Election officials pen letter opposing new CISA draft rule

Some state election officials are pushing back against a draft rule by U.S. Cybersecurity and Infrastructure Security Agency that would require election offices to disclose suspected cyberattacks to the federal government within a set window, arguing that the security agency is demanding too much from understaffed offices.

The Associated Press reported Wednesday that the executive board of the National Association of Secretaries of State sent CISA a letter proposing the agency’s new rules be voluntary instead of mandatory, limit the types of information requested and more clearly define what types of cyber incidents necessitate a report.

Under the current draft rules, critical infrastructure agencies are mandated to report suspected breaches or “substantial” cyberattacks within 72 hours and ransom payments within 24 hours.

According to CISA, a “substantial” cyberattack involves unauthorized access leading to significant operational downtime or impairments. Minor cyber incidents, such as phishing attempts or unauthorized activities that do not result in a prolonged outage, need not be reported.

State and local election offices systems are considered critical infrastructure, along with the nation’s maritime ports, energy and agricultural sector, and therefore are subject to the mandated reporting requirement.

CISA is not expected to finalize the rules until next year.