Two members of the U.S. House of Representatives from Florida said Thursday they will introduce a bill that would require federal officials to inform Congress, state and local authorities and the public if an election-related computer system is hacked.
The measure, from Democrat Stephanie Murphy and Republican Michael Waltz, comes as a response to federal authorities’ refusal to publicly name the two Florida counties where voter registration databases were successfully breached by Russian military intelligence hackers during the 2016 presidential election.
Under the bill, text of which has not yet been released, federal law enforcement and cybersecurity authorities who detect unlawful access of election systems would be required to “promptly” notify the relevant state and local officials, as well as members of Congress representing the targeted jurisdiction. In turn, state and local officials would be obligated to notify any potentially affected voters.
“It is unacceptable that the Russians know which systems were hacked and not the Americans affected,” Murphy said in a press release. “When federal officials determine unauthorized users gain access to an elections system, local officials and the public have a right to know so they can respond.”
Murphy and Waltz know which counties had their voter files penetrated by a Russian spearphishing effort in 2016. The pair, along with the rest of Florida’s congressional delegation, received a classified briefing from the FBI last week, but were not authorized to share what they learned at the meeting. Florida Gov. Ron DeSantis was also briefed last week, and said he was asked to sign a nondisclosure agreement, which he called “unusual.”
The Florida hacking was publicly disclosed for the first time on April 18 in the report by Special Counsel Robert Mueller, who investigated foreign interference in the 2016 election. The breaches of the county voter databases were under a separate investigation by the FBI. One of the counties has been reported as Washington County, a 25,000-person jurisdiction on the Florida panhandle. The other remains unknown.
“The FBI’s notification protocol is inadequate and unacceptable,” Waltz said in the press release Thursday. “If we are going to have any success securing our elections, we need to know immediately whether or not an elections system has been compromised — and most importantly, the voters need to know too.”
The notification requirements in Murphy and Waltz’s bill may be redundant. Speaking on background, an official with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said that when it becomes aware of a potential intrusion on a network, it notifies the owner or operator and offers its technical support and expertise. The agency also shares anonymized information with its partners to help prevent similar attacks.
The Government Coordinating Council for elections systems also has established protocols for sharing information on threats and attacks. But details that would identify a victim are not shared without consent, in order to avoid discouraging organizations from voluntarily sharing information with CISA in the future, the official said.
FBI officials have said that naming the counties publicly could jeopardize their sources and methods of investigating cyberattacks. Murphy and Waltz’s offices said the bill features a “narrow exception” to alerting the public about an attempt to hack elections systems if doing so would undermine law enforcement or intelligence.