Monday, August 7, 2023

Review - HR 4462 Introduced – Election Security

Last month, Rep Mace (R,SC) introduced HR 4462, the Election Security Assistance Act. The bill would require DHS and DNI to prepare annual reports to Congress on foreign threats to elections. It would also require CISA and the Election Assistance Commission to establish a voluntary process to test for and monitor covered voting systems for cybersecurity vulnerabilities. Finally, it would require DHS to notify State and local election officials of election cybersecurity incidents. No funding is provided in the bill.

Moving Forward

Mace is not a member of the House Administration Committee, to which this bill was assigned for primary consideration, nor is she a member of either the House Homeland Security Committee or the House Permanent Select Intelligence Committee, the two committees that have been assigned secondary consideration of the bill. This means that she is unlikely to have sufficient influence to see the bill considered in committee. I suspect that there would be at least some level of bipartisan support for the bill if it were considered.

Commentary

There are a lot of things missing in this bill, but I will limit this discussion to two topics, coordinated vulnerability disclosure and incident reporting.

Vulnerability Testing

I understand that vague wording in legislation provides executive agencies with broad leeway to establish an effective program to implement the requirements. This may be a good thing, especially where the agency has technical capabilities and knowledge missing in Congress. Having said that, the broad guidance in §3(a)(1) leaves out a very important component of vulnerability testing: reporting any vulnerabilities found to the vendor concerned so that mitigation measures can be developed.

Incident Reporting

The wording of §4 looks like the crafters of this bill were assuming that intelligence agencies would be the first to discover an election cybersecurity incident. While cyberattacks by foreign intelligence agencies may certainly be first discovered by friendly intelligence agencies, a whole host of other cyberattacks would first be detected by system owners (ransomware attacks being the most obvious example). With that in mind, this bill should require State and local election officials to report election cybersecurity incidents.


For more details about the provisions of the bill, including suggested language changes for the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4462-introduced - subscription required.
