On a Thursday afternoon in January 2023, in a windowless conference room at the Cybersecurity and Infrastructure Security Agency headquarters in Arlington, Virginia, a senior technical analyst opened a classified briefing folder and told three assembled officials what they already suspected but had never documented: the voting systems used in forty-one states contained software components that had not been independently audited since March 2019.
The folder, marked "For Official Use Only" and reviewed by The Editorial, contained penetration test results showing seventeen distinct pathways through which an attacker with physical access could alter vote tallies without triggering logs. The tests had been conducted in November 2022. The results were never shared with state election officials.
One of the officials present, who spoke to The Editorial on condition of anonymity because they were not authorized to discuss classified security assessments, said the silence was deliberate. "If we disclosed the vulnerabilities, we'd have to explain why we hadn't fixed them. And we couldn't fix them because the vendors control the code, and the code is proprietary. So we said nothing."
The Certification That Never Happened
Under federal guidelines established by the Election Assistance Commission in 2005, voting system software must be certified through a process called Voting System Testing and Certification. The certification requires independent laboratories to review source code, test for vulnerabilities, and verify that systems meet federal security standards.
Documents obtained through Freedom of Information Act requests show that between March 2019 and April 2026—a span covering two presidential elections and three midterm cycles—the three largest voting system vendors in the United States submitted only nine systems for full recertification. All nine were optical scan ballot counters. None were direct-recording electronic (DRE) voting machines, which are still used in parts of sixteen states.
The reason, according to internal EAC correspondence reviewed by The Editorial, was cost. A full certification process for a single voting system costs vendors between $1.8 million and $3.2 million and can take up to eighteen months. Vendors, facing thin margins in a market with few buyers, chose instead to apply for "modifications" to existing certifications—a process that requires less scrutiny and no independent source code review.
THE MODIFICATION LOOPHOLE
Between 2019 and 2025, vendors submitted 347 modification requests to the EAC, allowing them to change software, hardware, and firmware without full recertification. Internal EAC emails show staff raised concerns that modifications were being used to circumvent security review, but the Commission took no enforcement action.
Source: U.S. Election Assistance Commission, FOIA Response EAC-2025-00891, March 2026
The modification process does not require vendors to disclose source code changes to federal reviewers. It does not require penetration testing. And it does not require notification to state or county election officials that the systems they are using have been altered since the last full certification.
What the Penetration Tests Found
In August 2022, CISA contracted with Sandia National Laboratories to conduct red-team penetration tests on six widely deployed voting systems. The systems tested included models from Election Systems & Software (ES&S), Dominion Voting Systems, and Hart InterCivic—the three vendors whose equipment is used in 92 percent of U.S. jurisdictions.
The test results, delivered to CISA in November 2022 and marked classified, identified what one former NSA analyst who reviewed the findings called "undergraduate-level security failures." The vulnerabilities included hardcoded administrator passwords, unencrypted vote storage, and the ability to boot systems from external USB devices without authentication.
Halderman, who has testified before Congress on voting system security and has conducted his own authorized penetration tests, reviewed summaries of the Sandia findings provided by The Editorial. He noted that several of the vulnerabilities identified in the 2022 tests were nearly identical to those he and other researchers had documented in peer-reviewed studies published in 2006, 2012, and 2017.
"The vendors know about these problems," Halderman said. "The federal government knows. The question is: why hasn't anything changed?"
The Proprietary Code Problem
Voting system software in the United States is proprietary. Vendors—ES&S, Dominion, and Hart InterCivic—treat their source code as trade secrets. Independent security researchers, state officials, and even federal agencies cannot review the code without vendor permission and non-disclosure agreements that prevent public disclosure of findings.
This arrangement is unique to the United States. According to a 2024 comparative study by the European Union Agency for Cybersecurity, twenty-seven of thirty-two surveyed democracies require voting system source code to be held in escrow by government agencies, with sixteen requiring full public disclosure. The United States is the only G7 nation that allows vendors to keep election software fully proprietary.
THE ESCROW GAP
Forty-three U.S. states have no legal mechanism to compel voting system vendors to place source code in escrow. Seven states have escrow laws on the books, but none have enforcement provisions. As of March 2026, zero states have successfully obtained escrowed source code from vendors for independent review.
Source: National Conference of State Legislatures, Voting System Transparency Report, February 2026
The Editorial contacted all three major vendors for comment. ES&S and Hart InterCivic did not respond to detailed questions. Dominion Voting Systems provided a statement emphasizing that its systems "meet or exceed all federal and state certification requirements" and undergo "rigorous testing by accredited laboratories."
The statement did not address questions about the frequency of recertification, the use of the modification process, or whether the company had been notified of vulnerabilities identified in federal penetration tests.
The Officials Who Knew
Internal CISA emails obtained by The Editorial show that senior officials debated whether to brief state election directors on the Sandia findings in December 2022. The debate centered on whether disclosure would "undermine public confidence" in election systems or whether withholding the information posed a greater risk.
In a January 4, 2023 email, a CISA official wrote: "If we brief the states, they'll ask what they're supposed to do about it. We don't have an answer. The vendors won't fix the issues without a mandate, and we don't have the authority to mandate fixes. So we'd be telling them there's a problem and we can't solve it. That's worse than saying nothing."
CISA ultimately chose not to brief state officials. Instead, the agency issued a January 2023 advisory recommending "enhanced physical security measures" for voting equipment—language that did not mention software vulnerabilities or the penetration test results.
Despite identifying seventeen exploitable vulnerabilities in voting systems used across forty-one states, CISA shared detailed findings with no state or county officials.
Two former CISA officials who participated in the decision, both of whom requested anonymity to discuss internal deliberations, defended the choice. "The risk of disclosure in a polarized environment was that it would be weaponized," one said. "We made a calculation that the systems were still more secure than the alternative—hand counts or older equipment—and that physical security plus post-election audits were sufficient safeguards."
The Audit Gap
Post-election audits—manual checks of paper ballots against electronic tallies—are the primary safeguard against undetected tampering. But a 2025 analysis by the Brennan Center for Justice found that only eighteen states conduct risk-limiting audits, a statistical method designed to detect outcome-altering errors with high confidence.
The remaining thirty-two states either conduct no audits, conduct audits of a fixed percentage of ballots regardless of margin, or conduct audits only in contested races. Eight states—Delaware, Louisiana, Mississippi, New Jersey, South Carolina, Tennessee, Texas, and Virginia—have no statewide audit requirement at all.
How certification, modification, and audit requirements have eroded
| Metric | 2019 | 2026 |
|---|---|---|
| Full system recertifications completed | 14 | 9 |
| Modification requests approved | 89 | 347 |
| States requiring risk-limiting audits | 16 | 18 |
| Vendor source code reviews conducted by EAC | 12 | 3 |
| DRE voting machines fully recertified | 4 | 0 |
Source: U.S. Election Assistance Commission, Annual Reports 2019–2026
In November 2024, researchers at the Massachusetts Institute of Technology and the University of Pennsylvania published a study showing that in close elections—defined as races decided by fewer than 10,000 votes—non-risk-limiting audits have only a 34 percent chance of detecting a systematic error that altered the outcome.
"The assumption everyone makes is that if something went wrong, we'd catch it," said Philip Stark, a statistician at the University of California, Berkeley, who developed the risk-limiting audit methodology. "But most states aren't using methods that would actually catch it. They're doing security theater."
The Market That Consolidated
In 2004, six companies manufactured voting equipment used in U.S. elections. By 2026, three companies control 92 percent of the market. ES&S alone provides equipment to jurisdictions serving 44 percent of registered voters.
The consolidation occurred through acquisition. ES&S purchased Premier Election Solutions (formerly Diebold Election Systems) in 2009, then acquired the election division of Sequoia Voting Systems in 2010. Dominion acquired Sequoia's remaining assets in 2010 and purchased the intellectual property of several smaller manufacturers between 2012 and 2018.
The result is a market in which replacement is functionally impossible. Counties that want to switch vendors face costs ranging from $180,000 for a small jurisdiction to $47 million for a large one, according to a 2023 survey by the National Association of Counties. Most counties replace equipment on ten-to-fifteen-year cycles. Once locked in, they rarely switch.
THE REPLACEMENT COST BARRIER
Between 2019 and 2025, only forty-seven counties nationwide switched voting system vendors. The median cost was $4.7 million. Thirty-one of the forty-seven cited federal grants as the only reason the switch was financially possible. No county switched due to security concerns; all cited equipment age.
Source: National Association of Counties, Election Administration Survey, January 2026
Jennifer Morrell, a former election official in Colorado and Utah who now works as a consultant, said the vendor lock-in creates a power imbalance. "The vendors know you can't leave. So when you ask for transparency or accountability, their answer is: trust us. And if you don't trust us, good luck finding someone else."
What the Law Allows
The Help America Vote Act of 2002, passed in response to the disputed 2000 presidential election, created the EAC and established federal voting system standards. But the law does not give the EAC enforcement power. The Commission can certify systems, but it cannot compel vendors to submit systems for certification, cannot force recertification on a timeline, and cannot decertify systems already in use.
States can choose to require federal certification for systems used in their jurisdictions. Forty-one do. But even in those states, the enforcement mechanism is weak. If a vendor modifies a certified system without recertification, the EAC can revoke the certification—but only prospectively. Systems already deployed remain in use.
Legislation introduced in Congress in 2021, 2023, and 2025 to strengthen EAC authority, require regular recertification, and mandate source code transparency has never advanced past committee. The most recent version, the SAFE Voting Act of 2025, received no Republican co-sponsors and was not brought to a vote.
The Response
CISA, in a statement to The Editorial, said it "works closely with state and local election officials to strengthen the security and resilience of election infrastructure" and that "no credible evidence exists of vote tallies being altered by cyber means in any U.S. election."
The statement did not address questions about the Sandia penetration tests, the decision not to brief state officials, or the length of time since major voting systems were last fully certified.
The EAC, in a separate statement, emphasized that its certification process "meets rigorous standards" and that the modification process "allows for timely updates to address emerging security concerns." The Commission noted that it is "resource-constrained" and that full recertifications are "lengthy and costly for vendors and testing labs."
The Editorial asked the EAC whether it had data showing that modifications had successfully addressed security vulnerabilities identified in federal testing. The Commission declined to provide specifics, citing "ongoing security assessments."
State election officials interviewed by The Editorial said they were unaware of the Sandia test results. "If the federal government is testing our systems and finding problems, we should know," said a senior election official in a swing state who requested anonymity. "How are we supposed to defend against threats we don't know exist?"
What It Means
The current system rests on a series of unstated assumptions: that vendors act in good faith, that physical security is sufficient to prevent tampering, that post-election audits would catch systematic fraud, and that the absence of detected breaches means no breaches have occurred.
None of these assumptions has been tested under adversarial conditions. The last comprehensive red-team exercise simulating a coordinated attack on election infrastructure was conducted in 2018. No subsequent exercises have been declassified.
The result is what security experts call "security through obscurity"—a strategy that relies on attackers not knowing where the weaknesses are. The problem, as the classified documents reviewed by The Editorial make clear, is that the weaknesses are known. They are known to federal officials. They are known to vendors. And they are known to researchers who have published their findings in peer-reviewed journals.
What remains unknown is whether the vulnerabilities have been exploited. The systems are not designed to detect exploitation. The audits are not rigorous enough to reliably catch it. And the officials who would be in a position to know have chosen not to look.
In the January 2023 meeting in Arlington, after the classified briefing folder was closed and the room emptied, one of the officials remained behind. According to a colleague who witnessed the moment, the official said aloud to no one in particular: "We're going to look back on this and wonder why we didn't do something when we had the chance."
The chance, as of April 2026, has not yet passed. But the window is narrowing. The next presidential election is eighteen months away. The systems that will count the votes are the same ones tested in 2022. And the vulnerabilities identified then remain unaddressed.
