Learning from early challenges, communicating clearly, and addressing problems at their source all stress the same point: Readiness is imperative! ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­    ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­  
View in browser
ESX News Header

May 27, 2026

TLP:CLEAR

In This Issue:

  • Situation Room: A look-back at the first 16 primaries of 2026 exemplifies the impact of unexpected events on election processes. 
  • Resource Library: Communicating During an Election Incident provides election officials with five steps for timely and effective public communication. 
  • Planning Desk: Within the Incident Response Process, eradication is the critical step of removing the cause of a cyber attack, not just the symptoms. 
Header text: Situation Room

Security Review of First 16 Statewide Primaries

 

An Exchange team look-back at security issues in the first 16 statewide primaries of 2026 describes an election landscape where sparks are popping without igniting.

 

The most startling incidents involved explosive devices. We reported in our March 11 issue on a flash-bang device tossed from a moving vehicle into the grass outside the park building hosting an early voting site in Moore County, North Carolina. The device produced significant noise but limited explosive force. Moore County law enforcement believes the voting site was the intended target.

 

In a similar incident last week, an explosive device tossed from one moving vehicle detonated beneath another, “partially destroying it.” The incident occurred a half block from a polling place in Lehigh County, Pennsylvania, where voting was underway. The driver of the damaged car spoke to the media without suggesting they were targeted.

 

With no evidence that the election was targeted, officials kept the polling place open. However, street closures, police activity, and general concerns after the incident may have deterred some voters, as poll workers said that voter arrivals slowed. At press time, two suspects had been arrested, and police still say there is no connection to the election.

 

These incidents underscore the importance of strong communications planning to reassure voters and describe alternatives, even parking alternatives, that can help them vote with less disruption, while maintaining the security of the election.

 

In Ohio’s May 5 primary, Exchange sources reported a series of events with some similarity to the Pennsylvania incident. Bomb threats without a clear connection to the election – at zoos, a university, and a school – caused concern among election officials, uncertain how evacuations, rumors, and visible law enforcement responses might impact voters and poll workers.

 

Shortly before the May 19 Georgia primary, a threatening manifesto and a suspicious object disrupted a gubernatorial campaign event for Secretary of State Brad Raffensperger, the state’s outgoing chief election official. As with the Pennsylvania incident, it’s not clear that the motive or disruptive intent had any relationship to his election administration duties.

 

Other primary news includes a few election mishaps, some likely prompted by late changes to election laws, sites, or procedures. These incidents remind us that issues, small and large, can generate confusion and anger that amplify existing narratives of distrust and create security vulnerabilities.

 

In Indiana’s May 5 primary, one county made a programming error that led to voters seeing contests that shouldn’t have been on their ballot. Fortunately, the issue affected only local races whose outcomes were not close. Another county failed to include roughly 1,900 ballots that “had been accounted for on Election Night” in the initial, unofficial results. The issue, corrected by the following Friday, changed the outcome of contests for a township board race and a party precinct committee person.

 

In one Kentucky county, nearly 60 election workers called out or did not show up on the morning of the May 19 primary, requiring the use of 159 alternate workers. Confusion about closing procedures at three affected precincts delayed the release of results. The county clerk noted the small size of the team in her office while lauding their work in navigating the issues.

 

In Butts County, Georgia, results were significantly delayed when election officials determined that the memory card in an early voting machine was “corrupt”, requiring all the ballots tabulated by that machine to be rescanned. The County Election Director assured the public that all votes were present and accounted for.

 

More than 12,000 voters went to the wrong polling place in Texas’s March 3 primary, after a party decision forced Williamson and Dallas Counties to change from vote centers to precinct-based voting for that election. The election offices worked hard to communicate the change, but the party decision was made only in January, leaving less than two months for the message to reach voters. The change left thousands of voters from each major party misrouted. The numbers come from a Dallas County effort to text polling place directions to those who initially went astray. Adding voters in Williamson and those who chose not to give phone numbers, the true totals are likely much higher.

 

In Louisiana and many parts of Alabama, voters in mid-May primaries received ballots with a major contest that was no longer on the ballot. Both states moved their U.S. House primaries to special election dates later in the year in order to use district maps newly allowed under the U.S. Supreme Court’s Callais decision. In Alabama, only four of the state’s seven congressional districts were affected, while primaries in the other three did take place last week.

 

Because there was insufficient time to reprint, the House contests remained on ballots, with vote totals not tabulated. This may have limited disruption to election offices in both states. An earlier change might have forced a rapid re-mapping in an election where overlapping districts at federal, state, and local levels mean many precinct splits and ballot styles – a recipe for confusion and inadvertent errors.

 

A common thread across these events is the importance of effective communication with voters when the voting process is disrupted. For additional guidance on communicating during election incidents, review the resources highlighted in the Resource Library section of this newsletter.

 

The Situation Room focuses on real security incidents and threats in the news relevant to election security. To review previous issues, see the newsletter archive.

Header text: Resource Library

Communicating During an Election Incident

 

When an issue arises during an election, how you communicate about it with the public is almost as important as how you resolve it. Communicating During an Election Incident is a new resource from the Election Security Exchange that provides election officials with easy-to-understand guidance on accurate, timely, and coordinated communications.

 

Transparency and accuracy are critical to maintaining public confidence. Without timely communication from election officials, the wrong information can quickly fill the void. The guide focuses on five basic steps election officials can take to effectively inform the public and ensure they remain the trusted source when something goes wrong:

  • Prepare now. Identify your communication partners, including media, before the election, and prepare preexisting templates for various scenarios.
  • Coordinate messaging. Ensure alignment with security partners before going public.
  • Acknowledge early. Establish your office as the trusted source by communicating quickly, even if you do not have all the information.
  • Be clear. State what’s known, unknown, and what is happening next.
  • Provide consistent updates. Continue communicating until the situation is resolved.

By following these basic steps, election officials can ensure that they remain in control of the narrative during an incident. Most importantly, effective communication means the voting public knows what happened, any changes they should be aware of, and ultimately, that the issue has been resolved.

 

Additional Resources

  • For an in-depth review of communication strategies during an incident, including useful templates for each phase of your response, see CISA’s Election Infrastructure Incident Response Communications Guide.
  • For a deep dive into the development of a successful public communications plan, see CISA’s Enhancing Election Security Through Public Communications.
  • For practical advice on effective engagement with the media, including tips for conducting a successful interview, see the Partnership for Large Election Jurisdictions’ Toolkit: Best Practices for Media Engagement. 

The Resource Library section of the newsletter spotlights election security resources. All highlighted resources are available online in the Resource Library.

Header text: Planning Desk

Week E-23: Eradication: Remove the Cause, Not Just the Symptom

 

Eradication is the step in the Incident Response Process that determines whether you resolve an incident or prolong it. Containment stops the spread; recovery brings things back online. Eradication is the work in between: finding and removing the underlying cause so you are not dealing with the same problem weeks later.

 

Once containment puts out the immediate fire, recovery may appear to be in sight. But starting recovery before eradication is complete can restore the underlying cause. The cleanup you just did can be undone, accompanied by less patience from leadership and more public attention.

 

Symptom Versus Cause

 

Consider this example: an election staff member clicks a phishing link, and their account is used to send more phishing emails. The symptom is the outbound emails. The cause is the entry path that lets the click succeed.

 

Eradication of that incident is not just about stopping the emails. It also includes resetting credentials, checking settings the attacker may have changed, revoking active sessions, looking for any other accounts affected by the same source, and tackling whatever made the original click effective. That is often a missing multi-factor prompt, a filter rule that should have caught the message, or a permission that was broader than necessary.

 

If you only stop the outbound email, the account is still reachable, the rules are still in place, and the next phishing wave finds the door propped open.

 

Actions You Can Take

 

Containment is dramatic, recovery is satisfying, and eradication is quiet. Review the following actions with your IT, incident response team, and Election Security Working Group to support thorough eradication in the event of a cyber attack.

  1. Build a short eradication checklist for the most likely scenarios: phishing, ransomware, website defacement, and insider misuse. For each, write down what "root cause removed" specifically requires. That definition will help keep the incident response team honest under pressure.
  2. Name the eradication owner. One person must confirm the cause is gone before recovery begins. That person can use outside help, but the accountability is theirs.
  3. Require the two-question test before any recovery action. Before declaring eradication complete, two questions must be answered:
    -  How did this incident start?
    -  Is whatever allowed it to start no longer present?

    If you cannot answer both clearly, you are not finished. That is not a failure; it is a signal to keep working or bring in help. Prematurely declaring eradication complete is the single most expensive mistake in this phase. Put this test in your incident response plan as a checkpoint, not a suggestion.
  4. Plan for help. Some root causes are beyond in-house capacity. Know in advance which incident types trigger a call to your State Fusion Center, FBI, or your contracted incident response firm.
  5. Keep eradication notes with the containment log. Our previous Planning Desk’s action steps described a containment log. Expand that same log to include notes on the eradication actions completed. This log serves as your audit trail and your post-incident learning record. Again, a shared or handwritten document with timestamps is fine. Memory is not.

Next week’s issue moves to recovery, the step that finally puts the office back together, carefully.

 

The Planning Desk is a running timeline of key election security tasks. You can find prior editions in the newsletter archive.

Header text: Election Security News


Want to get daily updates on election news? Subscribe to electionline.

  • Advisory: Incendiary or Explosive Devices | Election Security Exchange (May 26, 2026) // National
  • The next election could be less secure | Salon (May 21, 2026) // National
  • Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches | CyberScoop (May 19, 2026) // National
  • Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens | Federal Bureau of Investigation (May 21, 2026) // National

 
LinkedIn
YouTube
Email
Website

Copyright © 2026 Election Security Exchange. All rights reserved. TLP:CLEAR

 

You are receiving this email because you subscribed to the Election Security Exchange Newsletter.

 

Find this useful? Pass it along and invite other election teams to subscribe.
Subscribe

Election Security Exchange

712 H Street NE, Suite 2456

Washington, DC, 20002, United States

Unsubscribe Manage Preferences