Security personnel charged with the challenging and high-stakes work of protecting election systems from digital threats might soon have another task on their to-do list: reporting any cyber incidents to the federal government.
That’s if election technology, designated critical infrastructure in 2017, falls under proposed rules requiring critical infrastructure owners and operators to notify federal officials about cyber incidents, such as attempted hacks and ransomware attacks.
The idea has surfaced again in a recent Stanford Internet Observatory paper authored by a former high ranking election security official who offered recommendations for election administration reform, ranging from increased funding to centralizing election IT infrastructure at the state level. The proposals are consistent with multiple bills under consideration in Congress, where momentum is building to require operators of critical infrastructure — pipeline owners, electrical grids, and other industries key to U.S. interests — to disclose yet-to-be defined cyber “incidents” to the Department of Homeland Security, FBI or officials who can quickly respond to cyberattacks.
It remains unclear whether the federal government could mandate that the roughly 10,000 election jurisdictions — ranging from small towns to counties to states — report cyber incidents. And if it could, questions abound about who should hold that responsibility at a time when partisan politics are testing trust in the electoral system.
“If the federal government doesn’t have that full visibility, having lived it, you’re just never sure what we are missing, what else could be out there,” said Matt Masterson, the top election security official at the Cybersecurity and Infrastructure Security Agency at DHS until December 2020.
The kind of threat data that matters
Masterson, also a former local elections official from Ohio and an Elections Assistance Commission commissioner, had a front-row seat to information sharing problems during the 2016 presidential elections, and the progress made leading into 2020. Rapid information sharing is key, he said, pointing to a high-profile incident of Iranian election meddling from October 2020.
In that case, hackers affiliated with the Iranian government sent a series of intimidating emails to registered Democratic voters in Florida purporting to be from the Proud Boys, a far right-wing group that supported former President Trump. News reports and government officials quickly determined the emails were crudely spoofed by Iranian hackers. Roughly 24 hours the operation was outed, information shared in both directions. Top US intelligence officials publicly outed the operation in a prime time press conference. In the days after, CISA released detailed technical and contextual information about Iranian threats to elections officials, including indicators officials could look for in their systems.
Three bills currently circulating in Congress would give the director of CISA, the Department of Homeland Security’s cyber wing, the responsibility of determining which critical infrastructure sectors would be included in a mandatory cyber incident reporting framework. A spokesperson for CISA referred questions to the legislators drafting the bills. Staffers for the various legislators told CyberScoop the details have yet to be worked out, but that it’s likely that a ransomware reporting requirement is currently the most likely requirement to become law.
The bills would also require notification to a host of congressional committees. One current state election official, who requested anonymity because of the politically fraught nature of the debate in their state, told CyberScoop that the election community would be more likely to support a mandate without a congressional notification requirement, which adds politics into an already combustible environment.
“Could Congress be a stakeholder? Maybe,” the official said. “But no one has really, truly told me what the value is, and why I need to be doing this, other than their own personal vanity of wanting to be notified of these things. I think part of that is partisanship.”
Masterson agreed, calling partisanship a “concerning” factor in the debate, and noting that the FBI and CISA already have “appropriate” protocols for briefing Congress.
Politically, election administrators’ jobs are becoming increasingly pressurized, so any incident could threaten their jobs, making reporting more precarious, the state official said.
Any federal election mandate is likely to meet stiff resistance from state and local election officials, who view elections as squarely state-run affairs.
Elections were designated as critical infrastructure in January 2017, following 2016 Russian election interference operations which, in part, targeted state and local election systems and election vendors. Some state officials chafed at what they interpreted as federal incursion over states’ matters. In 2016, for instance, the state of Georgia wrongly accused DHS of attempting to hack a state election network.
Meanwhile, election officials are under intense scrutiny amid rampant disinformation about the reliability of election procedure, security, and results. Some may fear the political fallout of any reports being made public through congressional leaks, the state election official said, though current bills propose shielding any information from public disclosure.
Ensuring that state and local officials are able to quickly share information about potential threats, ranging from foreign espionage to technical reliability “is critically important, and worth the pushback that may come from a mandate,” Masterson said.
State and local officials also grew frustrated after 2016 from the lack of information sharing from federal agencies, which in some cases took many months or years. In 2019, for instance, Florida Gov. Ron DeSantis announced that the FBI and DHS had briefed state officials on Russian penetration of two county election databases in 2016. During the announcement he called the lack of information sharing a “breakdown” that needed to be addressed going forward.
Avoiding issues on Election Day
Masterson acknowledged that frustration and noted that the current proposals would necessitate information flowing both ways.
“It’s really about getting that information into the system, turning it around, and pushing it back out so we can identify: Are there additional victims? Is there additional activity?” he said.
The state official also told CyberScoop that officials overseeing some small jurisdictions—which may have several dozen registered voters—may not have the technical expertise to notice cyber incidents that sometimes take highly skilled professionals months to find. “This is the problem that we face. We are asking 70-year-old individuals with flip phones to participate in national security.”
With other critical infrastructure sectors there are more likely to be highly qualified professionals who would be able to interact with CISA to discuss a possible breach in a way that some small jurisdiction election officials just couldn’t.
“The nature of the election system and the owners of these systems are so completely different than the professionals that operate other key critical infrastructure sectors,” he said. “They are so apples to oranges that you can’t even express it enough.”