Election Security Spotlight – Virtual Private Network (VPN) for Election Offices

What it is

Virtual Private Networks (VPNs) encrypt and transmit data allowing a user to securely connect to the internet or access a remote network on an untrusted connection. This ensures that all transmitted data remains confidential.

Organizations use VPNs to allow employees to connect to their internal network when working remotely. Other common uses include securely connecting on public Wi-Fi, user anonymity, and circumventing government censorship. Many cybersecurity firms offer ready-made hardware and software solutions to deploy VPN. Well-resourced organizations can also develop their own solutions, such as setting up a VPN router to manage secure connections.

When an employee connects to a VPN, it will appear as if they are connecting to the internet from the organization’s network, instead of their remote location. Below is a diagram showing how VPNs may be used in an election system.

Why it matters

Election offices can use a VPN to:

    • Protect data streams if an employee must connect to an office network, or transmit
      sensitive data (e.g. employee or voter data), while working remotely.
    • Securely connect local election officials’ workstations to a state voter registration
    • Securely transmit information to an external partner, such as an election vendor.

When a VPN connection is established it becomes an extension of your network. Organizations using VPNs should take steps to secure them like any other piece of hardware/software. VPNs are not designed to prevent malware or viruses from spreading between the devices and networks they connect. Devices and networks that are connecting to an enterprise VPN should be trusted. If a vendor’s network, or an individual’s device, has been compromised or infected with malware, a cyber threat actor could use the VPN to access your network or spread the infection.

What you can do

  • Implement a VPN where applicable.
    • Review CISA’s Enterprise VPN Security Alert.
    • Update the hardware and software used by VPNs and implement a patch
      management program to prevent malicious actors from exploiting known
      vulnerabilities. There have been reports of cyber threat actors targeting
      VPNs by exploiting known vulnerabilities in hardware/software systems.
  • Implement multi-factor authentication on all VPN connections.
  • Work with IT personnel to test VPN limitations.
  • Review CIS’ “Telework and Small Office Network Security Guide” for tips on
    securing a remote work setup.
  • If a trusted third party, like a vendor, provides the VPN used to connect to your
    network, confirm they are following the same security principles as your
  • For more tips on working with vendors, review CIS’ “A Guide for Ensuring
    Security in Election Technology Procurements.”

Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to [email protected] to request a topic.