Chetrice Romero: Proper election security starts many months in advance

Primary Day has come and gone. Now attention shifts to the general election in November.

Across the country, election offices are already doing what they do best — learning from the primaries, adjusting where needed and beginning the countdown to one of the most complex and scrutinized operations in government.

Coordinating people, systems, vendors and logistics to deliver a secure and reliable voting experience is no small task. And yet, once the primary passes, it’s easy to mentally “set it aside” until the fall.

But focusing only on Election Day misses a much larger reality. Election risk does not begin and end on Election Day. It begins now.

And even with months to go, there will never be enough time to do everything.

So the real question becomes: How do we prioritize what matters most?

The part of elections we don’t talk about enough

Long before a single vote is cast, a complex web of activity is already underway:

• Ballot design and programming
• Vendor coordination and system updates
• Poll worker onboarding and training
• Database updates and voter record management
• Logic and accuracy testing
• Equipment staging and distribution
• Emergency planning for violence, weather, power loss, and staffing shortages
• Public education — especially as AI-driven misinformation and deepfakes increase

And so much more …

These activities don’t happen in one centralized, controlled environment. They happen across thousands of local jurisdictions across the nation, often operating on separate networks with varying levels of cybersecurity maturity, staffing and resources.

In states like Indiana, that means 92 different local environments contributing to one election outcome.

A decentralized system creates a distributed risk

This structure isn’t necessarily a flaw — it’s just the reality of how our election system is designed.

But from a cybersecurity perspective, it creates a challenge we don’t always fully acknowledge: The security of an election is only as strong as the environments that support it in the months leading up to it.

Election administrators are often operating within systems they do not fully control — relying on local government IT, emergency management, law enforcement and community partners.

That means election security is not just an elections issue. It’s a whole-of-local-government issue.

And it requires:

• Shared understanding
• Shared responsibility
• Shared investment

When preparation activities span multiple systems and stakeholders:

• Visibility becomes fragmented.
• Security controls are inconsistent.
• Vendor dependencies multiply.
• Incident response becomes more complex.

Layer on staff turnover and limited resources, and the challenge becomes even more pronounced.

At the same time, many jurisdictions are navigating a shifting landscape of external support where federal programs, threat-sharing resources and on-the-ground assistance may not be as readily available as in prior cycles.

That reality makes local and state coordination even more critical.

What state leaders should be thinking about now

States are uniquely positioned to strengthen election security — not by centralizing control but by enabling consistency and support at scale.

That means focusing on what local jurisdictions cannot easily do on their own:

• Establish baseline expectations for cybersecurity and operational readiness.
• Provide consistent, practical training across election and supporting functions.
• Coordinate cross-jurisdictional tabletop exercises that include IT, emergency management and law enforcement.
• Serve as a trusted hub for threat intelligence and information sharing (cyber and physical).
• Align state technology and homeland security resources to support local election infrastructure.
• Offer clear vendor guidance and risk considerations ahead of critical election phases.

States don’t need to do everything, but they can ease friction, reduce inconsistency and raise the floor for everyone.

What local election leaders should be thinking about now

The period after the primaries is one of the most valuable — and underutilized — windows to strengthen resilience.

Focus on what is actionable now:

• Assess vendor performance and system access while the primary is still fresh.
• Engage your local partners — IT, emergency management, law enforcement — and clarify roles.
• Ask your IT support:
• When was our last security assessment?
• What vulnerabilities remain open?
• How are backups managed and tested?
• What is our incident response plan between now and November?
• Plan for gaps if external support is delayed or unavailable.
• Validate downtime procedures and continuity plans.
• Review physical security measures for offices and polling locations.

Conduct or participate in tabletop exercises with other agencies who are involved in security elections (physical, operational and cyberattacks).

And just as important: Don’t operate in isolation. Reach out, coordinate, and share.

Election security is a team sport

We often measure election security by what happens on Election Day. But the truth is: Election Day reflects the strength — or weakness — of everything that came before it.

We have time. But not as much as we think.

And no single office, county or agency can do this alone.

If we want confidence in November, we need to invest in the systems, partnerships and preparation happening right now — together.•

__________

Romero is a senior cybersecurity advisor at Ice Miller LLP and a former cybersecurity advisor and state coordinator with Cybersecurity and Infrastructure Security Agency.