2024 Texas Election Security Update

Ballot box Election security is a top priority for the Texas Secretary of State’s office as we continue to employ effective and forward-thinking cybersecurity measures to further strengthen our state’s elections systems and safeguard our elections infrastructure against any malicious cyber activity. As always, our Elections and Information Technology officials are working tirelessly to ensure that every eligible Texas voter can cast a ballot with confidence.

Election Security in Past Elections

There is no evidence that any voting or voter registration systems in Texas were compromised before the 2016 Election or in any subsequent elections.
The Department of Homeland Security has offered a statement reiterating this fact as well.
The Texas Secretary of State’s Elections Division Audit Program conducts in-depth reviews and examinations of election records and documents maintained by county election officials to ensure election law and security procedures have been properly followed.

Legislative Efforts to Prioritize Election Security

The Texas Secretary of State’s Elections Division testified on election security during a Texas Senate Select Committee on Election Security hearing on February 22, 2018. Watch the video here to learn more details about our office’s work to enhance the security of Texas’ election infrastructure.
On November 30, 2018, the Texas Secretary of State’s office submitted a Report to the Texas Legislature on Election Cybersecurity Preparedness. Read the public summary report here (PDF).
HB 1421 (86th Legislative Session) added Chapter 279 “Cybersecurity of Elections Systems” to the Texas Election Code. This legislation implemented many of the recommendations in the SOS Report to the Texas Legislature on Election Cybersecurity Preparedness. This new chapter has resulted in the following:

The Secretary of State has issued an Election Security Best Practices Guide (PDF), which defines classes of protected election data and identifies best practices related to the security of election systems.
All individuals that access our Statewide Voter Registration and Election Management System are required to complete annual security training to maintain access to the system.
Any breach of cybersecurity that impacts election data is to be reported to the Secretary of State and to the standing committee of each house of the legislature with jurisdiction over elections.
All County Election Offices are required to undergo an Election Security Assessment (ESA).

HB 4130 (86th Legislative Session) requires the Secretary of State to create a certification program related to electronic pollbooks. This provision authorizes the Secretary of State to prescribe standards regarding functionality and security of electronic pollbooks.
SB 1 (87th Legislative Session, Second Called Session) added requirements relating to the posting of peace officers at central counting stations, and requirements relating to the video recording and livestreaming of all areas containing voted ballots in Texas counties with a population of at least 100,000.
SB 1 (87th Legislative Session, Second Called Session) added a requirement that a hash validation must be performed during the pre-election testing of the voting system for each election. The hash validation process is designed to verify that the software of the system has not been altered or manipulated, and that the software is the same software that was tested and certified by the federal government and the State of Texas. Our office released Advisory 2022-30, which explains the process for performing a hash validation.
SB 271 (88th Legislative Session, Regular Session) requires local governments to report to state officials when they experience certain security incidents, including security breaches and ransomware attacks. If the incident involves election data, the local government must notify the Secretary of State of the incident.
SB 1661 (88th Legislative Session, Regular Session) provides that an authority operating a central counting station may only use or purchase a ballot scan system if the system is only capable of using a data transfer device that (1) once a cast vote record is written, is incapable of being modified without automatic detection of the modification and rejection of the cast vote record and (2) does not allow for the process to be overridden or circumvented.

Working with Federal and Local Partners

The SOS along with our county election officials have participated in numerous tabletop exercises on election security provided by the Department of Homeland Security.
The SOS has provided on-going training opportunities for county election officials at our annual seminars, and on an individual basis, as needed, to county election officials.
Most Texas counties participate in the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) to ensure that the elections community is effectively sharing relevant information with respect to safeguarding our elections and being aware of potential cyber threats.

Current Safeguards in Texas Law

No voting system is ever connected to the internet at any point - either when votes are being cast or when they are being counted. (Sec. 129.054, Texas Election Code).
Only software certified by the Texas Secretary of State can be loaded on a computer used for counting or accumulating vote totals. (Sec. 129.055, Texas Election Code).
Before and after use each day, all voting systems are sealed with locks and with seals with unique serial numbers, and all election workers must follow proper chain of custody procedures during the election, including a careful tracking of the serial numbers used to seal the machines at the end of each period of voting. (Secs. 129.051, 129.053, Texas Election Code).
While voting is occurring, election judges are required to periodically inspect the equipment to ensure there is no tampering or damage to the equipment. (Sec. 125.005, Texas Election Code).
All voting systems are tested three times – twice before the machines are used in the election and once immediately after. The tests consist of a deck of ballots being voted on the machines and then tabulated to ensure that the machine results are correct and match the test stack of ballots. The machines cannot be used or deployed until the test is 100% successful. Note that one of the tests conducted before the machines are used in an election is open to the public, and notice of this test is published in a local paper. Each political party has the right to submit names of individuals to represent that party on the testing board and thus every county usually has a testing board that consists of at least one person from each political party. (Sec. 129.023 and Subchapter D, Chapter 127, Texas Election Code).
A hash validation is performed as part of the pre-election testing process for the voting system in every election, which is open to the public. The hash validation process allows the entity conducting the election to verify that the software used with the system has not been manipulated or altered, and that the software is the same software that was tested and certified by the federal government and the State of Texas. (Advisory 2022-30; Sec. 129.023(c-1), Texas Election Code).
The election worker at the polling place (both during early voting and election day) must confirm that there are zero votes cast at the opening of voting and at the end of voting they must compare the number of ballots cast to the number of voters that have checked-in on the poll list. (Advisory 2019-23, Secs. 61.002, 127.068, Texas Election Code).
Background checks are required for all personnel that prepare, test or service all voting system equipment. (Sec. 129.051, Texas Election Code).
Poll watchers are allowed to observe at all early voting and election day polling locations and at the central counting or accumulation station where ballots are being counted or vote totals accumulated. (Chapter 33, Texas Election Code).
A post-election audit (partial manual count) is required for all elections that have paper ballots. (Sec. 127.201, Texas Election Code).
The Secretary of State has the authority to conduct a manual or electronic recount of any election using electronic voting systems. (Sec. 127.202, Texas Election Code).
These safeguards are outlined in Section 9 of Advisory 2019-23 Electronic Voting System Procedures Advisory.

Protecting Election Infrastructure

The Texas Secretary of State’s office has also taken the following steps to further strengthen election infrastructure security in the State of Texas:
Established effective communication protocols with the Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), the Department of Public Safety (DPS), and the Department of Information Resources (DIR) to coordinate cybersecurity monitoring and response.
Engaged in a pilot program with DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC), which helped develop and improve information sharing protocols between the federal government and the states in the realm of election security.
Instituted multi-factor authentication for election officials to ensure that only those who are authorized to do so can gain access to the statewide voter registration database.
Installed an active Albert sensor on our voter registration database that alerts our agency when any suspicious cyber-activity occurs.
Submitted Texas’ proposal to the U.S. Election Assistance Commission (EAC) (PDF) for implementing new cybersecurity and election security measures – both at the state and local levels – using funds from the 2018 HAVA disbursement to states for election security.
Informed and encouraged Texas counties to take advantage of free cybersecurity services and physical security assessments available from DHS, MS-ISAC, and EI-ISAC.
Removed legal roadblocks that prevented counties from upgrading to newer, more secure systems.

Misinformation in Elections

If voters or election officials come across information related to voting that is inaccurate, misleading or incorrect, please report that to the Secretary of State as we have established communication lines with various social media organizations and law enforcement agencies that can assist in removing incorrect information regarding elections.

Below are the full texts of selected Texas Election Code provisions that relate to election security:

Sec. 279.001. DEFINITIONS.

(1)  "County election officer" means an individual employed by a county as an elections administrator, voter registrar, county clerk, or other officer with responsibilities relating to the administration of elections.
(2)  "Election data" means information that is created or managed in the operation of an election system.
(3)  "Election system" means a voting system and the technology used to support the conduct of an election, including the election data processed or produced in the course of conducting an election, such as voter registration information, ballot information, collected and tabulated votes, election management processes and procedures, and other election-related documents and election data.

Sec. 279.002. ELECTION CYBERSECURITY: SECRETARY OF STATE.

(a)  The secretary of state shall adopt rules defining classes of protected election data and establishing best practices for identifying and reducing risk to the electronic use, storage, and transmission of election data and the security of election systems.
(b)  The secretary of state shall offer training on best practices:
(1)  on an annual basis, to all appropriate personnel in the secretary of state's office; and
(2)  on request, to county election officers in this state.
(c)  If the secretary of state becomes aware of a breach of cybersecurity that impacts election data, the secretary shall immediately notify the members of the standing committees of each house of the legislature with jurisdiction over elections.

Sec. 279.003. ELECTION CYBERSECURITY: COUNTY ELECTION OFFICERS.

(a)  A county election officer shall annually request training on cybersecurity from the secretary of state.  The secretary of state shall pay the costs associated with the training with available state funds.
(b)  A county election officer shall request an assessment of the cybersecurity of the county's election system from a provider of cybersecurity assessments if the secretary of state recommends an assessment and the necessary funds are available.
(c)  If a county election officer becomes aware of a breach of cybersecurity that impacts election data, the officer shall immediately notify the secretary of state.
(d)  To the extent that state funds are available for the purpose, a county election officer shall implement cybersecurity measures to ensure that all devices with access to election data comply to the highest extent possible with rules adopted by the secretary of state under Section 279.002.

Pre-Election Security Procedures: Subchapter C, Chapter 129 outlines our general voting system security procedures.

Sec. 129.051. Pre-election security procedure.

(a) The general custodian of election records shall create and maintain an inventory of all electronic information storage media.
(b) The general custodian of election records shall develop a procedure for tracking the custody of each electronic information storage medium from its storage location, through election coding and the election process, to its final post-election disposition and return to storage. The chain of custody must require two or more individuals to perform a check and verification check whenever a transfer of custody occurs.
(c) The general custodian of election records shall establish a secured location for storing electronic information storage media when not in use, coding a medium for an election, transferring and installing the medium into voting system equipment, and storing voting system equipment after election parameters are loaded.
(d) An election information storage medium shall be kept in the presence of an election official or in a secured location once the medium has been coded for an election.
(e) The general custodian of election records shall create a procedure for tracking the custody of voting system equipment once election parameters are loaded.
(f) The general custodian of election records shall create a recovery plan to be followed if a breach in security procedures is indicated. This plan must include immediately notifying the secretary of state.
(g) The general custodian of election records shall conduct a criminal background check for relevant election officials, staff, and temporary workers upon hiring.

Sec. 129.052. Transport of voting system equipment.

(a) The general custodian of election records shall adopt procedures for securely storing and transporting voting system equipment. The procedures shall include provisions for locations outside the direct control of the general custodian of election records, including overnight storage at a polling location. Procedures relating to the chain of custody must require two or more individuals to perform a check and verification check whenever a transfer of custody occurs.
(b) The general custodian of election records shall create a recovery plan to be followed if a breach in security procedures is indicated. This plan must include immediately notifying the secretary of state.
(c) The general custodian of election records shall provide a training plan for relevant election officials, staff, and temporary workers that addresses the procedures authorized under this section.

Sec. 129.053. Access to voting system equipment.

The general custodian of election records shall secure access control keys or passwords to voting system equipment. Use of access control keys or passwords must be witnessed by one or more individuals authorized to use that information. The use of an access control key or password must be documented and witnessed in a log dedicated for that purpose that is retained until the political subdivision disposes of the equipment.

Sec. 129.054. Network connections and wireless technology.

(a) A voting system may not be connected to any external communications network, including the Internet.
(b) A voting system may not have the capability of permitting wireless communication unless the system uses line-of-sight infrared technology that shields the transmitter and receiver from external infrared transmissions and the system can only accept transmissions generated by the system.
(c) The secretary of state may not waive any requirements of this section.

Sec. 129.055. Equipment and software.

The sole purpose of voting system equipment is the conduct of an election, and only software certified by the secretary of state and necessary for an election may be loaded on the equipment.

Sec. 129.056. Plan for machine failure.

The general custodian of election records shall create a contingency plan for addressing direct recording electronic voting machine failure. This plan must include the timely notification of the secretary of state.

Sec. 129.057. Use of machine in early voting.

A direct recording electronic voting machine deployed for early voting may not be deployed on election day.

In the polling place: Chapter 125 of the Texas Election Code provides procedures on inspecting equipment at the polling place before the polls open, during the course of the election, and after the polls close.

Sec. 125.005. Maintaining security of equipment during voting.

(a) The presiding judge shall periodically have an election officer inspect the voting system equipment for tampering and damage while voting is in process.
(b) If any tampering or damage is discovered, the inspecting officer shall immediately stop use of the equipment and report to the presiding judge, who shall promptly take appropriate action.

Sec. 125.061. Inspecting equipment at polling place.

(a) Before opening a polling place for voting on election day, the presiding judge shall inspect any electronic voting system equipment installed at the polling place to determine whether it is installed and functioning properly.
(b) The presiding judge shall take appropriate corrective action if the equipment is not installed or functioning properly.

Sec. 125.063. Securing equipment on close of voting.

On the close of voting at each polling place at which electronic voting system equipment is used, an election officer shall secure or inactivate the equipment as prescribed by the secretary of state so that its unauthorized operation is prevented.