FBI will notify states when election systems are breached

The internal policy change is meant to increase "visibility and transparency" around voting system intrusions during the 2020 election cycle.

FBI Headquarters (Photo by Kristi Blokhin/Shutterstock)
 

The FBI announced plans to expand its victim notification policy to ensure state officials are briefed when election infrastructure located in their state but owned by local jurisdictions suffer a cyber-intrusion.

In a press briefing with reporters, a senior FBI official who spoke on background said the internal policy change was meant to increase "visibility and transparency" about similar intrusions for the 2020 elections.

"If the FBI only notifies a local election official of a cyber threat, it may leave the state election official with incomplete knowledge about the threat landscape surrounding the integrity of the elections in their state," the official said. "So we wanted to work towards creating a policy that really respected the rules and authorities at both the state and local level."

The shift comes in the same week the top election security executive at the Office of the Director of National Intelligence acknowledged criticisms that information shared by the government about Russian hacking threats in 2016 had "a lack of context and specificity" and said she was "committed" to ensuring the Intelligence Community does a better job informing stakeholders leading up to the 2020 elections.

Under the new policy, the FBI will conduct briefings with each state's designated chief election official at or around the same time they notify officials for the local jurisdiction, and any delay in notification would require sign off by FBI division leaders. However, the new policy would not inform states when a private election vendor operating in their state is breached. Such companies often sell and manage much of the software and IT infrastructure used to conduct elections and keep track of voters.

It would also continue to leave the decision of whether to notify the public or Congress about such breaches to the affected states and counties. In some cases, when the national security consequences of a private sector breach are particularly grave, the FBI might consider additional disclosures, but officials did not provide further explanation of when beyond saying it would be "unusual."

"Our decision that we're going to continue to notify victims and only victims when we're working with them, that's not to say there aren't other notifications that aren't appropriate, it's not to say that other people shouldn't learn, it's just to say that we aren't probably the best messenger," said a senior Department of Justice official. "Recognizing that there's a legitimate public interest perhaps, it may be the states that should answer that call and tell…whoever they decide they should tell, whether it's the public, parts of their government, a congressional delegation, what have you."

Such notifications will also take place in conjunction with the Cybersecurity and Infrastructure Security Agency and other federal agencies "whenever possible," though officials said in some cases speed may be so important that this is not possible.

Rep. Stephanie Murphy (D-Fla.), who cosponsored legislation last year that would require the Secretary of Homeland Security to notify state and local officials and members of Congress when there's credible evidence of an unauthorized intrusion into election systems, welcomed the news but said the FBI didn't go far enough.

"I will continue to push for federal officials to provide more information to the voting public when foreign powers interfere with our democracy," Murphy said in a statement. "Our citizens will then be in a position to check their voter registration data to confirm it wasn’t tampered with and to hold accountable state and local officials who fail to protect election infrastructure."

Murphy's bill has 35 cosponsors drawn from both parties, but hasn’t moved past the committee stage since being introduced last summer.

During the 2016 election cycle, voter registration systems for two Florida counties were breached by Russian hackers, but it took nearly three years before the FBI told state and congressional officials which ones in a May 2019 briefing. Even then, those officials were prohibited from publicly disclosing what they were told or identifying the hacked counties.

While officials did not directly cite the Florida incident, they acknowledged that the policy change came after gaining greater familiarity with how election infrastructure is dispersed across many different stakeholders and jurisdictions.

"All of us who do this work have learned more about election law and how states are organized and how state and local authorities might have different procedures…and so in looking at our experience over the last couple of years, we see that we can't treat every state the way we would treat a large company, where we think of it as entirely unified organization," the DOJ official said. "When we think about who the victim is, there's a politically accountable official somewhere in that state who is going to have to sign on to certifying those results, and when we think about that, we think that person needs to have some insight into the potential threats that might undermine the integrity or perceived integrity of those results."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.