Election officials resist proposed federal rule on reporting cyberattack threats

A group of state election officials is calling on the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to reconsider a draft rule that requires election offices to report suspected cyberattacks to the federal government. This group, including the National Association of Secretaries of State, believes that the current mandate places excessive burdens on already overwhelmed local officials. The rule stems from a 2022 federal law that designates election systems as critical infrastructure, mandating reports similar to those required for banks, power plants, and dams.

The National Association of Secretaries of State has suggested that the reporting rule be made voluntary, that the information requested be limited, and that clearer definitions be provided for the types of cyber incidents that require reporting. The proposed rule sets a deadline of 72 hours for reporting suspected breaches.

During their summer conference in Puerto Rico, state election officials have been voicing these concerns directly to CISA Director Jen Easterly. Easterly has stated that she is reviewing the feedback and individual comments submitted by officials. The final rule is not expected to be completed until next year. Easterly emphasized that CISA’s aim is to work collaboratively and integrate suggestions into the regulation.

Some state officials, like Utah Lt Gov. Deidre Henderson and West Virginia Secretary of State Mac Warner, view the proposed rule as federal overreach into state jurisdiction. They believe it undermines states’ independence in managing elections. Minnesota Secretary of State Steve Simon supports the importance of providing information to CISA but suggests a cautious and balanced approach to avoid overly burdensome requirements that may hinder compliance.

Kentucky Secretary of State Michael Adams expressed concerns that the broad scope of the proposal could overwhelm local election offices that are already understaffed and underfunded. He stressed the importance of maintaining a cooperative relationship between CISA and state offices. Adams highlighted that CISA’s effectiveness lies in being responsive to state needs rather than enforcing top-down directives.

Cybersecurity in election systems has been paramount since 2016, following Russian attempts to breach state voter registration systems. Despite ongoing threats from countries like Russia, China, and Iran, the focus remains on safeguarding the integrity of U.S. elections.