FBI to loop states into local election threats
- By Derek B. Johnson
- Jan 17, 2020
The FBI will brief state officials when local election infrastructure has been compromised, according to the bureau's announcement on expanding victim notification.
The new policy aims to keep state officials in the loop when municipalities suffer a cyber intrusion.
"If the FBI only notifies a local election official of a cyber threat, it may leave the state election official with incomplete knowledge about the threat landscape surrounding the integrity of the elections in their state," a senior FBI official who spoke on background said. "So we wanted to work towards creating a policy that really respected the rules and authorities at both the state and local level."
Under the new policy, the FBI will conduct briefings with each state's designated chief election official at or around the same time it notifies local officials.
However, the new policy would not inform states when a private-sector election equipment vendor operating in their state is breached. Such companies often sell and manage much of the software and IT infrastructure used to conduct elections and keep track of voters.
It would also continue to leave the decision of whether to alert the public or Congress about such breaches up to the affected states and counties.
"It's not to say that other people shouldn't learn [about compromises], it's just to say that we aren't probably the best messenger," a senior Department of Justice official said. "Recognizing that there's a legitimate public interest perhaps, it may be the states that should answer that call and tell … whoever they decide they should tell, whether it's the public, parts of their government, a congressional delegation, what have you."
Such notifications will also take place in conjunction with the Cybersecurity and Infrastructure Security Agency and other federal agencies "whenever possible," though officials said in some cases the need for rapid response may make that impossible.
During the 2016 election cycle, voter registration systems for two Florida counties were breached by Russian hackers, but it took nearly three years before the FBI told state and congressional officials. Even then, those officials were prohibited from publicly disclosing what they were told or identifying the hacked counties.
While officials did not directly cite the Florida incident, they acknowledged that the policy change came after gaining greater familiarity with how election infrastructure is dispersed across many different stakeholders and jurisdictions.
"We see that we can't treat every state the way we would treat a large company, where we think of it as entirely unified organization," the DOJ official said. "When we think about who the victim is, there's a politically accountable official somewhere in that state who is going to have to sign on to certifying those results. And when we think about that, we think that person needs to have some insight into the potential threats that might undermine the integrity or perceived integrity of those results."
A longer version of this article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.