Election officials are seeking changes to the federal rule on reports of cyberattacks

SAN JUAN, Puerto Rico (AP) — A group of state election officials is calling on the country’s cybersecurity agency to revise a draft rule that would require election offices to disclose suspected cyberattacks to the federal government, making the mandate too burdensome for overworked local officials. .

The new rule is the result of a 2022 federal law that ruled US Cybersecurity and Infrastructure Security Agency to develop regulations that require certain entities to report potential cyber security breach or ransomware attacks against the agency. Electoral offices fall under the requirement because their systems are taken into account critical infrastructurealong with the country’s banks, nuclear power plants and dams.

In a letter, the board of directors of the National Association of State Secretaries asked CISA to consider making the rule voluntary, limiting the types of information requested and more clearly defining the types of cyber incidents that would trigger a report. The proposed rule says state and local election offices must report suspected violations within 72 hours.

The association is holding its summer conference this week in Puerto Rico, and some state election officials have discussed their concerns directly with CISA director Jen Easterly, who is attending. Easterly said in an interview Wednesday that she has reviewed the group’s letter along with comments submitted individually by state election officials. She said her agency would consider the feedback and adjust as needed.

The rule is not expected to be finalized until sometime next year.

“CISA stood up to be a largely voluntary agency, and that’s our magic. That’s how we’ve been able to build success,” Easterly said, noting the agency held several sessions to gather feedback. “We are taking on board all of the comments. We will incorporate them into the final rule.”

Utah Lt. Gov. Deidre Henderson, who oversees state elections, said she was concerned about federal intrusion into state responsibilities. She said states must operate independently of the federal government in administering elections.

“It is a matter to regulate. They are regulators; we are operators,” she said. “We actually have to perform these functions. And that rule is an abuse.”

West Virginia Secretary of State Mac Warner agreed, saying CISA had gone too far in drafting the rule.

“Let’s work together to solve this, but don’t come out with an injunction and say you have to do this, you have to report,” Warner said.

Federal overreach?

Minnesota Secretary of State Steve Simon said he would encourage agency officials to take a measured approach and said he understood why it was important for CISA to collect the information.

“But I just think they have to be careful about the scale and scope of the request,” Simon said. “This can’t be too prescriptive, too detailed, and it can’t be too burdensome. Otherwise, they’re unlikely to get the compliance that they want.”

Kentucky Secretary of State Michael Adams said the proposal was too broad and would create a burden on local election offices that are already overworked and underfunded.

“If they really push this point, they’re going to undo all the good they’ve done with their relationship building. And I think they’re going to add to the argument that’s already out there that the federal government is going to take over our elections,” Adams said .

He said his relationship with CISA has been positive and expressed appreciation for the agency’s work to help local election officials in his state raise cybersecurity awareness and provide training.

“What I don’t want to see is for CISA to treat my staff, my office, like another federal agency where they expect us to report to them,” Adams said. “They’re at their best when they’re responsive to us and what we need versus trying to be another top-down federal agency.”

Protect the nation’s electoral system has been a major focus since 2016, then Russia scanned state voter registration systems looking for vulnerabilities. That prompted the Obama administration in early 2017 to add election systems to the nation’s critical infrastructure list.

Experts continue to warn that Russia, China, Iran and others are still interested in trying to undermine American elections.

Back To Top