The FBI announced a new policy intended to “clarify and guide timely” notification of state and local election officials of any cyber intrusions, marking a major shift three years after Russian intrusions during the 2016 elections, The Hill reports. The new internal policy mandates that a state’s chief election official and local election officials be notified as quickly as possible of any credible cyber threats to election infrastructure. It prioritizes working with other federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to notify officials. The previous policy was to notify direct victims of a cyber intrusion, but not always state officials, a stance politicians have protested after special counsel Robert Mueller’s finding that Russians were able to infiltrate systems in at least one Florida county in 2016.
A senior FBI official told reporters Thursday that the bureau would aim to notify state and local officials in person, and that any delays in notification would require approval from a “very senior official within the FBI.” The official emphasized that the new policy deals with notifying state and local officials of specifics of a cyber incident, and “does not preclude informing others about potential vulnerabilities or widespread effects.” Mueller found that Russian hackers sent phishing emails to more than 100 Florida election officials in November 2016 to try to gain access to networks. A senior DOJ official said federal agencies involved in election security have “learned more about election law and how states are organized.” “We see that we can’t treat states as we would a large company,” the official said.