AB 2281 establishes an Office of Elections Cybersecurity within the California Secretary of State. The office’s twin missions are to coordinate and harden cyber defenses for elections infrastructure across state and local government, and to monitor and counter false or misleading information about the electoral process that could suppress turnout or disrupt election administration.
The bill gives the office a broad coordinating role: sharing threat information with federal, state, and local partners; developing best practices in consultation with researchers and private organizations; building cyber incident response into election emergency planning; and identifying training and protective tools for county elections officials. It also requires the office to assess whether state resources must replace federal cybersecurity supports and to educate voters—especially new and unregistered voters—when misinformation appears.
At a Glance
What It Does
Creates an Office of Elections Cybersecurity within the Secretary of State with duties to coordinate threat information sharing, produce cybersecurity best practices, integrate incident response into election preparedness, and monitor/mitigate online misinformation about elections.
Who It Affects
Directly affects the Secretary of State’s office and county elections officials who run voter registration and voting systems; it also touches federal partners, academic researchers, private cybersecurity vendors, and digital platforms that host election-related content.
Why It Matters
Centralizing expertise and coordination changes how California will manage election cyber risk and misinformation response, fills gaps created by shifting federal support, and could raise new operational and legal questions about government involvement in online information environments.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 2281 sets up a dedicated Office of Elections Cybersecurity inside the Secretary of State. The bill assigns the office two primary missions: lower the risk and impact of cyber incidents that could affect elections, and detect and counter false or misleading information about the electoral process that might suppress turnout or disrupt administration.
The statute frames the office as a coordinating and advisory unit rather than as a regulator with enforcement powers.
To accomplish those missions, the office must share threat information with federal, state, and local partners while protecting sensitive material, and it must consult broadly—bringing in federal and local agencies, academic researchers, and private-sector organizations—to draft and publish cybersecurity best practices. The office is explicitly required to fold cyber incident response practices into election emergency preparedness plans, identify protective tools and training available to counties, and recommend statutory or regulatory changes to strengthen protections.The bill names specific internet-connected systems the office should prioritize for protection, including the state’s online voter registration system, the statewide voter registration database required by HAVA, the Secretary of State’s election-night results website, and the online campaign and lobbying filing system.
It also charges the office with assessing whether state funding or resources must replace cybersecurity supports previously provided by the federal government.On misinformation, the office must assess deceptive content about the electoral process, mitigate its spread, and provide accurate information to voters—targeting outreach to new and unregistered voters in particular. The text assigns the office a liaison role between the Secretary of State, other state agencies, federal partners, and local elections officials, making it the central node for both cyber defense coordination and public-facing corrective communications.
The Five Things You Need to Know
The bill establishes the Office of Elections Cybersecurity within the Secretary of State and makes it the primary coordinator for election-related cyber risk and information integrity efforts.
The office must protect specific internet-connected systems named in the statute: the online voter registration portal, the statewide voter registration database (HAVA), the Secretary of State’s election-night results website, and the online campaign and lobbying filing system.
AB 2281 requires the office to develop cybersecurity best practices in consultation with federal/state/local agencies, academic researchers, and private organizations, and to incorporate cyber incident response into elections emergency plans.
The office must assess whether additional state resources are needed to replace cybersecurity supports previously provided by the federal government, signaling an obligation to identify and report resource gaps.
The statute directs the office to monitor and mitigate false or misleading information about elections and to educate voters—explicitly prioritizing outreach to new and unregistered voters—though it does not grant authority to compel platforms to remove content.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Establishment of the Office
This subsection creates the Office of Elections Cybersecurity as an entity within the Secretary of State. Practically, that makes the office part of the existing administrative structure and subject to the Secretary’s direction and budget processes; the bill does not create a separate board or independent governance structure.
Primary Missions: Cybersecurity and Misinformation
Subdivision (b) defines two parallel missions: reducing the likelihood and severity of cyber incidents, and monitoring/counteracting online false or misleading information that could suppress turnout or disrupt election administration. Framing both missions together signals that the office will handle both technical defenses and public-facing information integrity work, which require different skill sets and operational approaches.
Information Sharing, Best Practices, and Emergency Preparedness
These clauses require timely sharing of threat information with federal, state, and local partners while protecting sensitive data, and mandate development of best practices in consultation with agencies, researchers, and private entities. They also require the integration of cyber incident responses into election emergency plans—meaning the office must produce operational guidance counties can adopt during an incident.
Resource Identification, Gap Assessment, and Advisory Role
The office must catalogue protective tools, training, and other resources available to counties and assess whether state resources are needed to replace prior federal support. The statute also gives the office an advisory role to recommend changes to state law, regulation, or policy—positioning it to influence longer-term legal and budgetary changes.
Liaison Duties and Systems to Protect
The office serves as the central liaison between the Secretary of State, other state agencies, federal partners, and local elections officials on cybersecurity issues. The statute lists specific internet-connected systems the office must protect, which narrows operational priorities and helps counties and vendors understand what gets prioritized for security reviews and resources.
Misinformation Assessment, Mitigation, and Voter Education
This provision charges the office with assessing false or misleading election-related content, mitigating that content, and educating voters—particularly new and unregistered voters—using authoritative information from county officials or the Secretary of State. The text tasks the office with corrective communications but stops short of defining mitigation tactics or granting enforcement authority over content hosts.
This bill is one of many.
Codify tracks hundreds of bills on Elections across all five countries.
Explore Elections in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- County elections officials — gain a central resource for threat intelligence, shared best practices, training, and tools that can strengthen local defenses and incident response.
- New and unregistered voters — the office must prioritize outreach and corrective information to reduce confusion and the risk of turnout suppression caused by misinformation.
- Secretary of State’s office — receives centralized expertise and a formal mechanism to coordinate statewide cybersecurity and misinformation responses, improving situational awareness and policy influence.
- Academic researchers and private cybersecurity firms — the statute institutionalizes consultation with these groups, creating opportunities for partnership, pilot programs, and procurement of services.
- Federal partners — benefit from a single state-level contact for coordination and information-sharing, which can streamline joint responses to cross-jurisdictional cyber threats.
Who Bears the Cost
- Secretary of State’s office — must staff and operate the new office and absorb coordination, reporting, and advisory work; the bill does not appropriate funding within the text.
- State budget and Legislature — if the office requires dedicated staff, technology, or ongoing programs, the Legislature will need to allocate funds or reassign resources to the Secretary of State.
- County elections officials — while they gain guidance and tools, counties will need to implement practices, incorporate new incident-response procedures, and coordinate with the office—work that consumes local staff time and resources.
- Elections technology vendors and platforms — may face increased technical or contractual expectations as the office identifies prioritized systems for protection and recommends changes to laws or procurement rules.
- Civil liberties and free-speech stakeholders — will bear reputational and legal costs from increased government involvement in monitoring and mitigating online information, potentially leading to litigation or advocacy campaigns.
Key Issues
The Core Tension
The central dilemma is practical and political: the state needs a centralized capability to protect election systems and combat misinformation, but giving a government office authority to monitor and mitigate online information risks encroaching on speech and privacy while creating significant operational demands—especially without defined funding, legal definitions, or enforcement tools.
AB 2281 gives the office wide-reaching coordinating and advisory duties but leaves several operational and legal details unresolved. The statute requires monitoring and mitigation of ‘false or misleading information’ without defining key terms or describing mitigation methods; that gap creates uncertainty about when the office should engage platforms, pursue takedowns, or rely on counter-messaging.
Similarly, the bill requires assessment of federal resource gaps but does not set reporting deadlines, metrics, or follow-up obligations—so identification of needs may not translate into funded action.
Information sharing is essential to cybersecurity, but the statute balances timeliness with protection of sensitive information only at a high level. Implementing secure intelligence exchanges across counties, state agencies, and federal partners will require technical standards, data-handling agreements, and staff trained in classified or restricted information management.
Finally, pairing technical cybersecurity work with corrective communications raises institutional design questions: the office will need both technologists and communications specialists, and blending those roles risks mission creep or conflicting priorities unless the Secretary of State clarifies governance, operational authorities, and resource lines.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.