FBI breach notice rules lauded by states, but some want more
A new FBI policy raises the question about who are the true victims of election systems breaches: local officials who supervise elections or the voters and candidates who depend on a trustworthy ballot?
- By Derek B. Johnson
- Jan 24, 2020
Primary voting in Ventura County, Calif. in 2016. (Photo credit: Joseph Sohm/Shutterstock.com)
Under a recent policy change, the FBI will notify states if local election systems are hacked, but some state officials and lawmakers want the feds to commit to informing a broader range of stakeholders.
The federal government, in particular the FBI, have taken heat for taking three years to notify the Florida state government and members of Congress that voter registration systems in two counties were breached by Russian hackers leading up to the 2016 elections. While U.S. officials have said they do not have any evidence that suggests voting machines or tallies were compromised, security experts say bad actors tampering with registration data can still sow confusion and wreak havoc on election day.
Alabama Secretary of State John Merrill said he and his counterparts in other states spent years pressing the federal government to notify states about local election hacks, arguing that many counties and municipalities lack the technical resources to effectively respond to a breach of their election systems.
"They're not in a position to give any attention to what was going on and to try to correct the issue, and so if [the feds aren't] contacting us, what's the value of calling anyone?" he told FCW. "And when we explained that to [the federal government,] they understood."
Officials in Ohio, Pennsylvania, Iowa and others states issued statements over the past week that were generally supportive of the shift, lauding the increasingly cooperative relationship that has built up between election stakeholders since the 2016 elections.
"This is a positive step in communications between the federal government and our states," said Iowa Secretary of State Paul Pate in a statement to FCW. "As Iowa's Commissioner of Elections, it's important I'm aware of any problems or attacks on our systems. We already require the counties to notify us."
Who are the real victims?
The FBI's new policy does not include notifying members of Congress or the public when a system is breached, though bureau and DOJ officials told reporters last week they might to do so in extenuating circumstances.
According to the FBI, the federal government does not prevent or inhibit states and localities from telling Congress or the public that one of their election systems have been hacked. Instead, it's left up to the victims to come forward.
"Victims who have been notified of cyber intrusions by the FBI are free to disclose that notification as they deem appropriate," an FBI spokesperson told FCW. "If the victims are provided classified information in addition to the notification, they cannot disclose the classified portions, but they are not prohibited from disclosing the existence of an intrusion."
Rep. Stephanie Murphy (D-Fla.) a former national security specialist at the Department of Defense who was first elected to Congress in 2016, told FCW she first learned of Russian hackers breaching Florida voter registration systems while reading Special Counsel Robert Mueller's report, nearly three years after the hacks are believed to have occurred.
Murphy and other members of Congress from the state didn't learn which counties were breached until May 2019, when they were briefed by FBI officials. Even then, they were told they could not publicly name the affected counties, both because the lawmakers were not considered victims and doing so could jeopardize sources and methods.
Murphy, who has sponsored legislation to require federal officials to alert Congress, states and the public about similar election-related breaches in the future, said that definition is insufficient.
"I disagree with them on this issue…I believe the victims are the voters," Murphy told FCW. "They deserve to know what happened and what their leaders are doing to prevent it from happening again."
She also argued that members of Congress ought to be considered victims when voter registration systems, e-pollbooks and other election software are hacked. In addition to being uniquely positioned to use the power of the purse, sanctions and their messaging platforms to respond to incidents and protect election infrastructure, they also rely on the very electoral process being targeted.
"State and local election officials hold elections that determine the fate of federal officials, and so it seems to me a matter of course that we would be notified if there was something awry with the way that elections were being held," she said.
A delicate balance
Connecticut Secretary of State Denise Merrill, who served as president of the National Association of Secretaries of State during the 2016 election, told FCW she "saw first-hand how frustrated my colleagues and I were by the lack of information we received from federal authorities." Still, she cautioned that deciding when to release information about a breach to the broader public would likely be determined on a case-by-case basis.
"There is a delicate balance between providing important information and creating a panic or making voters think that our elections aren't fair that election administrators have to weigh when deciding how to disclose problems of election administration like cybersecurity," she said in an emailed response to questions. "These decisions have to be made on an individual basis depending on the incident."
States also won't be informed under the new policy when a vendor who sells or manages election systems in their state suffers a breach of their company systems, though again officials said they reserve the right to do so in "unusual," national security-related circumstances.
That rankled some officials contacted by FCW.
"This is an information war and we're all engaged in it: voters, elected officials, state, local and federal officials, the vendors…this siloed approach towards information just empowers the adversary and it weakens our defense efforts, and I don't understand it at all," Murphy said of the omission.
Private tech and software companies build most of the nation's election systems and often manage them afterward through lucrative government contracts. They're viewed as prime targets for malicious hacking groups since their products and systems are often spread out over multiple states and jurisdictions and they generally operate with little regulatory oversight.
Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to Florida-based election vendor VR Systems inquiring whether a breach of their network by Russian hackers in 2016 asserted in the Mueller report might have been related to irregularities with the company's electronic pollbooks in several North Carolina districts on election day. Lawyers for VR Systems have denied the company was breached and asserted last year that the federal government has never told them otherwise.
"We need to know if our vendors are being compromised, just as we need to know if our own systems are under threat of compromise," said Denise Merrill.
John Merrill of Alabama said while he thought states should be informed when one of their vendors is hacked, federal officials may not always have complete visibility into a company's geographical footprint or how many systems may have been affected. His preference would be to leave the decision to disclose a hack up to the vendor, who he argued is best positioned to know the scope of an attack.
Asked if he trusted those companies to disclose their own breaches, Merrill argued the reputational damage they would incur from trying to cover it up would be devastating enough to act as a deterrent.
"This is the thing you have to remember: this is a small community of people and if they have a breach in the trust and confidence in the process…and people find them to be unreliable, they won't be in business very long and the business they have, they will lose," he said.