Pillar 01 · 8 documents · 37 pages

Vulnerabilities in Electronic Voting and Ballot-Counting Systems

This eight-document collection, declassified in stages between March and July 2026, assembles two decades of US government reporting on the security of electronic voting and ballot-counting systems. It pairs a CIA summary of 2004-2020 intelligence on Venezuela's alleged capability to manipulate Smartmatic-based voting systems with a cluster of 2020-2021 products on foreign threats to the 2020 US election: a National Intelligence Council memorandum on infrastructure vulnerabilities, a NIC assessment of Russian, Chinese, and Iranian influence operations, a CIA WIRe article on Chinese APT31 cyber targeting of a presidential campaign, and a formally branded "Alternative Analysis" dissent arguing China took low-level steps to undermine President Trump's reelection. Two internal emails document sharp interagency friction — the FBI's "absolute red line" objections to that minority view and a later ODNI complaint of inconsistent IC characterization of the same Chinese unit. A 2026 CISA report closes the set with unclassified technical findings: election software carries typical vulnerability classes, certification rules leave known flaws unpatched for months, and CISA red teams repeatedly gained full control of state and local networks within hours or days.

Election Integrity · From the White House release

For years Americans were blatantly lied to about the security of our election infrastructure, including electronic voting machines and ballot-counting systems. We are releasing a series of previously-classified U.S. Intelligence Community Assessments and other reports proving that our government has long known these machines are extremely exposed to attack. As one assessment states: “We judge that U.S. adversaries, including at a minimum Russia, China, Iran, and North Korea, as well as non-state groups, have the capability to compromise U.S. election infrastructure.” The documents also state: “We assess that centralized election-related data repositories, such as voter registration databases, pollbooks, and official election websites, are most vulnerable to exploitation, and adversaries could use access to these systems to disrupt election processes.” Tonight, we are releasing all of these findings, spanning from January 2020 to June 2026. This is a cyber threat aimed at the very heart of our democracy.

Many people have questioned whether it could actually be possible to electronically manipulate vote totals or change election results. Today, we are releasing documents that show the CIA obtained reporting of a specific plot by the Maduro regime in Venezuela to do exactly that—conspiring to digitally rig their own country’s elections in 2020. This reporting included precise details about methods the regime developed to digitally alter vote totals in ways that could not be detected even with an audit. This intelligence underscores why we must take urgent action to ensure that our own systems can never be hacked or compromised.

By the numbers

What the documents record

The record

What this collection contains

The collection's centerpiece on foreign capability is the CIA Note summarizing 2004-2020 reporting on Venezuela [1]. It records April 2004 reporting that Hugo Chavez aimed to prevent a sitting US president's reelection; a 2006 assessment rating Smartmatic's acquisition of Sequoia Voting Systems — with contracts in roughly 400 US counties — a "moderate overall threat," prompting a 2007 CFIUS-driven divestiture; pre-2012 reporting that Venezuelan intelligence, the CNE, and Smartmatic planned to deploy altered machines to about 300 voting centers to secure a 1.5-million-vote win (Chavez won by about 1.6 million); and September 2020 reporting on a virtual-machine technique to substitute manipulated data while evading audits. Crucially, the note stresses CIA's baseline view that no large-scale electronic fraud was confirmed in 2012 and that neither Smartmatic nor Venezuela could predictably manipulate elections abroad.

The 2020-cycle products assess US exposure. NICM 2020-003 [2] judges Russia, China, Iran, and North Korea capable of compromising US election infrastructure — noting Russia reconnoitered all state election networks in 2016 and that DefCon 2019 hackers compromised over 100 certified machines — while assessing wide-scale vote manipulation would be difficult and likely exposed by audits and paper trails. The August 2020 NICA [3] details Russian denigration of Biden via proxies Derkach and Kilimnik, Iranian operations authorized by Khamenei, and Chinese economic signaling, repeating the judgment that audits would most likely catch localized machine manipulation. The CIA WIRe article [4] documents APT31 spear-phishing of a presidential campaign's staffers — the cycle's first direct campaign targeting — while assessing China did not then intend to sway the outcome.

That judgment became the collection's fault line. NICM 2020-09381 [5], a minority view by the NIO for Cyber and D/ETA, argues Beijing took "at least some low-level, exploratory steps" against Trump's reelection — "black materials" collection, tasked protests, deepfake experimentation — at low-to-medium confidence. The FBI pushed back hard [6], with DAD Nikki Floris calling the intent claim "extremely misleading" and analytic standards "an absolute red line." A December 2021 email [7] shows the NIO-Cyber alleging the IC later attributed the same Chinese unit's identical activity as foreign election influence while labeling it mere "issue influence" in the US.

Finally, CISA's July 2026 report [8] grounds the debate technically: election software contains input-validation, deserialization, and privilege-escalation flaws; certification "lockdown" rules leave known vulnerabilities unpatched for months or years; CISA assessors repeatedly gained full control of state and local networks within hours or days; and the 2020 ImageCast X barcode issue showed votes could be altered without physical access. It recommends paper ballots, manual audits, harmonized patching rules, and transparency, asserting citizens have a right to know when election infrastructure is compromised.

Themes in this collection
Venezuelan manipulation capability and the Smartmatic question

Two decades of reporting on Chavez- and Maduro-era plans to alter electronic voting results — altered machines in 2012, virtual-machine data substitution in 2020 — alongside CIA caveats that large-scale fraud was never confirmed and that Smartmatic could not predictably manipulate elections outside Venezuela.

Technical vulnerability vs. practical difficulty of vote manipulation

Assessments consistently find election infrastructure exploitable (DefCon compromises, barcode flaws, soft SLTT networks) yet judge wide-scale, undetected vote-count manipulation difficult, with paper trails and post-election audits the key safeguard.

Chinese cyber collection and the election-influence dissent

APT31 spear-phishing of campaigns and officials, voter-database collection, and a formal minority view that Beijing took exploratory steps against Trump's reelection — against the IC mainline judgment that China chose restraint.

Interagency analytic conflict and alleged inconsistency

Internal emails reveal the FBI's 'absolute red line' objections to the China minority view and a later ODNI officer's charge that the IC labeled the same Chinese unit's activity 'election influence' abroad but only 'issue influence' at home.

Russian, Iranian, and other foreign influence operations in 2020

Kremlin proxies denigrating Biden, Iranian campaigns authorized by Khamenei, Turkish covert funding, and ransomware incidents — influence aimed at voters and confidence rather than confirmed vote-count alteration.

Certification gaps, patching delays, and transparency

CISA finds certification regimes leave known vulnerabilities unpatched for months or years, vendor threat models assume unrealistic network isolation, and secrecy about incidents erodes public trust.

The 2026 declassification wave

All documents were released between March and July 2026 under stamps from DNI Gabbard, D/CIA Ratcliffe, President Trump, and Counsel to the President Warrington, with redactions ranging from moderate to heavy.

Chronology

Timeline drawn from the documents

Open the timeline 34 dated entries
April 2004
Intelligence reporting indicates Hugo Chavez stated his objective was to prevent the reelection of a sitting US president.
2006
National Security Threat Assessment rates Smartmatic's acquisition of Sequoia Voting Systems a 'moderate overall threat,' citing contracts in roughly 400 US counties; the assessment also concludes neither Smartmatic nor Venezuela could predictably manipulate elections outside Venezuela.
2007
Under CFIUS pressure, Smartmatic divests Sequoia Voting Systems.
2008 onward
Chinese cyber actors conduct collection activity against every US presidential election campaign since at least 2008.
2012
Pre-election reporting describes plans by DGCIM and SEBIN with the CNE and Smartmatic to deploy altered machines to about 300 voting centers to ensure a ~1.5-million-vote victory; Chavez wins by ~1.6 million, though CIA's baseline assessment finds no large-scale electronic fraud.
2013
CIA 'Devil's Advocacy' alternative analysis outlines a plausible scenario for undetected large-scale electronic manipulation of Venezuela's 2012 election.
2016 election cycle
Russia almost certainly reconnoiters all US state election networks, accesses election-related infrastructure in at least two states, and exfiltrates voter data from at least one state.
2017
A separate Chinese effort begins identifying e-mail addresses of high-level US officials and requesting that passwords be obtained or cracked.
August 2017
Smartmatic publicly accuses the Maduro regime of inflating turnout by over one million votes in the National Constituent Assembly election.
2018
APT31 begins targeting personal e-mail accounts of senior US leadership including Executive Office of the President officials, Congress, and the federal judiciary; the IC assesses China begins researching tools for online covert influence operations targeting Americans.
March 2018
Smartmatic ceases operations in Venezuela after its turnout-inflation accusations.
2019
At DefCon, hackers compromise more than 100 voting machines, all certified for use in at least one US jurisdiction; a pollbook is modified to run the videogame Doom.
May 2019
Unidentified cyber actors render a US county election website unavailable on the night of a mayoral primary; offline tabulation results are unaffected.
2019-2024
CISA and Idaho National Laboratory run the Critical Product Evaluation program assessing election software; the program is retired in 2024 with final reporting concluded in 2025.
15 January 2020
NICM 2020-003 assesses that Russia, China, Iran, North Korea, and nonstate groups can compromise US election infrastructure, but wide-scale vote manipulation would be difficult and very likely uncovered by audits and paper trails.
January 2020
Iranian-contract cyber actors try to compromise a server of a US business involved in election infrastructure; the FBI helps remediate.
March 2020
China launches overt and covert influence efforts around the COVID-19 narrative, including cartoons denigrating the President's handling of the crisis.
April 2020
Unidentified actors use ransomware to compromise computers of a Virginia county administrator and vote registrar.
20 May 2020
APT31 actors have sent spear-phishing e-mails with tracking links to Gmail accounts of a presidential campaign's staffers.
4 June 2020
Google announces APT31 targeting of the campaign; Google and the FBI brief campaign officials, and Google publicly calls the attempts unsuccessful. The same month, Google announces unsuccessful Iranian spearphishing of Trump campaign staffers.
1 July 2020
CIA WIRe article assesses China is probing a US presidential campaign for collection opportunities but does not currently intend to covertly interfere to sway the election outcome.
19 August 2020
NICA 2020-06885D details Russian denigration of Biden via proxies Derkach and Kilimnik, Iranian influence authorized by Khamenei, Chinese economic signaling, and judges wide-scale vote manipulation would be difficult and likely caught by audits.
September 2020
Reporting describes Venezuelan plans to manipulate the December 2020 National Assembly elections via a second set of virtual machines substituting manipulated data while evading audits; analysts judge the regime did not need gross fraud given the opposition boycott.
16 October 2020
NICM 2020-09381 'Alternative Analysis' by the NIO for Cyber and D/ETA assesses Beijing took 'at least some low-level, exploratory steps' to undermine President Trump's reelection, dissenting from the IC mainline view.
2020
ImageCast X Ballot Marking Devices encode voter selections in barcodes voters cannot verify; research later shows barcode-encoded votes could be changed without physical access.
30 December 2020
FBI Counterintelligence DAD Nikki Floris sends formal objections to the ICA's China minority view, calling equal analytic standards 'an absolute red line' and the intent claim 'extremely misleading.'
1 July 2021
J. Alex Halderman's expert report in Curling v. Raffensperger demonstrates hackers could change votes encoded in ImageCast X barcodes without physical access.
23 December 2021
The NIO for Cyber emails colleagues arguing the IC inconsistently labeled the same Chinese unit's activity 'election influence' abroad but only 'issue influence' in the US 2020 election — 'the same personnel doing the same kind of activity.'
25 September 2025
Mojave Research delivers an ODNI-commissioned forensic examination of Dominion Voting Systems devices used in Puerto Rico's 2024 election; CISA reviews the report without device access.
16 March 2026
DNI Gabbard declassifies NICM 2020-003 on 2020 election infrastructure vulnerabilities.
29 June - 1 July 2026
CIA completes its note summarizing 2004-2020 Venezuela voting-manipulation reporting; D/CIA Ratcliffe declassifies it on 1 July 2026.
3 July 2026
President Trump declassifies the August 2020 NICA, the October 2020 China minority-view NICM, and the December 2021 NIO-Cyber email, and approves NICM 2020-003 for public release.
10 July 2026
Counsel to the President Warrington approves public release of the CIA Venezuela note and declassifies the CIA WIRe article and the FBI ICA-comments email.
13 July 2026
CISA issues its election report finding unpatched known vulnerabilities on production election systems, soft SLTT networks, and recommending paper ballots, manual audits, and incident transparency.
The documents

Every document in this collection

Summaries and key findings below are drawn solely from each document. Open the original PDF alongside any entry.

Central Intelligence Agency June 29, 2026 6 pages

(U) Summary of Select Intelligence Reporting from 2004-2020 on Venezuela's Electronic Voting Manipulation Capabilities

CLASSIFICATION REDACTEDintelligence assessmentmoderate redactions

This CIA memo summarizes intelligence from 2004-2020 on Venezuela's interest in rigging electronic voting, including reports that Venezuelan agents planned to deploy altered machines to about 300 voting centers before the 2012 election, which Chavez won by roughly 1.6 million votes. The memo also notes the CIA's own conclusion that no large-scale electronic fraud actually occurred in 2012, and that Venezuela could not predictably manipulate elections outside its borders.

“it did not definitively confirm that large-scale electronic fraud was successfully executed in specific Venezuelan elections, with CIA's baseline assessments maintaining that other factors better explained electoral outcomes”

From this document, p. 2
Full summary & key findings

Intelligence reporting from 2004-2020 documented sustained interest by Hugo Chavez and Nicolas Maduro in manipulating electronic voting systems, including Smartmatic technology, according to this CIA Note. An April 2004 report indicated Chavez's stated objective to prevent a sitting US president's reelection, and a 2006 threat assessment rated Smartmatic's acquisition of Sequoia Voting Systems — with contracts in roughly 400 US counties — a "moderate overall threat," prompting federal foreign-investment review pressure that forced Smartmatic to divest Sequoia in 2007. Pre-2012-election reporting described plans by Venezuela's military and civilian intelligence services, the National Electoral Council, and Smartmatic to deploy altered machines to about 300 voting centers to ensure victory by roughly 1.5 million votes; Chavez won by about 1.6 million. September 2020 reporting described a virtual-machine technique to substitute manipulated data while evading audits. The note stresses caveats: CIA's baseline held no large-scale electronic fraud occurred in 2012, the 2013 fraud scenario was an alternative-analysis exercise, and the 2006 assessment found neither Smartmatic nor Venezuela could predictably manipulate elections outside Venezuela. Its source endnotes are entirely redacted.

  • Intelligence Community reporting from 2004-2020 documented persistent concerns about Venezuelan government manipulation of electronic voting systems, including Smartmatic technology, but did not definitively confirm large-scale electronic fraud was successfully executed in specific Venezuelan elections.
  • April 2004 intelligence reporting indicated Hugo Chavez stated his objective was to prevent the reelection of a sitting US president, suggesting intent to influence US domestic politics; this was part of the basis for the 2006 IC assessment.
  • The 2006 National Security Threat Assessment by the National Intelligence Council rated Smartmatic's acquisition of Sequoia Voting Systems a "moderate overall threat to US national security interests," citing among other factors Smartmatic's and Sequoia's reported contracts in approximately 400 US counties; CFIUS pressure led Smartmatic to divest Sequoia in 2007.
  • Prior to Venezuela's 2012 presidential election, reporting indicated Chavez's intelligence services (DGCIM and SEBIN) worked with the National Electoral Council (CNE) and Smartmatic on plans to deploy altered, preprogrammed machines to approximately 300 voting centers in pro-Chavez areas to ensure victory by approximately 1.5 million votes; Chavez won by approximately 1.6 million votes and reportedly congratulated his team for implementing the plan.
  • CIA's baseline assessment maintained that no large-scale electronic fraud occurred in Venezuela's 2012 election, based on pre-election polling showing Chavez ahead by about 10 percentage points, a 24% increase in government spending before the election, the opposition's concession, and CIA quantitative analysis showing no irregular voting patterns.
  • In 2006, CIA analysts assessed as theoretically achievable claims that Venezuelan voting machines had unspecified artificial intelligence components, were designed to alter vote tallies, could detect when audited, and could print receipts without registering votes — a technical-feasibility judgment, not confirmation such features were implemented.
  • A 2013 CIA "Devil's Advocacy" alternative analysis outlined a plausible scenario for undetected large-scale electronic manipulation of the 2012 election, citing insider-access vulnerability, the CNE's centralized control of voting technology, and gaps in opposition monitoring, while acknowledging "conflicting [redacted] reporting" and limited insight.
  • September 2020 reporting said Venezuela had developed detailed technical plans to manipulate the December 2020 National Assembly elections by creating a second set of virtual machines to replicate legitimate voting-machine results and substitute manipulated data — replicating digital hash files, mimicking machines favoring the ruling party, overwriting hash files of machines favoring the opposition, and making altered votes appear legitimate — while evading standard audit procedures; sourcing was limited, and analysts judged the regime did not need gross fraud given the opposition boycott.
  • Reporting consistently indicated individuals tied to Venezuelan intelligence had access to election technology: in 2012 Chavez assigned an army communications specialist to the CNE for real-time access to results, and the CNE IT Director, a confidant of the head of military intelligence, designed protocols for auditing voting software.
  • In March 2018, Smartmatic ceased operations in Venezuela after publicly accusing the Maduro regime of inflating voter turnout by over one million votes in the August 2017 National Constituent Assembly election, figures that diverged from Smartmatic machine data.
  • The 2006 IC assessment concluded neither Smartmatic nor the Venezuelan government had the capability — the level of control or access required — to manipulate the outcome of an election outside Venezuela in a predictable fashion, since domestic manipulation depended on controlling every stage from machine acquisition through auditing.
  • The 2006 IC assessment that Smartmatic's Venezuela ties posed a national security threat led to US government action forcing Smartmatic to divest its US operations in 2007.
View original PDF 596 KB · 6 pp
Cybersecurity and Infrastructure Security Agency, Department of Homeland Security July 13, 2026 6 pages

Election Report (CISA)

unmarkedreport

This DHS cybersecurity agency report describes its testing of U.S. election systems from about 2019 to 2024. Testers found common software flaws that certification rules can leave unpatched for months or years, and in several exercises they gained full control of state and local networks within hours or days. The report recommends paper ballots people can read, hand audits before results are certified, and faster patching.

“For example, some government election systems certification regimes require that no patches be applied for months before an election.”

From this document, p. 1
Full summary & key findings

CISA reports that election software contains typical vulnerability classes — input validation bugs, insecure deserialization, race conditions, insecure cryptography, privilege escalation — and that certification rules, including federal Election Assistance Commission requirements and state pre-election "lockdown" periods, leave known flaws unpatched on production systems for months or years. The report covers work from roughly 2019 to 2024, all at system owners' request: software analysis with Idaho National Laboratory under the Critical Product Evaluation program (retired 2024), penetration testing of state, local, tribal, and territorial networks, and incident response. In multiple tests, assessors gained full network control within hours or days, citing flat segmentation, weak identity management, poor logging, and legacy remote access. It notes the 2020 ImageCast X barcode issue and an intelligence-community-commissioned forensic review of Dominion devices from Puerto Rico's 2024 election, which CISA reviewed without device access. Recommendations include harmonized patching rules, paper ballots, manual audits, vendor vulnerability numbering, software bills of materials, and transparent incident disclosure.

  • From around 2019 to 2024, CISA evaluated election security via software examination, SLTT penetration testing/red teaming, and incident response, all upon request of system owners/operators; every identified vulnerability was reported to the owner/operator.
  • CISA partnered with Idaho National Laboratory on the Critical Product Evaluation program (2019-2024) to assess election software, often pre-release; the program was retired in 2024 based on stakeholder feedback, with final reporting concluded in 2025.
  • Election software vulnerabilities found included input validation bugs, insecure deserialization, insufficient logging, race conditions, insecure crypto primitives, and privilege escalation paths; CISA did not independently validate that deployed production builds incorporated all fixes.
  • Some certification regimes require no patches for months before an election, and state laws may require only EAC-certified software, producing environments where known, documented vulnerabilities persist for months or years on production election systems.
  • In multiple penetration tests, CISA assessors gained full network control of SLTT networks within hours or days, showing many SLTT partners cannot stop even moderately skilled adversaries.
  • Recurring SLTT weaknesses: flat/minimally segmented networks, weak identity and access management (poor MFA, shared credentials), lack of endpoint hardening, legacy remote access pathways, and insufficient network traffic monitoring.
  • Vendor threat models assume strong segmentation and airgaps, but CISA found election systems reachable from enterprise hosts via shared authentication domains, legacy VLANs, vendor support tunnels, and co-location on general-purpose virtualization clusters.
  • In 2020, ImageCast X Ballot Marking Devices encoded voter selections in barcodes voters could not verify; a researcher (J. Alex Halderman, Curling v. Raffensperger expert report, July 1, 2021) showed hackers could change barcode-encoded votes without physical access.
  • ODNI commissioned a forensic examination of Dominion Voting Systems devices used in Puerto Rico's 2024 election (Mojave Research report, September 25, 2025); CISA reviewed the report but had no access to the devices and performed no examination.
  • CISA recommends six mitigation measures for SLTT officials, including harmonizing patch/certification rules for real-time cybersecurity changes, human-readable paper ballots, and post-election manual audits of paper ballots before certification of results.
  • CISA recommends vendors assign CVE numbers, notify customers if election software source code is leaked or stolen, report cybersecurity incidents to authorities, and include an SBOM with all products.
  • The report asserts American citizens have a right to know when election infrastructure has been compromised, and that perceived secrecy around incidents can erode trust faster than the incidents themselves.
View original PDF 409 KB · 6 pp
National Intelligence Council October 16, 2020 7 pages

Making the Case That China Has Taken Some Steps to Influence the Presidential Election (NICM 2020-09381)

CLASSIFICATION REDACTEDintelligence assessmentheavy redactions

In this October 2020 memo, two senior intelligence analysts dissented from the intelligence community's official view, arguing China took "at least some low-level, exploratory steps" to hurt President Trump's 2020 reelection — including tasking its US missions to incite protests, experimenting with deepfakes, and targeting candidates' advisors and donors. The authors say their confidence is only low-to-medium, and note there was no evidence China tampered with voting systems or mail-in ballots.

“Beijing has taken at least some low-level, exploratory steps to undermine the President's reelection chances by denigrating him and shaping voter perceptions.”

From this document, p. 1
Full summary & key findings

Two senior intelligence officials formally dissented from the intelligence community's mainline judgment on China and the 2020 election, assessing that Beijing took "at least some low-level, exploratory steps" to undermine President Trump's reelection — while the broader community held China considered but never deployed such efforts. The National Intelligence Council's cyber officer and its election-threats director argue, with low-to-medium confidence, that Beijing worked to denigrate Trump and shape voter perceptions through overt messaging, nascent covert online capabilities, diplomacy, and economic leverage, while avoiding its most aggressive options to limit blowback. Evidence cited includes a recommendation that China collect derogatory "black materials" on the President, tasking of Chinese missions in the US to incite protests, government-affiliated tech employees covertly inciting violence, experimentation with anti-Trump deepfakes, a pro-China social media network denigrating him in English, a platform takedown of pro-China accounts posing as Americans, and targeting of candidates' advisors and donors. Tempering the case, the authors note no reporting of compromised voting infrastructure or mail-in ballot interference; a chart shows the two camps diverging on two of nine propositions. Key evidentiary details, including dates and sources, are heavily redacted.

  • The NIO for Cyber and D/ETA assess Beijing has taken at least some low-level, exploratory steps to undermine the President's reelection chances by denigrating him and shaping voter perceptions — differing from the IC judgment that Beijing considered but did not deploy influence efforts; they hold low-to-medium confidence.
  • The IC mainline view, including the NIO for East Asia, assesses Beijing has not deployed influence efforts intended to change the 2020 US presidential election outcome, preferring restraint to preserve the ability to repair relations after the election; the IC 'has seen no indication' (passage circled in yellow) that Beijing is engaged in such an effort.
  • Reporting cited: Beijing began taking unspecified steps around [redacted] 2020 to damage the US President's reelection campaign in response to US pressure on China's technology sector; senior leaders expected China's semiconductor industry would continue to be damaged if the President were reelected, and Chinese [redacted] expected sanctions relief if US resolve weakened or a candidate from a named US political party were elected.
  • In [redacted] 2020 a [redacted] recommended China collect derogatory 'black materials' on the US President and 'sensationalize' them at the appropriate time; a [redacted] in 2019 reference describes an aim to prevent the US President's reelection by suppressing his base.
  • The Chinese Government had tasked its missions in the US to use Chinese groups and organizations to incite protests to damage the President's public standing; government-affiliated Chinese technology company employees were assisting a campaign to covertly incite violence and protests against the US Government; Chinese [redacted] were experimenting with deepfakes intended to denigrate President Trump.
  • A pro-China influence network on US social media platforms posted English-language content denigrating the President; the NIO and D/ETA assess elements of the Chinese government were at minimum aware of and condoned the campaign and may have directed or conducted it, citing its ability to operate outside China's Great Firewall.
  • A US social media platform took down a cluster of unattributed pro-China accounts posing as Americans that posted US election-focused content in four groups — one favoring the President, two favoring his opponents, and one primarily denigrating the President; the IC assesses that since 2018 China has been researching methods and new tools for online covert influence operations targeting American audiences.
  • Starting in March, China launched overt and covert influence efforts on the COVID-19 narrative, including disinformation about the pandemic's origins and English-language cartoons denigrating the President's handling of the crisis; in May a CCP-owned newspaper warned economic measures against supporters of COVID-19 compensation lawsuits could affect US state and congressional races — the first time the IC observed Beijing publicly suggest willingness to impose economic costs affecting US elections; a 2019 [redacted] advised directing unspecified resources to political swing states.
  • Beijing over at least the past year stepped up efforts to influence views and policies of candidates for US political office by targeting their key advisors and financial donors; Chinese diplomats acknowledged the sensitivity of targeting donors and sought to hide such activity from US authorities.
  • Tempering the assessment: no reporting suggests China engaged in more aggressive measures such as funneling large donations, compromising voting infrastructure, or interfering with mail-in ballots; China continues buying agricultural products under the Phase One trade deal, which Beijing probably assesses helps the President's reelection bid.
  • An IC Terminology box defines election influence (overt/covert activities intended to affect candidates, parties, voters, or political processes) versus election interference (a subset targeting technical aspects: voter registration, casting and counting of ballots, reporting of results); the NIO and D/ETA assess China intends to at least indirectly affect US candidates, voters' preferences, and political processes, meeting the definition of election influence (passage circled).
  • Page 7 chart 'Comparing Judgments on Chinese Election Influence' (graphic ID NIC 2010-00891) shows IC and minority agreement (Yes/Yes) on 7 propositions — including broad influence efforts in the US, probable preference for Trump's defeat, considered/prepared influence options, and avoidance of interference with US election systems — but divergence on two: 'Intends public and diplomatic actions to undercut Trump in election' and 'Undertaken a few covert influence efforts to undermine Trump's reelection' (IC: No; Minority: Yes).
  • A footnote states that in NICM 2019-113 the IC warned that because China would probably use the same tactics to influence the election as it already uses to influence US policy, such a pivot might not be detected.
View original PDF 4.9 MB · 7 pp
National Intelligence Council for Cyber January 15, 2020 5 pages

Vulnerabilities in US 2020 Election Infrastructure (NICM 2020-003)

CLASSIFICATION REDACTEDintelligence assessmentmoderate redactions

This January 2020 memo by senior intelligence analysts assesses that Russia, China, Iran, and North Korea could hack U.S. election systems for 2020, though no specific plans were known. It reports Russia scanned all 50 states' election networks in 2016 and stole voter data from at least one state. Voter registration databases were judged most vulnerable, while changing actual vote counts at scale would likely be caught by audits and paper records.

“We judge that US adversaries, including at a minimum Russia, China, Iran, and North Korea, as well as nonstate groups, have the capability to compromise US election infrastructure for the 2020 presidential election.”

From this document, p. 1
Full summary & key findings

Russia, China, Iran, North Korea, and nonstate hackers all had the capability to compromise US election infrastructure ahead of the 2020 vote, this National Intelligence Council memo judges, though intelligence agencies knew of no specific plans to manipulate election systems (a scope note says it does not assess intentions). The memo reports Russia almost certainly reconnoitered all state election networks in 2016, accessed election infrastructure in at least two states, and stole voter data from at least one. Centralized targets — voter registration databases, pollbooks, election websites — are judged most vulnerable, while tabulation and results systems would be hard to manipulate at outcome-altering scale, and audits and paper trails (required in 38 states) would very likely catch it. It cites hackers at DefCon 2019 compromising over 100 certified voting machines, one pollbook modified to run Doom; 31 states plus DC allowing internet or fax ballot return; a May 2019 county election-website outage; and Pennsylvania findings on man-in-the-middle risks. It warns fabricated adversary claims could erode public confidence and recommends cyber hygiene, vendor verification, public education, and private warnings to adversaries.

  • The NIC judges that US adversaries, at a minimum Russia, China, Iran, and North Korea, as well as nonstate groups, have the capability to compromise US election infrastructure for the 2020 presidential election, but the IC does not know whether any have specific plans to manipulate election-related systems.
  • Russia almost certainly reconnoitered all US state election networks during the 2016 election cycle, accessed election-related infrastructure in at least two states, and exfiltrated voter data from at least one state.
  • Centralized election-related data repositories -- voter registration databases, pollbooks, and official election websites -- are assessed as most vulnerable to exploitation because of ease of access and comparative lack of security.
  • Systems that tabulate, transmit, or display election results are vulnerable to localized exploitation but would be difficult to manipulate on a wide enough scale to alter the election outcome; postelection audits and paper trails very likely would uncover such an effort.
  • At the 2019 DefCon cyber security conference, hackers demonstrated the ability to compromise more than 100 voting machines, all certified for use in at least one US voting jurisdiction; a pollbook at the DefCon Voting Machine Hacking Village was modified to run the videogame Doom.
  • Thirty-one states and the District of Columbia allow eligible voters to submit absentee ballots via Internet or fax; four states allow return via web portal, seven via fax only, and one allows mobile voting secured with blockchain technology.
  • Direct recording electronic (DRE) machines, especially those with no paper backup, are particularly vulnerable to cyber operations, though they are used far less than more secure machine types; postelection audits are now required in 38 states.
  • In May 2019, unidentified cyber actors rendered a US county election website unavailable on the night of a mayoral primary; tabulation results, stored on a separate non-Internet-connected system, were unaffected.
  • The Blue Ribbon Commission on the vulnerabilities of Pennsylvania's election infrastructure found transmission of preliminary results to public-facing websites is vulnerable to man-in-the-middle attacks, though certified offline copies would not be altered.
  • Adversaries could make wholly fabricated claims -- such as announcing they compromised all US voting machines -- that would be difficult, time-consuming, or impossible for the US Government to disprove, undermining public confidence.
  • Ballot and voting machine preparation is vulnerable to cyber, supply chain, or insider threats, but security measures, distributed storage facilities, and logic and accuracy testing would make a coordinated multi-state manipulation campaign difficult and detectable.
  • Recommended mitigations include physical security and cyber hygiene (noted as probably insufficient against the most advanced nation-state actors), third-party vendor verification, public messaging and education, and private messaging to adversaries about serious consequences.
View original PDF 1.3 MB · 5 pp
National Intelligence Council August 19, 2020 8 pages

Foreign Threats to 2020 US Federal Elections (NICA 2020-06885D)

CLASSIFICATION REDACTEDintelligence assessmentheavy redactions

This August 2020 assessment by senior US intelligence analysts reports that Russia, China, and Iran were each trying to influence the 2020 election: Russia by spreading claims against Joe Biden, Iran by pushing anti-Trump disinformation, and China by preferring Trump lose but holding back. The analysts judged that manipulating votes on a wide scale would be difficult and would likely be caught by audits and paper records.

“We assess that Russia is using a range of measures primarily to denigrate former Vice President Biden and what it sees as an anti-Russia establishment.”

From this document, p. 1
Full summary & key findings

Russia, China, and Iran are using covert and overt influence to sway voters, deepen discord, and erode confidence in the 2020 US elections, this National Intelligence Council assessment judges — but wide-scale vote manipulation would be hard to pull off and would likely be caught by audits and paper trails. Russia is denigrating former Vice President Biden through Kremlin-directed proxies including Derkach and Kilimnik, who spread Ukraine/Burisma corruption claims, while the Lakhta Internet Research troll farm and Russia's SVR and GRU intelligence services pay authors on English-language platforms such as "United World International"; some Kremlin-linked actors boost President Trump online. China prefers Trump lose but probably calculates a concerted effort would backfire; a state-linked newspaper first publicly warned of economic costs affecting state and congressional races. Iran's Khamenei-authorized campaign spreads anti-Trump disinformation, and Iranian-contract hackers tried to breach an election-infrastructure company's server in January. The assessment also covers Turkish influence efforts, April ransomware against a Virginia county vote registrar, Merkel, and Saudi Crown Prince Muhammad Bin Salman, though redactions are heavy throughout.

  • The IC judges Russia, China, Iran, and many nonstate actors have the capability to compromise US election infrastructure, but it would be difficult for them to manipulate voting processes at scale and without detection.
  • Russia is using a range of measures primarily to denigrate former Vice President Biden; President Putin and senior Russian officials oversee proxies — Derkach, Kilimnik, and others — spreading claims tying Biden to Ukraine and energy firm Burisma, and some Kremlin-linked actors are boosting President Trump's candidacy on social media.
  • Russian proxy figures are conspiring to orchestrate a high-profile corruption scandal implicating Biden and the Democratic Party at the peak of the 2020 campaign, aiming to defeat Biden and ensure the President's victory; Russian actors have circulated voter-fraud narratives about mail-in balloting and called some US primaries 'rigged' by the Democratic Party.
  • Since last year the Lakhta Internet Research (LIR) troll farm, Russia's SVR, and the GRU have employed cadres of US and other foreign authors to create anti-American political content on English-language news platforms, including 'United World International.'
  • As of June 2020, a (redacted) actor reconnoitered multiple state and local government websites for unknown purposes; in July a commercial cybersecurity company believed a (redacted) actor may have targeted a US political organization, probably unsuccessfully.
  • China prefers that President Trump — seen by Beijing as unpredictable and tough on China — not win reelection, but Beijing did not intend to try to affect the election (surrounding context redacted) and probably calculates a concerted influence effort would risk backfiring; a newspaper owned by a (redacted) Chinese entity issued the first observed public warning that Beijing is willing to impose economic costs that could affect US state and congressional races.
  • Beijing has expanded cyber collection related to the 2020 elections through opportunistic intrusions against US private-sector entities to collect information on candidates, campaigns, donors, and voter data.
  • Boxed assessment on election infrastructure: hostile actors could exploit Internet-connected systems (voter registration databases, pollbooks, election officials' websites) and could manipulate vote-counting systems such as voting machines on a localized basis, but wide-scale coordination would be difficult and post-election audits and paper trails would most likely uncover such efforts in nearly all US states; cyber operations against electronic tabulation reporting could delay reporting but probably not affect the integrity of certified results.
  • Iran, whose influence campaign Supreme Leader Khamenei probably authorized, is working to undermine the President and divide the country; in January 2020 Iranian-contract cyber actors tried to compromise a server of a US business involved in election infrastructure (FBI helped remediate), and in June Google announced Iranian-linked actors unsuccessfully spearphished Trump campaign staffers' email accounts.
  • Over the past two years social media companies removed thousands of Iranian-origin inauthentic accounts, some linked to the Iranian Government, including accounts that impersonated a candidate in 2018.
  • Turkey: senior officials including President Erdogan have sought to covertly influence US politicians; over the past year Ankara's efforts included covert funding of US municipal election campaigns, unregistered lobbying, and state-owned-outlet social media messaging.
  • In April, unidentified actors used ransomware to compromise the computers of a Virginia county administrator and vote registrar; German Chancellor Merkel cited the 2020 election as a 'risk factor' for the EU in June, and in mid-2019 Saudi Crown Prince Muhammad Bin Salman worried Riyadh would lose US support if the President lost.
View original PDF 1.8 MB · 8 pp
Central Intelligence Agency July 1, 2020 2 pages

China: Cyber Activities Probably Prelude to Election Espionage (WIRe, WIRe2020-05063)

CLASSIFICATION REDACTEDintelligence assessmentmoderate redactions

This July 2020 CIA analysis reports that Chinese government hackers had been spying on every US presidential campaign since at least 2008, and that year targeted the former Vice President's campaign, sending fake emails with hidden tracking links to staffers' Gmail accounts. Google announced the targeting on June 4, 2020, and said the attempts failed. The report concludes China was gathering intelligence, not trying to sway the election.

“China is probing the presidential campaign for opportunities to tailor collection and gather insight on policy positions on US-Chinese issues.”

From this document, p. 1
Full summary & key findings

The CIA assessed in July 2020 that China was probing a US presidential campaign to tailor its intelligence collection and gain insight into US-China policy positions, noting Chinese cyber actors have targeted every US presidential election campaign since at least 2008. The article, written jointly with the FBI and NSA, reports that since 2018 the hacking group known as APT31 targeted personal email accounts of senior US leaders — White House officials, high-ranking Executive Branch figures, Congress, and the federal judiciary — while a separate effort dating to 2017 identified officials' email addresses and arranged for passwords to be cracked. Detected targeting of the former Vice President's campaign was the cycle's first direct campaign hit: as of 20 May, APT31 had sent spear-phishing emails with tracking links to staffers' Gmail accounts; Google announced it on 4 June and, with the FBI, briefed the campaign, calling the attempts unsuccessful. Chinese actors also harvested data from voter databases, a polling firm, political groups, and fundraisers. The CIA judged China did not then intend to covertly sway the outcome, though the tracking-link method suggested mapping targets for follow-on military signals-intelligence collection.

  • Chinese cyber actors have conducted collection activity against every US presidential election campaign since at least 2008; US policy on China is described as a longstanding high collection priority for Beijing (sourcing redacted except "open-source reporting").
  • Since a redacted date in 2018, Chinese cyber actors known in the private sector as APT31 targeted the personal e-mail accounts of senior US leadership, including officials in the Executive Office of the President, high-ranking officials in multiple Executive Branch organizations, Congress, and the federal judiciary.
  • Since 2017, a separate (redacted) entity worked with a (redacted) partner to enable stealthier operations by identifying e-mail addresses of high-level US officials, then requesting that a (redacted) party obtain or crack the passwords for targeted accounts.
  • The IC detected Chinese state-sponsored cyber actors targeting the former Vice President's presidential campaign, probably to gather intelligence enabling future operations — described as the first instance in the 2020 election cycle of direct targeting of a US presidential campaign.
  • The IC assessed China did not currently intend to covertly interfere to sway the election outcome, but the activity could enable such operations if Beijing decided to do so.
  • As of 20 May (2020), APT31 actors had sent spear-phishing e-mails containing tracking links to the Gmail accounts of staffers associated with a presidential campaign; on 4 June, Google announced APT31 was targeting the campaign.
  • Google and the FBI both briefed campaign officials shortly after discovering the activity; Google officials publicly stated the spear-phishing attempts were unsuccessful (a follow-on clause is redacted).
  • During the past year, Chinese cyber actors collected US election-related information from US voter databases, a polling data company, political and nonprofit organizations, fundraisers, and advisory organizations for political campaigns.
  • The article assesses APT31's tracking-link method suggests operators were mapping the target network for follow-on approaches, possibly tasking campaign staffers' e-mail accounts in the Chinese military's signals intelligence system for collection; tracking links collect metadata such as internet activity and system information usable to exploit accounts and identify other targets.
  • Opening a spear-phishing e-mail with a tracking link — even without clicking links — would confirm an active account, potentially narrowing the target set for future (redacted) operations; knowledge of a victim's operating system and software would let actors decide between exploiting known vulnerabilities or developing malware.
  • The product was produced jointly under the auspices of the Chief of Analysis, a redacted entity, the FBI, and the NSA; document details list Produced By: CIA, Product Type: World Intelligence Review, Document Number WIRe2020-05063, Publication Date 01 Jul 2020.
View original PDF 510 KB · 2 pp
ODNI/National Intelligence Council December 23, 2021 1 page

Email: "Everyone's favorite topic" (NIO-Cyber on inconsistent IC characterization of Chinese election-influence unit)

CLASSIFICATION REDACTEDemailmoderate redactions

In this December 2021 email, a senior U.S. intelligence official questions why agencies labeled a Chinese unit's activity "election influence" abroad but only "issue influence" in the U.S. during 2020, writing that it was "the same personnel doing the same kind of activity." The author calls the inconsistency "a weird coincidence" worth flagging for oversight. A sentence beginning "FBI and" is fully blacked out.

“That's a weird coincidence, and one we should highlight for oversight.”

From this document, p. 1
Full summary & key findings

The intelligence community's top cyber officer accused an unnamed report of inconsistency: using "some of the same intel and logic used in 2020" — which then concluded certain Chinese units were NOT engaged in election influence, only "issue-focused" activity — to now argue China IS influencing a (redacted) election. In this December 23, 2021 email, subject "Everyone's favorite topic," the National Intelligence Officer for Cyber at the Office of the Director of National Intelligence's National Intelligence Council notes the report attributes a redacted unit's activity to "the Chinese military," even though in 2020 the intelligence community said it did not know who it was. The author says this is the same unit that he and another (redacted) colleague — in a minority report dissenting from the mainline 2020 assessment — said was influencing the US 2020 election, calling it "a weird coincidence" worth flagging for oversight. He asks on what "logical, non-partisan basis" identical activity by "the same personnel" counts as election influence abroad but only "issue influence" in the US; a follow-on point beginning "FBI and" is fully redacted.

  • The email's author, the ODNI/National Intelligence Council National Intelligence Officer for Cyber, critiques an unnamed report for using "some of the same intel and logic used in 2020" — which then said the same units were NOT engaged in election influence, only issue-focused — to now argue China IS influencing a (redacted) election.
  • The report allegedly cites a (redacted) unit's activity as being "the Chinese military" even though, per the author, "in 2020 the IC said we didn't know who it was."
  • The author states the report describes the same unit that the author and another (redacted) person said was influencing the US 2020 election, and now characterizes it as an election-influence unit attributed to the Chinese Government.
  • The author calls this "a weird coincidence, and one we should highlight for oversight."
  • The author says the report "literally cite[s] as support for their argument some of the same reporting used in the mainline assessment in our minority report" — indicating the author co-authored a minority report dissenting from the mainline 2020 assessment.
  • The author questions the "logical, non-partisan basis" for IC calls: the unit's activity in two redacted foreign contexts is labeled election influence "to promote China's interests," but in the US it is labeled "issue influence" and "somehow not election-related."
  • The author asserts: "It's the same personnel doing the same kind of activity."
  • A follow-on point beginning "FBI and" is entirely redacted.
  • Email dated Thursday, December 23, 2021 12:52:29 PM; sender, To, and Cc lines are redacted; classification block (Classification, Classified By, Derived From, Declassify On) is redacted.
  • The document bears the stamp "DECLASSIFIED BY PRESIDENT TRUMP on 3 July 2026" (appearing twice at the top of the page).
View original PDF 191 KB · 1 pp
Federal Bureau of Investigation, Counterintelligence Division December 30, 2020 2 pages

FW: ICA Comments — FBI Comments on ICA Minority View (Floris email, 30 December 2020)

CLASSIFICATION REDACTEDemailmoderate redactions

In this December 30, 2020 email, a senior FBI counterintelligence official objects to a dissenting opinion in an intelligence report on election interference. She writes that claims that China's leaders intended to influence U.S. candidates or encouraged protests lack evidence and are "extremely misleading," calling equal analytic standards "an absolute red line." A forwarding official wonders whether the FBI is backtracking or just commenting for the record.

“we firmly believe the analysis in said text box must comport to the same analytic standards as the rest of the ICA. This is an absolute red line for the FBI.”

From this document, p. 1
Full summary & key findings

The FBI drew "an absolute red line" against a dissenting minority view in the intelligence community's post-2020-election assessment, demanding it meet the same analytic standards as the rest of the document and opposing its inclusion in the Key Judgments. In this December 30, 2020 email, FBI Counterintelligence Division Deputy Assistant Director Nikki L. Floris (with Tonya Ugoretz copied) wrote that the National Intelligence Officer's claim that China's leaders "intended" efforts to indirectly affect US candidates lacks evidence and is "extremely misleading" — the intelligence community had found only awareness of potential effect, not intent. Floris also objected that dubious clandestine and foreign-partner reporting was weighted equally with signals intelligence on senior Chinese diplomatic and intelligence figures, that the claim China "may" have encouraged protests misrepresents underlying reports, and that the dissent's collection-gaps argument actually concedes Chinese restraint. She called the Iran section edits "much improved." Forwarding the message, the National Intelligence Council's election-threat director noted FBI Director Wray had already signed off on the text and questioned whether the FBI was "backtracking or just commenting for the record."

  • FBI Counterintelligence Division DAD Nikki L. Floris sent formal FBI comments on the updated ICA draft on Wednesday, December 30, 2020 at 1:42 PM, all centering on the ICA's minority (dissent) view; Tonya Ugoretz was cc'd.
  • FBI stated it was fine with including a minority-view textbox but declared it 'an absolute red line' that the textbox analysis must comport to the same analytic standards as the rest of the ICA.
  • FBI did not support including the minority view in the Key Judgments (KJs), arguing that without proper context and source descriptions the minority view 'is given parody to the ICA assessments.'
  • FBI disputed the NIO's first-paragraph claim that China's leaders 'intended' some of Beijing's efforts to indirectly affect US candidates, saying the IC has repeatedly stated, based on a body of intelligence, there is no evidence of that intention — only awareness of the potential effect — and calling the NIO's statement 'extremely misleading.'
  • FBI objected that the NIO gave more weight to several clandestine and liaison reports without any source descriptions, equating dubious-credibility US/liaison reporting with signals intelligence of identified senior Chinese diplomatic and intelligence figures and with generally reliable clandestine reporting on Beijing decision-making.
  • FBI said the NIO's assessment that China 'may' also have encouraged protests has no evidence in the reporting and the associated citations do not support it, calling it 'highly misleading and a misrepresentation of the underlying reports.'
  • FBI argued the dissent's final paragraph on collection gaps effectively acknowledges IC collection demonstrated that China's leaders practiced restraint and did not intend to influence the outcome of the election, and reiterated that 'citing the absence of evidence is an absolute red line for us.'
  • The forwarding NIC official (Director, Election Threat Analysis, NIC/DNI Election Threat Executive) noted FBI had previously said Director Wray signed off on the ICA text, with the only subsequent changes being downgrades of (redacted) reporting and the DNI's minor initial edits, and questioned whether FBI was 'backtracking or just commenting for the record.'
  • Floris noted the Iran section edits were 'much improved,' that she would be out of office the next day with 'Cynthia' available, and the team back 'in full force Monday.'
  • The document was declassified by 'COUNSEL TO THE PRESIDENT WARRINGTON' on 10 July 2026; all classification markings, recipient names, and FBI contact details (Open, NSTS, FBIHQ room number) remain redacted.
View original PDF 616 KB · 2 pp
Citations

References

Documents cited in the narrative and timeline above. Each reference links to the document’s entry on this page and its original PDF.

  1. (U) Summary of Select Intelligence Reporting from 2004-2020 on Venezuela's Electronic Voting Manipulation Capabilities — Central Intelligence Agency · June 29, 2026 · 6 ppPDF
  2. Vulnerabilities in US 2020 Election Infrastructure (NICM 2020-003) — National Intelligence Council for Cyber · January 15, 2020 · 5 ppPDF
  3. Foreign Threats to 2020 US Federal Elections (NICA 2020-06885D) — National Intelligence Council · August 19, 2020 · 8 ppPDF
  4. China: Cyber Activities Probably Prelude to Election Espionage (WIRe, WIRe2020-05063) — Central Intelligence Agency · July 1, 2020 · 2 ppPDF
  5. Making the Case That China Has Taken Some Steps to Influence the Presidential Election (NICM 2020-09381) — National Intelligence Council · October 16, 2020 · 7 ppPDF
  6. FW: ICA Comments — FBI Comments on ICA Minority View (Floris email, 30 December 2020) — Federal Bureau of Investigation, Counterintelligence Division · December 30, 2020 · 2 ppPDF
  7. Email: "Everyone's favorite topic" (NIO-Cyber on inconsistent IC characterization of Chinese election-influence unit) — ODNI/National Intelligence Council · December 23, 2021 · 1 ppPDF
  8. Election Report (CISA) — Cybersecurity and Infrastructure Security Agency, Department of Homeland Security · July 13, 2026 · 6 ppPDF