Election officials want changes to federal regulations on cyberattack reporting

SAN JUAN, Puerto Rico (AP) — A group of state election officials is urging the nation’s cybersecurity agency to revise a draft rule that would require election offices to report suspected cyberattacks to the federal government, saying the mandate is too burdensome for overworked local officials.

The new rule is the result of a 2022 federal law that directed the U.S. Cybersecurity and Infrastructure Security Agency to develop regulations requiring certain entities to report potential cybersecurity breaches or ransomware attacks to the agency. Election offices fall under the requirement because their systems are considered critical infrastructure, along with the nation’s banks, nuclear power plants and dams.

In a letter, the board of the National Association of Secretaries of State asked CISA to consider making the rule voluntary, limiting the types of information requested and more clearly defining what types of cyber incidents would trigger a report. The proposed rule would require state and local election offices to report suspected breaches within 72 hours.

The association is holding its summer conference in Puerto Rico this week, and some state election officials have raised their concerns directly with CISA Director Jen Easterly, who is in attendance. Easterly said in an interview Wednesday that she has reviewed the group’s letter, along with comments submitted individually by state election officials. She said her agency would consider the feedback and make adjustments as necessary.

The rule is not expected to be finalized until sometime next year.

“CISA was created as a largely volunteer agency, and that’s our magic. That’s how we’ve been able to succeed,” Easterly said, noting that the agency held multiple sessions to gather feedback. “We’re taking all the comments on board. We’re going to incorporate them into the final rule.”

Utah Lt. Gov. Deidre Henderson, who oversees elections in the state, said she was concerned about federal interference in state responsibilities. She said states should operate independently of the federal government in administering elections.

“It’s one thing to regulate. They’re regulators; we’re operators,” she said. “We have to actually perform these functions. And that regulation is an overreach.”

West Virginia Secretary of State Mac Warner agreed, saying CISA had gone too far in drafting the regulations.

“Let’s work together to solve this, but don’t come with edicts and say you have to do this, you have to report this,” Warner said.

Federal government force majeure?

Minnesota Secretary of State Steve Simon said he would encourage agency officials to take a measured approach, saying he understood why it was important for CISA to collect the information.

“But I just think they have to be careful about the scope and size of the request,” Simon said. “It can’t be too prescriptive, too detailed, and it can’t impose too great a burden. Otherwise, they’re unlikely to get the compliance that they want.”

Kentucky Secretary of State Michael Adams said the proposal is too broad and would burden local election offices, which are already overburdened and underfunded.

“If they really push this point, they will undo all the good they have done in building relationships. And I think they will contribute to the argument that is already there that the federal government is going to take over our elections,” Adams said.

He said his relationship with CISA has been positive and expressed appreciation for the agency’s efforts to help local election officials in his state increase their cybersecurity awareness and provide training.

“What I don’t want to see is CISA treating my staff, my office, like another federal agency where they expect us to report to them,” Adams said. “They’re at their best when they’re responsive to us and what we need rather than trying to be another top-down federal agency.”

Protecting the country’s election systems has been a major focus since 2016, when Russia began scanning the state’s voter registration systems for vulnerabilities, prompting the Obama administration in early 2017 to add election systems to the country’s list of critical infrastructure.

Experts continue to warn that Russia, China, Iran and other countries are still interested in undermining the US election.

Back To Top