targeted by foreign cyberattacks, and the scope and sophistication of those attacks have grown aggressively in the past decade. In 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act, creating an agency under the Department of Homeland Security to lead the national effort to understand, manage, and reduce risks for critical infrastructure, including election infrastructure.

CISA does not run elections, and its relationships with election officials around the country are voluntary — they can use services they find helpful and ignore those they don’t. Since 2017, the agency has played a critical role in building a more resilient election system. Election officials of all political stripes have expressed gratitude for CISA’s support in navigating ever-evolving security threats, adopted the agency’s recommendations, and sought out assessments and services. This partnership is a significant reason why elections are far more secure today than a decade ago.

CISA has received widespread bipartisan praise and support for its work to protect critical infrastructure. But in the aftermath of the 2020 election, then-President Trump fired the agency director he appointed, Christopher Krebs, for promoting accurate information and declaring that the 2020 election was secure.

Project 2025 builds on these actions and uses them to justify disrupting the entire agency’s vital work. Despite growing threats to elections and other critical infrastructure, Project 2025 suggests gutting CISA, splitting up its core responsibilities, and moving what’s left of its critical infrastructure functions to the Department of Transportation — a department with limited security expertise in this area. If implemented, the agenda would make election infrastructure more vulnerable at a time when advances in artificial intelligence, rising global tensions, and other factors are increasing the risk of cyber and physical threats.

Project 2025 makes four recommendations for CISA that would drastically reduce its ability to safeguard American elections.

First, it recommends significantly limiting CISA’s role in supporting election security, suggesting that “CISA should help states and localities assess whether they have good cyber hygiene in their hardware and software in preparation for an election — but nothing more.”

Second, it states that “CISA should not be significantly involved closer to an election.”

Third, it stipulates that “CISA should refrain from duplicating cybersecurity functions done elsewhere at the Department of Defense, FBI, National Security Agency, and U.S. Secret Service.”

Finally, it calls for CISA to end “counter-mis/disinformation efforts.”

These proposals reflect a fundamental misunderstanding of election security threats and CISA’s role and value in safeguarding election infrastructure. If implemented, they would severely undermine the progress the United States has made in the last decade to protect its election infrastructure from attack.

Restricting CISA’s role to assessing “cyber hygiene” would significantly roll back valuable services and support that election officials rely on to keep elections safe and secure.

CISA’s primary methods for supporting election infrastructure fall into three categories: information sharing to promote communication and coordination on threats across the federal, state, and local levels; no-cost training in which security experts recommend best practices and run exercises on the evolving threat landscape; and no-cost, voluntary services including security assessments, incident management assistance, and scanning of election systems for vulnerabilities.

Limiting CISA’s role to “nothing more” than assessing the cyber hygiene of hardware and software would take away the agency’s information-sharing and training support altogether, and it would cut a wide range of no-cost, voluntary services that election officials rely on to protect election infrastructure. For example, through the agency’s “Last Mile” initiative, CISA has developed more than 380 customized incident-response products for more than 2,000 election jurisdictions across the country. These products recognize that, even if election technology has good cyber hygiene, bad actors can still exploit vulnerabilities; election officials need support in hardening election infrastructure, but also responding effectively if attackers nonetheless get through the first line of defense. Limiting CISA’s work to mere assessment would also eliminate critical cybersecurity services that the agency proactively develops or funds for state and local officials’ use, including endpoint security and malicious domain blocking services.

Equally concerning, Project 2025 takes far too narrow a view of CISA’s security expertise. The agency does more than help state and local governments with cybersecurity — it also helps protect critical infrastructure from physical attacks. This expertise has become increasingly important as election workers face a rising risk of threats, intimidation, and political violence. Over the past four years, CISA’s Protective Security Advisors have conducted physical security assessments for election officials across the country, helping them identify risks and implement mitigations to keep election workers and voters safe.  

The vast majority of election offices simply do not have the resources or capability to be effective frontline national security figures as they now must be. These offices often have little or no dedicated security expertise and are often dependent on other offices in their county for IT support. Nearly half of election offices operate with one or fewer full-time employees, and nearly a third operate with no full-time staff at all. CISA’s expertise and support are needed to fill this gap.  

CISA becomes more critical closer to an election. Forcing it to step back would lead to more vulnerabilities and hinder the response to security threats.

To state the obvious, an adversary looking to disrupt U.S. elections is most likely to attack immediately before, during, or after an election. The period when voters are casting ballots and election officials are counting them is when state and local election officials most need CISA’s expertise and support.

As mentioned above, a critical service that CISA offers is continuous monitoring of election systems to detect vulnerabilities. This monitoring is most beneficial during the election period, when risks are highest and security breaches would be most damaging.

If security threats arise during an election, CISA’s communication structures are needed to share critical information with state and local election officials. Moreover, election officials may need to implement new security precautions in response to those threats, and CISA’s support would be needed to guide fast and effective mitigation efforts. Again, many election offices simply do not have the capacity to address these matters on their own, especially with their limited staff dedicated to overseeing election operations.

Forcing CISA to take a step back when its services are most valued would push many election officials into the dark and severely hamper states’ collective ability to respond to national security threats.

CISA plays a proactive and singular role in safeguarding election infrastructure that no other agency would be equipped to fill.

Project 2025 misunderstands CISA’s role in protecting critical infrastructure. The agency’s responsibilities are fundamentally different from the duties of the Department of Defense, FBI, National Security Agency, and U.S. Secret Service. These other departments and agencies may also track security threats, but CISA goes beyond that, using its security expertise to help state and local jurisdictions prevent, detect, and effectively respond to infrastructure vulnerabilities. CISA’s purpose is to make this infrastructure more resilient to security risks.

While federal law enforcement agencies like the FBI and the Secret Service also work on security breaches, their primary role in response is to investigate and eventually build a case to prosecute, not to help victims recover and increase their resilience to future attacks.  

CISA’s limited role in providing accurate information on electoral processes has been misrepresented for political reasons.

Finally, Project 2025 targets — and misrepresents — CISA’s role in promoting accurate information on electoral processes, such as how, when, and where to vote. CISA’s relatively limited work here has focused on two efforts. First, CISA has managed an “Election Security Rumor vs. Reality” webpage that shares accurate information on electoral processes. Second, CISA has forwarded third-party reports of false election information to social media platforms. While both efforts are important for promoting accurate election information, they represent a very small component of CISA’s election security work compared to the outsize political attention paid to these efforts.

Importantly, CISA never asked social media companies to do anything with the posts. It simply flagged them for the companies’ awareness, something the Supreme Court noted when it recently dismissed a lawsuit targeting CISA’s role in forwarding false information about the electoral process to social media platforms. The Court ruled that the plaintiffs lacked a legal right to bring the case in the first place, but its opinion also rejected findings that CISA was censoring information or coercing social media platforms into moderating certain election information.

As an election security expert, CISA has a proper and valuable responsibility to boost accurate electoral process information. The agency has deep expertise about election systems and the steps election officials can take to secure these systems, as well as an interest in ensuring voters have access to accurate information about election processes and systems. Media and social media platforms are often ill-equipped to sift through and curate election information; they rely on the expertise of subject-matter experts like CISA. And election officials value this work. In a 2023 Brennan Center survey, 85 percent of local election officials said it is very or somewhat beneficial for CISA to dispel false information about the electoral process by promoting accurate information on election administration and technology.

• • •

By limiting the services CISA provides local jurisdictions and forcing the agency to step back from election security in the weeks before an election, Project 2025’s plan for the agency would leave election workers and voters more vulnerable to physical threats and violence and simultaneously make it far more difficult for election officials to secure our election infrastructure and recover from attacks when they happen.

As advances in AI threaten to make cyberattacks more damaging and easier for adversaries to launch, Project 2025 would restrain the federal agency best positioned to prevent these attacks, jeopardizing not just election security but all critical infrastructure that our economy and democracy depend on.