SAN JUAN, Puerto Rico (AP) — A group of state election officials is urging the nation’s cybersecurity agency to revise a draft rule that would require election offices to disclose suspected cyberattacks to the federal government, casting the mandate as too burdensome on overworked local officials.
The new rule is the result of a 2022 federal law that directed the U.S. Cybersecurity and Infrastructure Security Agency to develop regulations that require certain entities to report potential cybersecurity breaches or ransomware attacks to the agency. Election offices fall under the requirement because their systems are considered critical infrastructure, along with the nation’s banks, nuclear power plants and dams.
In a letter, the executive board of the National Association of Secretaries of State asked CISA to consider making the rule voluntary, limiting the types of information requested and more clearly defining what types of cyber incidents would trigger a report. The proposed rule says state and local election offices must report suspected breaches within 72 hours.
The association is holding its summer conference this week in Puerto Rico, and some state election officials have been discussing their concerns directly with CISA Director Jen Easterly, who is attending. Easterly said in an interview Wednesday that she has been reviewing the group’s letter along with comments submitted individually by state election officials. She said her agency would consider the feedback and adjust as necessary.
The rule is not expected to be finalized until sometime next year.
“CISA was stood up to largely be a voluntary agency, and it’s our magic. It is how we’ve been able to build success,” Easterly said, noting the agency held multiple sessions to gather feedback. “We’re taking all the comments on board. We will integrate them into the final rule.”
Utah Lt. Gov. Deidre Henderson, who oversees elections in the state, said she was concerned about federal intrusion into state responsibilities. She said states must operate independently of the federal government in administering elections.
“It’s one thing to regulate. They’re regulators; we are operators,” she said. “We actually have to perform these functions. And that rule is an overreach.”
West Virginia Secretary of State Mac Warner agreed, saying CISA had gone too far in drafting the rule.
“Let’s work together in solving this, but don’t come out with edicts and say you must do this, you must report,” Warner said.
Federal overreach?
Minnesota Secretary of State Steve Simon said he would encourage agency officials to take a measured approach, saying he understood why it was important for CISA to collect the information.
“But I just think they need to be careful about the scope and extent of the request,” Simon said. “This can’t be too prescriptive, too granular, and it can’t impose too great a burden. Otherwise, they’re unlikely to get the compliance that they want.”
Kentucky Secretary of State Michael Adams said the proposal was too broad and would create a burden on local election offices that already are overworked and underfunded.
“If they really push this point, they will undo all the good they’ve done with their relationship building. And I think they’ll contribute to the argument that’s already out there that the federal government’s coming to take over our elections,” Adams said.
He said his relationship with CISA has been positive and expressed appreciation of the agency’s work to help local election officials in his state boost cybersecurity awareness and provide training.
“What I don’t want to see is for CISA to treat my staff, my office, like another federal agency where they expect us to report to them,” Adams said. “They’re at their best when they are responsive to us and what we need versus trying to be another top-down federal agency.”
Protecting the nation’s election systems has been a major focus since 2016, when Russia scanned state voter registration systems looking for vulnerabilities. That prompted the Obama administration in early 2017 to add election systems to the list of the nation’s critical infrastructure.
Experts continue to warn that Russia, China, Iran and others remain interested in seeking to undermine U.S. elections.