FBI plans to notify states about local election breaches

WASHINGTON (AP) — The FBI, in a change of policy, is committing to inform state officials if local election systems have been breached, federal officials said Thursday.

In the past, the FBI would alert local governments about attacks on their electoral systems without automatically sharing that information with the state. That meant state officials, left in the dark, might be in a position of certifying the accuracy of election results without realizing there had been problems in individual counties. Alerting local governments about breaches, but not the states, was in keeping with FBI policy of protecting the privacy and identities of the actual hacking victim.

Now, though, the FBI will notify both counties victimized by breaches as well as the state's chief election official — in most cases, the secretary of state. Under the new policy, that notification is to be done in person. The state will be notified either simultaneously or shortly after, officials said Thursday.

The change is intended to bolster federal-state cooperation, which has often been difficult on electoral issues, and is one of several government efforts to rethink how information about cyber threats is shared and with whom. It may also ease concerns of local officials who in the past have complained about the lack of information they've received from the federal government, though cooperation has improved ahead of the 2020 election with concerns that Russia or another nation could try to tamper with the vote.

The policy change was shared with state officials on Thursday and made public later in the day. Senior officials from the FBI and Justice Department described the outlines of it to The Associated Press on condition of anonymity ahead of the formal release.

Officials say their goal is to sound the alarm louder and at higher levels of government than in past years, ensuring that information about efforts to interfere in the election reaches the state officials who need it the most and who have the best resources to deal with it. That is especially important since federal officials believe Russian agents in 2016 searched for vulnerabilities within election systems in all 50 states.

Though the policy change means that a broader audience of government officials will learn of any intrusion, it does not guarantee that the American public will as well.

FBI officials say they will continue to protect the privacy of individual hacking victims, including governmental offices or local elections systems, by not sharing their identities with the public. It will remain up to electoral officials to disclose if they've been hacked, or if they are working with the FBI.

That stance has been a source of contention between federal law enforcement and state and local officials. The public still does not know, for instance, which two Florida counties were breached by Russian agents in 2016 and members of the congressional delegation said they were barred by federal officials from sharing that information following a briefing they attended.

Florida Gov. Ron DeSantis said last May that he was frustrated when he saw a reference to the Florida hacking in special counsel Robert Mueller's report on Russia interference in the 2016 election. DeSantis said he signed an agreement with the FBI not to disclose the names of the two counties where hackers gained access to the voting database and that his predecessor as governor did not have access to the information.

Rep. Stephanie Murphy, a Florida Democrat, has co-sponsored bipartisan legislation that would compel reporting among federal, state and local officials and to voters potentially affected by a breach.

On Thursday, she called the FBI's announcement welcome but not enough and said she would continue to push for federal officials to release more information when foreign powers interfere with the election.

“Our citizens will then be in a position to check their voter registration data to confirm it wasn’t tampered with and to hold accountable state and local officials who fail to protect election infrastructure," Murphy said in a statement.

The FBI policy does not cover more routine cyber activity, such as scanning for network vulnerabilities. But it would extend to sophisticated spear-phishing campaigns, aimed at tricking employees into giving up their log-in credentials, and other acts that officials see as particularly alarming and think must be communicated both to the county and the state.

The policy comes two months after the Office of the Director of National Intelligence released a broad framework for how and in what circumstances to notify the public about foreign election interference, laying out general considerations for the government to take into account.

“What I want for the American voting public is that they understand these threats, that they've heard about so frequently, that they've availed themselves of the resources," the DNI's chief election official, Shelby Pierson, said at a conference this week. “It is with the confidence of knowing these threats that they are empowered to participate in the process.”

When it comes to notifying states, one FBI official told the AP there was confusion in the past about who was receiving information and in what circumstances — issues the new policy is meant to address.

The official said the policy is meant to ensure that one party does not hear it from the other before hearing it from the federal government.


Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP

Bg pattern light


Subscribe to Samoa Observer Online

Enjoy access to over a thousand articles per month, on any device as well as feature-length investigative articles.

Ready to signup?