Mac Warner needed to get something off his chest.
The secretary of state of West Virginia had patiently listened to federal officials explain their updated process for notifying state officials and the public of foreign attempts to interfere in U.S. elections.
As the Nov. 8 phone call with election officials across the country came to a close, Warner said he wouldn’t mince words the way one of his “silver-tongued” colleagues had done while offering feedback on the updated process.
“The analogy that came to me is the realigning of the deck chairs on the Titanic,” Warner said, according to a call transcript obtained by CyberScoop. “I think this is a straightening up of the chairs: It feels good and so forth, but you’re not getting to the substance.”
It was one of multiple blunt exchanges about the new threat-notification framework, which is meant to give U.S. officials a consistent process for alerting state personnel, the private sector, Congress, and the public of foreign attempts to interfere in U.S. politics through influence operations or cyber-activity. State officials were only given a generic, one-page summary of the document, which is still restricted to the federal government.
It was “either done without [states’] input or our input was ignored,” Warner vented.
“I’m not seeing anything new in this current rendition of what’s going on,” Warner said. The policy wasn’t addressing “the heart of our concerns” — that federal agencies needed to more quickly and transparently share threat information with state and local officials, he added.
Collaboration on cybersecurity between federal and state and local election officials has grown by leaps and bounds since 2016, when Russian hackers probed IT systems in states across the country, and election officials weren’t notified about that activity for many months. There is now a cyberthreat-sharing center for election infrastructure, and state and local officials have fostered much closer relationships with the Department of Homeland Security and the FBI.
But, as the Nov. 8 phone call vividly illustrates, state and local officials are still irked by what they see as bureaucratic obstacles to getting actionable threat information. Some state officials and lawmakers, for example, have criticized the FBI for refusing to name the two Florida counties where Russians accessed voter data in 2016.
Rectifying that notification process could be key to building on progress made in election security since 2016.
‘I know that’s not what you want to hear’
On the Nov. 8 phone call with officials from the Office of the Director of National Intelligence, the FBI, and DHS to explain the updated threat-notification policy, Warner was not alone in airing his concerns about the federal approach to alerting states to hacking incidents.
“You need to understand that … we have seen in Florida how this notification process can be done incorrectly and cause a lot of consternation,” David Stafford, supervisor of elections in Escambia County, Florida, said on the call.
Many state and local officials were caught off-guard by the announcement and unclear about what in federal policy had changed.
“Reading the one-pager and then hearing the intro, I’m struggling to identify how the policy has changed,” said Judd Choate, Colorado’s state election director.
Shelby Pierson, who became the intelligence community’s top election security official in July, told Warner and other state and local officials that she heard their concerns “loud and clear,” and that federal officials were pushing to make threat information available to them as quickly as possible.
“There are a whole sequence of considerations” at the federal level that go into notifying targets of malicious cyber-activity, Pierson said. “I know that’s not what you want to hear, but we’re trying to balance the equities of a very, very large federal space against all of the interests that you have.”
The updated notification framework is designed for federal officials to be more proactive in alerting state officials of, say, foreign disinformation campaigns or phishing attempts. It is a difficult task: influence operations that exploit social media, for example, can be more nebulous and harder to quantify than hacking activity that can be tied back to a given IP address. U.S. officials have to make tough calls about how and when to relay an emerging threat without tipping off an adversary or inadvertently amplifying the adversary’s work by making it public.
While many state and local officials appreciate the spirit behind the new framework and the challenges of getting it right, its abrupt rollout was problematic for them in other ways. It left some state and local officials scratching their heads and wondering why intelligence officials were helping lead this latest initiative, and not their more familiar contacts at DHS and FBI, who have been their go-betweens with the intelligence community.
“Would there ever be a scenario where we would be engaging directly with ODNI, or would the intel come through the federal partners that we have traditionally dealt with, namely DHS and FBI?” Stafford asked.
No, Pierson said. Nothing has changed in how state and local officials communicate with their DHS and FBI contacts, a message that officials from those agencies hammered home throughout the call. U.S. officials will continue to preach open lines of communications as they prepare for the 2020 election, which U.S. intelligence agencies have warned will draw interference attempts from China, Iran, and Russia.
Trevor Timmons, CIO of the Colorado secretary of state’s office, said he sympathized with the balancing act that intelligence agencies had of promptly putting out threat information while still protecting sources and methods. Federal officials, he said, have worked to declassify information more quickly.
“I’m encouraged that they actually wanted to talk to us” about the framework, Timmons, who was on the phone call, told CyberScoop.
“Warner was summing up how state officials feel about threat intelligence,” Timmons said. “We don’t care which federal agency it comes from, just as long as it’s actionable.”
State and local officials have asked to see the full framework, which federal agencies will update periodically. But Pierson told them that it is White House and National Security Council policy not to release the document as it relates to sensitive interagency policy processes.
“The burden of information sharing is a shared space across the federal government as well as the states and localities that also have very relevant information in this space,” a senior U.S. intelligence official told CyberScoop. “The notification framework is another step in the federal government’s commitment in this area.”
A greater role for intelligence officials in election security
In many respects, election security advocates have welcomed the more proactive role that U.S. intelligence agencies have taken in helping protect the vote since 2016. In the build-up to the 2018 midterm election, the National Security Agency participated in a large-scale drill with state and local officials, and Cyber Command personnel traveled to European allies like Ukraine to study Russian hacking techniques.
Now, it’s a matter of bridging the gap between that intelligence gathered and the data state and local officials are receiving.
On the call with federal officials, Warner, who served in the U.S. Army before entering politics, also unloaded on what he sees as a lack of value in the classified threat briefings that federal officials periodically give state officials.
“I don’t think there’s been one thing that we have gained from having those security clearances and it’s led to a lot of frustration at these so-called classified briefings where nothing substantively is put out,” Warner said, according to the transcript. It’s a frustration widely shared by state and local officials.
“I’m tired of hearing of stuff through the New York Times, the Mueller report, the Senate Intelligence report,” he said. “I want to hear it from my Department of Homeland Security as it happens, as much as they know.”
Federal officials say they are well aware of the criticism of the classified briefings and are working to address it. Some of the important unclassified threat data that election administrators receive, the officials point out, started off in some shape or form as classified intelligence information.
In a statement to CyberScoop, Sara Sendek, spokesperson for DHS’s Cybersecurity and Infrastructure Security Agency, said election security is a “top priority for CISA and the entire federal government. Over the last few years, we have worked hand-in-hand with state and local election officials to provide them information, tools, and assessments to manage risk to their systems.”
CISA, Sendek added, is “encouraged by any effort to provide our partners with more timely and useful information.”
As for Warner’s criticism that state and local officials weren’t given the chance to provide input for the framework, some U.S. officials argue that the involvement of DHS, which works closely with states, in the framework meant it took into consideration state and local viewpoints.
‘We’re much better positioned for the 2020 election’
In an interview with CyberScoop, Warner said he had seen firsthand the improvement that state officials had made in their cybersecurity by working with DHS, and that his unvarnished remarks on the phone call were meant to add to that progress.
DHS officials were “now doing a much better job” of getting threat information to states, he said. “We now understand what the Russians are up to,” Warner added. “We’re much better positioned for the 2020 election.”
“I think they’ve heard us,” Warner said of federal officials. “I think they’re moving in the right direction.”
But he also expounded on the frustrations he expressed on the phone call with federal officials.
“We’re five months away from our primary in West Virginia and it would have been nice to have had this a year ago,” Warner said of information on Russian hacking that has trickled out publicly via, for example, the report from former Special Counsel Robert Mueller.
“I’m still waiting for an explanation why revealing that a hack or an intrusion … into a voting registration system, why that needs to be kept quiet or away from at least the other election officials,” Warner told CyberScoop.
The updated framework makes clear that partisan politics won’t play any part in the notification process. During the phone call, Pierson said federal officials were very sensitive to inserting themselves into politics by making notifications or announcements that get “morphed into the political landscape of debates within the country — and I think we have seen that in 2016 and 2018.”
Warner was having none of that.
“I almost don’t have time for listening to the federal government when they talk about, ‘Well, it’s difficult. We don’t want to make a choice and get in the political process,'” Warner said.
“By not making a choice, you are making a choice, and it allows for a lot of stuff going around in the newspapers and in the political arena that you all could have cut short if you had gotten engaged and let us know on the front end.”
Changes coming to FBI, DHS hacking alerts for states
The call also sheds light on a separate, but related, update that the FBI and DHS are preparing to make to their policies of making state officials aware of cyber intrusions in their jurisdictions. The policy change is meant to ensure that federal officials notify elected state officials, and not just systems administrators, of hacking affecting U.S. election infrastructure.
Cynthia Kaiser, an assistant section chief of the FBI’s Cyber Division, said the policy change was in response to feedback from election officials making clear that “there really is a larger spectrum of impacted individuals at the system level for these types of intrusions and crimes.”
“While it’s not finalized yet, you can expect to see a policy probably in the coming months that will discuss our continued approach to notifying system owners and operators … but also ensure that the politically accountable chief state election official or board is also aware of what’s going on and what we’re notifying at that local level,” Kaiser said.
Matt Masterson, DHS’s top election-security-focused official, said his team is also revising the way it alerts states to hacking threats. The new DHS approach, which will align with the FBI’s, will recognize “the important role of state and local [officials]” and the way those officials interact with state IT systems, Masterson said, according to the transcript.
In some ways, the earful that Warner gave federal officials can even be seen as a sign of progress. Warner and many other secretaries of state are now on a first-name basis with DHS and FBI officials, in contrast with the distance between them in 2016. The West Virginian felt comfortable tearing into a big announcement from federal officials, who heard him out.
You can read the one-page summary of the notification framework below.