New guidelines show how the agency will coordinate with state officials in the event of a cyberattack on election infrastructure.
The FBI released new guidelines on how it will approach cyberattacks on elections after facing years of criticism from lawmakers across the country for their response to Russian intrusion attempts during the 2016 election.
State officials, particularly those in Florida, were incensed when the Mueller Report revealed that two county voting databases were breached by Russian hackers ahead of the 2016 election.
The FBI never told state-level officials and only coordinated with people in the counties that had been hit, waiting nearly two years until meeting and explaining the situation to Florida Gov. Ron DeSantis.
The new guidelines, explained on a media call last Thursday and in a press release last Friday, say the FBI will notify a state’s chief election official and other local election workers in the event of any cyberattack.
SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
“Understanding that mitigation of such incidents often hinges on timely notification, the FBI has established a new internal policy outlining how the FBI will notify state and local officials responsible for administering election infrastructure of cyber activity targeting their infrastructure,” the FBI statement said.
“The FBI’s new policy recognizes the necessity of notifying responsible state and local officials of credible cyber threats to election infrastructure. Each state has a designated person to serve as its chief state election official with ultimate authority over elections held in the state, which often includes certifying election results,” the statement added.
“However, most election infrastructure is owned and operated by local governments. Likewise, the local election process is overseen by local election officials.
“The FBI’s interactions regarding election security matters must respect both state and local authorities. Thus, the FBI’s new policy mandates the notification of a chief state election official and local election officials of cyber threats to local election infrastructure.”
Officials also released new guidelines on the “timely dissemination of notifications” as well as threat reporting, the protection of victim information and how the FBI coordinates with other government agencies.
TechRepublic spoke to Marcus Fowler, director of strategic threat at Darktrace, and Etay Maor, chief security officer at IntSights, about the changes and what effect it will have on the 2020 elections.
Good first step
Fowler, who spent 15 years working on cyber operations at the CIA, said the changes were a good step forward for the FBI as more states discuss security best practices and threat intelligence. But the new rules did leave a lot of questions unanswered.
Now that state-level officials will be notified of any breaches by the FBI, states themselves will have to come up with guidelines on how they notify counties or municipalities.
“The key is going to be to remediate and disrupt. What about other municipalities? They talk about not notifying other municipalities and that they’re going to let the state do that. So the state needs to have a plan for notifying.”
“How are they going to share that same threat intelligence across their state?” he said, adding that the FBI said it would not notify voting machine vendors or the people who create the election infrastructure, potentially leaving other states with the same machines vulnerable to the same attacks.
“The next step is the municipalities, the local election officials and the state ones who have to know ‘OK, what am I doing, what’s my playbook when I get this information.’ They have to know who gets notified and what gets shared. If it goes public what should they tell people? You really need to be careful about ensuring election details and integrity but also the perception of the integrity of the election.”
The election in 2020 is sure to see even more cyberattacks now that nation-states know it can be an effective arm of an influence operation, Fowler said.
These kinds of attacks aim to disrupt election infrastructure but also undermine the population’s confidence in the results. He added that artificial intelligence will be key to stopping many attacks as cyberattackers and their hacking toolkits evolve.
Both Maor and Fowler said the other important element of the FBI’s new rules is the time factor. In 2016, information about cyberattacks did not reach the right people in time and as threats become faster and faster, it will be incumbent on security agencies to get the right information out quickly.
“It’s great to have actionable intelligence but if it doesn’t reach the right people at the proper time, its garbage. It’s not worth it. The fact that they’re changing the methodology and making it a lot more actionable is key to being reactive and fast, whether you’re in the military or online threat intelligence. It’s always about disseminating the information fast enough to the right people to make the right decisions and stop a potential threat,” Maor said.
“By mandating the fact that you have to disclose information and make it actionable in a very specific time frame changes the approach of threat intelligence. It will lead to much better cooperation and lead to a two-way communication,” he added.
Is it enough?
Despite the recent changes, both Fowler and Maor said the FBI’s new guidelines were not enough.
For Fowler, the problem is not what the FBI should do and more with how the agency should be partnering, cooperating and guiding state officials on best practices in the event of an attack.
This goes far beyond just elections and general cybersecurity measures that every state needs to take to protect critical infrastructure.
“Are states being resourced adequately for the cyberattack realities of today? Whether that’s about the ransomware attacks we’ve seen across the U.S. or the uptick in cyber-influence operations associated with the election,” Fowler said.
“Those who have tried to influence elections in the past are thinking about how to revamp or try different tactics. A number of different actors doing these attacks know it will all be blamed on Russia,” he added.
Maor said the FBI’s moves were a positive step but didn’t go far enough. The end goal, he said, was real-time “fusion centers” that allowed federal, state and local officials to work in concert on mitigating any and all threats.
Instead of trying to get dozens of federal and state agencies to coordinate, it would be better to create centralized cybersecurity hubs that could communicate in a timely manner and contact experts if needed.
“What I hope will happen is the creation of fusion centers for these types of events where information is shared immediately and experts from different agencies and states or districts know who the person to reach is. They don’t just know they’re supposed to reach the chief information security officer. They know the person by name because they work together and can provide data as fast as possible,” Maor said.
But more than anything, awareness of cybersecurity issues has put everyone on high alert, bringing a new level of scrutiny over the issue that will help officials focus on efforts to protect election systems.
“Today as opposed to 2016, everyone understands that there is a threat. And not only that there is a threat, but that there’s a will for other entities, not just Russia, to get into the elections and be able to meddle with these results or to tamper and make it harder to conduct elections,” Maor said.
“In 2016, people thought ‘Hey it’s not happening. Maybe it is or maybe isn’t.’ I don’t think there is a doubt today in states or in districts that this is something that might be happening.”