Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

FBI Plans to Notify States About Local Election Breaches

The FBI, in a change of policy, is committing to inform state officials if local election systems have been breached, federal officials said Thursday.

The FBI, in a change of policy, is committing to inform state officials if local election systems have been breached, federal officials said Thursday.

In the past, the FBI would alert local governments about attacks on their electoral systems without automatically sharing that information with the state. That meant state officials, left in the dark, might be in a position of certifying the accuracy of election results without realizing there had been problems in individual counties. Alerting local governments about breaches, but not the states, was in keeping with FBI policy of protecting the privacy and identities of the actual hacking victim.

Now, though, the FBI will notify both counties victimized by breaches as well as the state’s chief election official — in most cases, the secretary of state. Under the new policy, that notification is to be done in person. The state will be notified either simultaneously or around the same time, officials said Thursday.

The change is intended to bolster federal-state cooperation, which has often been difficult on electoral issues, and is one of several government efforts to rethink how information about cyber threats is shared and with whom. It may also ease concerns of local officials who in the past have complained about the lack of information they’ve received from the federal government, though cooperation has improved ahead of the 2020 election with concerns that Russia or another nation could try to tamper with the vote.

The policy change was shared with state officials on Thursday and made public later in the day. Senior officials from the FBI and Justice Department described the outlines of it to The Associated Press ahead of the formal release on condition of anonymity.

State elections officials praised the change, saying the notifications are essential to securing elections in their states. The secretaries of state in Ohio, Colorado and West Virginia issued a joint statement calling it a “good step forward in protecting” elections.

California Secretary of State Alex Padilla told The Associated Press that state election officials play an important role in supporting local election officials.

“It’s imperative that we work together not just in the proper administration of elections but in the proper security of elections,” Padilla said. “It’s us at the state level that can connect dots if things are happening in multiple jurisdictions in our state.”

Advertisement. Scroll to continue reading.

Federal officials say their goal is to sound the alarm louder and at higher levels of government than in past years, ensuring that information about efforts to interfere in the election reaches the state officials who need it the most and who have the best resources to deal with it. That is especially important since federal officials believe Russian agents in 2016 searched for vulnerabilities within election systems in all 50 states.

Though the policy change means that a broader audience of government officials will learn of any intrusion, it does not guarantee that the American public will as well.

FBI officials say they will continue to protect the privacy of individual hacking victims, including governmental offices or local elections systems, by not sharing their identities with the public. It will remain up to electoral officials to disclose if they’ve been hacked, or if they are working with the FBI.

That stance has been a source of contention between federal law enforcement and state and local officials. The public still does not know, for instance, which two Florida counties were breached by Russian agents in 2016 and members of the congressional delegation said they were barred by federal officials from sharing that information following a briefing they attended.

Florida Gov. Ron DeSantis said last May that he was frustrated when he saw a reference to the Florida hacking in special counsel Robert Mueller’s report on Russan interference in the 2016 election. DeSantis said he signed an agreement with the FBI not to disclose the names of the two counties where hackers gained access to the voting database and that his predecessor as governor did not have access to the information.

Rep. Stephanie Murphy, a Florida Democrat, has co-sponsored bipartisan legislation that would compel reporting among federal, state and local officials and to voters potentially affected by a breach. On Thursday, she called the FBI’s announcement welcome but not enough and said she would continue to push for federal officials to release more information when foreign powers interfere with the election.

“Our citizens will then be in a position to check their voter registration data to confirm it wasn’t tampered with and to hold accountable state and local officials who fail to protect election infrastructure,” Murphy said in a statement.

Another sponsor of the bill, Republican Rep. Michael Waltz, praised the new policy but said he would “continue to press for voters to be eventually included.”

The FBI policy does not cover more routine cyber activity, such as scanning for network vulnerabilities. But it would extend to sophisticated spear-phishing campaigns, aimed at tricking employees into giving up their log-in credentials, and other acts that officials see as particularly alarming and think must be communicated both to the county and the state.

The policy comes two months after the Office of the Director of National Intelligence released a broad framework for how and in what circumstances to notify the public about foreign election interference, laying out general considerations for the government to take into account.

When it comes to notifying states, one FBI official told the AP there was confusion in the past about who was receiving information and in what circumstances — issues the new policy is meant to address. The official said the policy is meant to ensure that one party does not hear it from the other before hearing it from the federal government.

Related: Securing the 2020 Elections From Multifarious Threats

Related: New Election Systems Use Vulnerable Software

Related: Key Senate Panel Approves $250 Million for Election Security

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.