Home News 75% U.S. States and Territories Graded ‘C’ for Poor Cybersecurity

75% U.S. States and Territories Graded ‘C’ for Poor Cybersecurity

Cybersecurity meeting, Biden Administration and Tech Giants, Zero-Trust Model

A survey from cybersecurity firm SecurityScorecard revealed the overall security posture of all 56 U.S. states and territories, which are leading up to the presidential election. The survey “State of the States” found that over 75% of the states indicating signs of a vulnerable IT infrastructure. The U.S. states were ranked with grades, where grade C states are 3x more likely to experience a cyberattack and grade D are nearly 5x more likely to experience an attack.

Key Findings

  • 75% of the U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below; 35% have a ‘D’ and below
  • States with the highest scores include Kentucky, Kansas, and Michigan
  • States with the lowest scores include North Dakota, Illinois, and Oklahoma
  • Significant security concerns were observed, with two critically important battleground states, Iowa, and Ohio, both of which scored a ‘D’ rating.


The survey also highlighted that the states with lower scores are prone to phishing attacks and threats from third-party vendors. “These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments. For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections but save more lives,” said Rob Knake, the former Director for Cybersecurity Policy at the White House in the Obama Administration.

Mitigation Measures

SecurityScorecard also recommended certain practices for the U.S. states to defend against potential attacks. These include:

  • Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names, which can be subjected to typosquatting.
  • Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity.
  • States should establish clear lines of authority for updating the information on these sites that includes the two-person rule — no single individual should be able to update information without a second person authorizing it.
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems and ensure that vendors supplying equipment and services to the election process undergo stringent processes.