Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Election officials push back against draft federal rule for reporting potential cyberattacks

A group of state election officials is urging the nation’s cybersecurity agency to revise a draft rule that would require election offices to disclose suspected cyberattacks to the federal government, casting the mandate as too burdensome on overworked local officials

Christina A. Cassidy
Wednesday 10 July 2024 18:11 EDT

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A group of state election officials is urging the nation’s cybersecurity agency to revise a draft rule that would require election offices to disclose suspected cyberattacks to the federal government, casting the mandate as too burdensome on overworked local officials.

The new rule is the result of a 2022 federal law that directed the U.S. Cybersecurity and Infrastructure Security Agency to develop regulations that require certain entities to report potential cybersecurity breaches or ransomware attacks to the agency. Election offices fall under the requirement because their systems are considered critical infrastructure, along with the nation’s banks, nuclear power plants and dams.

In a letter, the executive board of the National Association of Secretaries of State asked CISA to consider making the rule voluntary, limit the types of information requested and more clearly define what types of cyber incidents would trigger a report. The proposed rule says state and local election offices must report suspected breaches within 72 hours.

The association is holding its summer conference this week in Puerto Rico, and some state election officials have been discussing their concerns directly with CISA Director Jen Easterly, who is attending. Easterly said in an interview Wednesday that she has been reviewing the group’s letter along with comments submitted individually by state election officials. She said her agency would consider the feedback and adjust as necessary.

The rule is not expected to be finalized until sometime next year.

“CISA was stood up to largely be a voluntary agency, and it’s our magic. It is how we’ve been able to build success,” Easterly said, noting the agency held multiple sessions to gather feedback. “We’re taking all the comments on board. We will integrate them into the final rule.”

Utah Lt Gov. Deidre Henderson, who oversees elections in the state, said she was concerned about federal intrusion into state responsibilities. She said states must operate independently of the federal government on administering elections.

“It’s one thing to regulate the regulators. We are operators," she said. "We actually have to perform these functions. And that rule is an overreach.”

West Virginia Secretary of State Mac Warner agreed, saying CISA had gone too far in drafting the rule.

“Let’s work together in solving this, but don’t come out with edicts and say you must do this, you must report,” Warner said.

Minnesota Secretary of State Steve Simon said he would encourage agency officials to take a measured approach, saying he understood why it was important for CISA to collect the information.

“But I just think they need to be careful about the scope and extent of the request,” Simon said. “This can’t be too prescriptive, too granular, and it can’t impose too great a burden. Otherwise, they’re unlikely to get the compliance that they want.”

Kentucky Secretary of State Michael Adams said the proposal was too broad and would create a burden on local election offices that already are overworked and underfunded.

“If they really push this point, they will undo all the good they’ve done with their relationship building. And I think they’ll contribute to the argument that’s already out there that the federal government’s coming to take over our elections,” Adams said.

He said his relationship with CISA has been positive and expressed appreciation of the agency’s work to help local election officials in his state boost cybersecurity awareness and provide training.

“What I don’t want to see is for CISA to treat my staff, my office, like another federal agency where they expect us to report to them,” Adams said. “They’re at their best when they are responsive to us and what we need versus trying to be another top-down federal agency.”

Protecting the nation’s election systems has been a major focus since 2016, when Russia scanned state voter registration systems looking for vulnerabilities. That prompted the Obama administration in early 2017 to add election systems to the list of the nation’s critical infrastructure.

Experts continue to warn that Russia, China, Iran and others remain interested in seeking to undermine U.S. elections.

___

The Associated Press receives support from several private foundations to enhance its explanatory coverage of elections and democracy. See more about AP’s democracy initiative here. The AP is solely responsible for all content.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in