Election officials write letter opposing new CISA draft rules

Some state election officials are opposing a proposed U.S. Cybersecurity and Infrastructure Security Agency rule that would require election offices to disclose suspected cyberattacks to the federal government within a certain time frame, arguing the security agency is asking too much of understaffed offices.

The Associated Press reported Wednesday that the National Association of Secretaries of State board sent CISA a letter proposing that the agency’s new rules be voluntary rather than mandatory, that they limit the types of information requested and that they more clearly define what types of cyber incidents require reporting.

Under the current draft rules, agencies responsible for critical infrastructure are required to report suspected breaches or “serious” cyberattacks within 72 hours and pay ransoms within 24 hours.

According to CISA, a “significant” cyberattack involves unauthorized access that leads to significant operational downtime or impairment. Minor cyber incidents, such as phishing attempts or unauthorized activity that does not result in extended downtime, do not need to be reported.

Local and state election offices are considered critical infrastructure, similar to seaports, energy and agriculture sectors, and are therefore subject to mandatory reporting requirements.

CISA is not expected to finalize the rule until next year.