The FBI on Thursday announced a new policy intended to “clarify and guide timely” notification of state and local election officials of any cyber intrusions, marking a major shift three years after Russian intrusions during the 2016 elections.
The new internal policy mandates that a state’s chief election official and local election officials be notified as quickly as possible of any credible cyber threats to election infrastructure. It prioritizes working with other federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to notify these officials.
The previous policy of the FBI was to notify direct victims of a cyber intrusion, but not to always state officials, a stance politicians have protested against, particularly in the wake of findings from former special counsel Robert MuellerRobert (Bob) MuellerSenate Democrats urge Garland not to fight court order to release Trump obstruction memo Why a special counsel is guaranteed if Biden chooses Yates, Cuomo or Jones as AG Barr taps attorney investigating Russia probe origins as special counsel MORE that Russians were able to infiltrate systems in at least one Florida county in 2016.
The FBI wrote in a statement announcing the new policy that “decisions surrounding notification continue to be dependent on the nature and breadth of an incident and the nature of the infrastructure impacted.”
The agency added that “it is the intent of the FBI that this new policy will result in increased collaboration between all levels of government for the integrity and security of U.S. elections.”
A senior FBI official told reporters during a call on Thursday that the bureau would aim to notify state and local officials in person, and that any delays involved in the process of notification would require approval from a “very senior official within the FBI.”
The official emphasized that the new policy deals with notifying state and local officials of specifics of a cyber incident, and “does not preclude informing others about potential vulnerabilities or widespread effects.”
The new policy comes months after the Mueller report found that Russian hackers sent phishing emails to more than 100 Florida election officials in November 2016 to try to gain access to networks.
Mueller noted that the FBI took over this investigation, but that, while the FBI believed the Russian hackers successfully accessed systems in at least one Florida county, it “did not take the investigative steps” to verify this occurred.
Following the release of the Mueller report, the FBI briefed Florida representatives in Congress, and Gov. Rick DeSantis (R) said during a press conference in May that the FBI had told him that Russian hackers had accessed the systems of two unnamed Florida counties.
A senior Justice Department official told reporters on Thursday that federal agencies involved in election security have “learned more about election law and how states are organized” in the wake of past election security concerns.
“In looking at our experience of the last couple of years, we see that we can’t treat states as we would a large company,” the Justice Department official said. “This is our effort to be as well-footed and solidly grounded as we can going into 2020.”
The Mueller report also found that Russian hackers had gained access to the Illinois voter registration database through successfully compromising the network of the Illinois State Board of Elections, and that these hackers scanned for vulnerabilities in the networks of dozens of other states in the summer of 2016.