FBI recently announced a new policy aimed to clarify and guide timely notification of local and state election officials of any form of cyber invasion, recording a major shift three years after 2016 during the Russian invasion.
The new internal policy mandates that all state’s chief election be official and local election officials be informed as fast as possible of any credible cyber threats to election facilities. It welcomes working with other federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to give notice to these officials.
The FBI previous policy was to report direct victims of a cyber intrusion, but not to do so always to state officials, a stance politicians have protested against, most especially, in the wake of findings from former special counsel, Robert Mueller, that Russians were able to bypass the systems in at least one Florida county in 2016.
FBI then wrote in a statement announcing the new policy that “decisions surrounding notification continue to be dependent on the nature and breadth of an incident and the nature of the infrastructure impacted.”
The agency also said that “it is the plan of the FBI that the new policy will strengthen collaboration between all levels of government for the integrity and security of U.S. elections.”
FBI senior official told reporters during a call on Thursday that the bureau would notify state and local officials in person, and that any time wasted in the process of notification would require further approval from a “very senior official within the FBI.”
The official emphasized that the new policy deals with notifying state and local officials of specifics of a cyber incident, and “will not preclude informing others about potential vulnerabilities or widespread effects.”
The new policy comes months after the Mueller report found that Russian hackers sent phishing emails to more than 100 Florida election officials in November 2016 to try to gain access to the networks.
Mueller noted that the FBI followed up the investigation, but also noted that while the FBI believed the Russian hackers successfully accessed systems in at least one Florida county, it “did not take the investigative steps” to verify what occurred.
Following the release of the Mueller report, the FBI briefed Florida representatives in Congress, and Gov. Rick DeSantis (R) said during a press conference in May that the FBI had told him that Russian hackers had accessed the systems of two unnamed Florida counties.
A senior Justice Department official told reporters on Thursday that federal agencies involved in election security have “learned more about election law and how states are organized” in the wake of past election security.
“Looking at our experience over the last couple of years, we see that we can’t treat states as we would for a large company,” the Justice Department official said. “This is our effort to be as well-footed and solidly grounded as we move into 2020.”
The Mueller report also found that Russian hackers had gained access to the Illinois voter’s registration database through successfully compromising the network of the Illinois State Board of Elections, and that these hackers scanned for vulnerabilities in the networks of dozens of other states in the summer of 2016.