Midterm elections are on the horizon and so are predictable, hazardous threats. This is not the time for wishful thinking. Election infrastructure faces a mixed portfolio of risk: violent domestic actors, malign foreign influence amplified by generative AI, targeted harassment and harassment-by-mail, and cyber operations designed to disrupt communications and logistics.
The physical threat picture remains dominated by lone offenders and small groups motivated by election grievances. Federal agencies warned during the last national cycle that domestic violent extremists with election-related grievances represent the most likely near-term physical threat to candidates, election workers, and public venues tied to the vote. Those warnings are not academic. Threats have included doxing, swatting, suspicious mailings and direct violent plots.
Foreign influence campaigns are active and adaptive. Private sector analysts found coordinated operations tied to Russia, Iran and other actors that used fabricated sites, staged videos, and AI-generated material to push divisive narratives and target campaigns and voters. The toolset now includes generative models that lower the cost of producing convincing audio and video fakes. The combined effect is faster, cheaper disinformation that can be tailored to local audiences. Don’t treat foreign influence as an abstraction. Treat it as an operational multiplier for domestic unrest.
Cyber threats will not necessarily try to flip ballots. They will try to clog information, slow administrative systems, and create plausible excuses for contested results. Ransomware and distributed denial of service attacks against county and state operations can delay access to online services and voter information, and they will be amplified online to erode trust. That said, federal agencies have repeatedly emphasized that known ransomware incidents to date have not compromised the integrity of vote casting or tabulation when fallback processes are used. Expect adversaries to count on confusion and speed to magnify impact.
Election workers and offices are frontline targets. In 2024 there were multiple incidents of suspicious packages sent to election offices across many states, some containing unknown powders that forced evacuations and disrupted operations. Threats and harassment drove resignations and forced officials to adopt new safety measures. Protecting people on the ground needs to match the attention paid to servers and phones.
Insider risk and supply chain vulnerability are quieter vectors that deserve blunt attention. Large urban jurisdictions typically have redundancies. Smaller counties often operate with thin staff, limited cybersecurity budgets, and legacy systems. That gap is a direct operational vulnerability. CISA and partners publish practical toolkits and training that can materially reduce risk. Use them. Prioritize simple wins: segmented networks, offline backups of voter rolls, inventory and physical controls for ballot equipment, and basic phishing resistance training.
Operational priorities for election administrators and supporting private sector partners
- Harden communications and public messaging. Establish trusted, preannounced channels for official information and practice transparent, repeatable messaging to counter rumor and disinformation. Public communications plans are mitigation as much as information.
- Protect people. Threat reporting, rapid law enforcement coordination, panic protocols, and reasonable physical security for offices and polling places reduce the chance that harassment turns into disruption. Treat threats to workers as attacks on the operation.
- Prepare for degraded tech. Run tabletop exercises that assume internet outages, a ransomware incident affecting administrative systems, or targeted DDoS on public portals. Ensure paper backups, procedures for provisional ballots, and manual chain of custody processes are practiced and executable.
- Audit and close simple cyber gaps. Patch management, multi-factor authentication, routine phishing exercises, and vendor supply chain checks are low cost and high benefit. Ensure vendors for tabulation hardware and voter rolls meet known security baselines.
- Monitor external influence and disinformation. Establish a rapid review and takedown coordination path with platforms, and prioritize alerts on deepfake content and coordinated campaigns. Work with local media to amplify official verifications.
What private organizations and citizens should do now
- Businesses that host public information or provide cloud, telecom or DNS services must treat election-related spikes in traffic and targeted DDoS as mission critical. Preposition mitigation and escalation paths.
- Media and social platforms must maintain rapid verification lanes. Labeling and removing clearly false content is important, but expect adversaries to test platform tolerance and exploit any delay.
- Citizens should verify official sources before amplifying alarming claims. When you see claims about compromised ballots or hacked systems, verify with state or county election officials first. Disruption feeds on speed and uncertainty.
Bottom line: the threat environment is elevated but manageable if leaders act now. Expect attempts at harassment, localized physical attacks, targeted cyber operations, and sophisticated influence campaigns that use AI techniques. The defensive posture that will matter most combines practical physical protection, basic cyber hygiene, redundant procedures, and a disciplined public communications strategy. Calm, competent, and rehearsed responses remove the leverage adversaries need to turn technical incidents into political crises. If you are responsible for any part of the voting ecosystem, assume the adversary will pick the path of least resistance and close that path today.