FBI will notify states when election systems are breached

The FBI announced plans to expand its victim notification policy to ensure state officials are briefed when election infrastructure located in their state but owned by local jurisdictions suffer a cyber-intrusion.

In a press briefing with reporters, a senior FBI official who spoke on background said the internal policy change was meant to increase "visibility and transparency" about similar intrusions for the 2020 elections.

"If the FBI only notifies a local election official of a cyber threat, it may leave the state election official with incomplete knowledge about the threat landscape surrounding the integrity of the elections in their state," the official said. "So we wanted to work towards creating a policy that really respected the rules and authorities at both the state and local level."

The shift comes in the same week the top election security executive at the Office of the Director of National Intelligence acknowledged criticisms that information shared by the government about Russian hacking threats in 2016 had "a lack of context and specificity" and said she was "committed" to ensuring the Intelligence Community does a better job informing stakeholders leading up to the 2020 elections.

Under the new policy, the FBI will conduct briefings with each state's designated chief election official at or around the same time they notify officials for the local jurisdiction, and any delay in notification would require sign off by FBI division leaders. However, the new policy would not inform states when a private election vendor operating in their state is breached. Such companies often sell and manage much of the software and IT infrastructure used to conduct elections and keep track of voters.

It would also continue to leave the decision of whether to notify the public or Congress about such breaches to the affected states and counties. In some cases, when the national security consequences of a private sector breach are particularly grave, the FBI might consider additional disclosures, but officials did not provide further explanation of when beyond saying it would be "unusual."

"Our decision that we're going to continue to notify victims and only victims when we're working with them, that's not to say there aren't other notifications that aren't appropriate, it's not to say that other people shouldn't learn, it's just to say that we aren't probably the best messenger," said a senior Department of Justice official. "Recognizing that there's a legitimate public interest perhaps, it may be the states that should answer that call and tell…whoever they decide they should tell, whether it's the public, parts of their government, a congressional delegation, what have you."

Such notifications will also take place in conjunction with the Cybersecurity and Infrastructure Security Agency and other federal agencies "whenever possible," though officials said in some cases speed may be so important that this is not possible.

Rep. Stephanie Murphy (D-Fla.), who cosponsored legislation last year that would require the Secretary of Homeland Security to notify state and local officials and members of Congress when there's credible evidence of an unauthorized intrusion into election systems, welcomed the news but said the FBI didn't go far enough.

"I will continue to push for federal officials to provide more information to the voting public when foreign powers interfere with our democracy," Murphy said in a statement. "Our citizens will then be in a position to check their voter registration data to confirm it wasn’t tampered with and to hold accountable state and local officials who fail to protect election infrastructure."

Murphy's bill has 35 cosponsors drawn from both parties, but hasn’t moved past the committee stage since being introduced last summer.

During the 2016 election cycle, voter registration systems for two Florida counties were breached by Russian hackers, but it took nearly three years before the FBI told state and congressional officials which ones in a May 2019 briefing. Even then, those officials were prohibited from publicly disclosing what they were told or identifying the hacked counties.

While officials did not directly cite the Florida incident, they acknowledged that the policy change came after gaining greater familiarity with how election infrastructure is dispersed across many different stakeholders and jurisdictions.

"All of us who do this work have learned more about election law and how states are organized and how state and local authorities might have different procedures…and so in looking at our experience over the last couple of years, we see that we can't treat every state the way we would treat a large company, where we think of it as entirely unified organization," the DOJ official said. "When we think about who the victim is, there's a politically accountable official somewhere in that state who is going to have to sign on to certifying those results, and when we think about that, we think that person needs to have some insight into the potential threats that might undermine the integrity or perceived integrity of those results."