A group of state election officials is raising concerns about a draft rule that would require election offices to disclose suspected cyberattacks to the federal government. The rule, a result of a 2022 federal law, directs the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations mandating certain entities to report potential cybersecurity breaches or ransomware attacks.
Election offices, classified as critical infrastructure alongside banks and power plants, would be required to report suspected breaches within 72 hours under the proposed rule. The National Association of Secretaries of State has requested CISA to consider making the rule voluntary, limiting the information requested, and clearly defining triggering cyber incidents.
State election officials have expressed concerns about federal intrusion into state responsibilities, emphasizing the need for states to operate independently in administering elections. Some officials believe the proposed rule is an overreach by CISA and could burden already overworked and underfunded local election offices.
CISA Director Jen Easterly has acknowledged the feedback from state officials and assured that the agency will consider adjustments before finalizing the rule next year. While recognizing the importance of collecting information for cybersecurity, officials urge CISA to be cautious in the scope and burden of the reporting requirements.
Since the 2016 election interference by Russia, protecting the nation's election systems has been a top priority. Despite ongoing threats from foreign actors like Russia, China, and Iran, state officials stress the need for a balanced approach to cybersecurity reporting to ensure compliance without overwhelming local election offices.
The relationship between state election officials and CISA remains crucial in enhancing cybersecurity awareness and training. Officials hope for continued collaboration while maintaining the autonomy of state election operations.
