The FBI announced Thursday that it will begin notifying statewide election officials if voting infrastructure in any part of their states suffers a cyberattack, a shift from the bureau’s longstanding policy of only notifying local officials and vendors directly.
Previously, the FBI would only inform a local government or election-technology vendor if it had been hacked, consistent with an agencywide policy of only notifying cybercrime victims. But with the federal government and states expanding their collaboration on election security — and pressure from state officials wanting more information about threats against their systems — the bureau said it would make an exception for elections.
“We realized this traditional approach did not fit in the elections context,” a senior FBI official said on a conference call with reporters.
The official noted that while each state has a single person — usually a secretary of state or elections director — overseeing the voting process, including the final certification of results, most of the technology, including voting machines, vote tabulators and electronic pollbooks, is owned and operated locally.
“Given that dynamic, if the FBI only notified a local official of a cyberthreat, it may leave the state official with incomplete knowledge about the landscape surrounding the integrity of the election in their state. We wanted to work toward a policy that respects the authority of both the state and local level,” the FBI official said.
The bureau also said these state-level notifications will be “near-simultaneous” with those it delivers to actual targets. It also said it will be working more closely with the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security unit that’s taken the federal government’s lead role in detecting threats against election infrastructure.
Statewide officials have expressed displeasure with some of the way the federal government has kept them abreast of threats and breaches, though. West Virginia Secretary of State Mac Warner has said that state election chiefs had little to no input on a DHS framework for notifying states and localities about threats to their voting systems, CyberScoop reported. And the FBI was criticized last year for withholding the names of two Florida counties where Russian hackers successfully accessed voter data in 2016.
But Iowa Secretary of State Paul Pate told StateScoop that the FBI’s interactions with state election leaders has improved.
“This is a positive step in communications between the federal government and our states,” said Pate, who also serves as president of the National Association of Secretaries of State. “The FBI is an important partner in our goal to protect elections and we’re pleased with the progress in our relationship with them, the Department of Homeland Security and other federal entities.”
In addition, Pate said Iowa has statutes that require county officials to notify his office of any breaches.
The FBI also said Thursday that it will aim to make its notifications understandable to statewide officials who might not have the same technical expertise as an election vendor or technology official. A senior Justice Department official compared the new policy to how the FBI alerts corporations that have suffered data breaches.
“If you think about the context in which there might be a particularly serious breach, in getting the attention of the CEO, our goal is not to convey the same understanding the network manager,” the Justice official said. “The point of that conversation is to ensure the entity has an appreciation for what we think might be at stake and that it deserves the attention of senior individuals who are going to be on the hook for however that incident is handled.”
But the officials on Thursday’s conference call said it’s unlikely the new change will affect the FBI’s traditional policy of not confirming or denying details of its investigations to the public at large, though some lawmakers have pushed for the bureau to inform voters if election systems in their counties or states have been breached.
“All of this is welcome news, but it is not enough,” said Rep. Stephanie Murphy, D-Fla., who has sponsored legislation that would require the FBI to tell the public if election-related IT is hacked. “I will continue to push for federal officials to provide more information to the voting public when foreign powers interfere with our democracy”
CyberScoop’s Sean Lyngaas contributed reporting.