A San Mateo, California, grand jury issued a report this week that focuses on San Mateo County’s email and online communication platforms, which are vulnerable to hijacking and propagating disinformation in the guise of election instructions or announcements.
“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public. Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report said.
In San Mateo County, the Assessor–County Clerk–Recorder and Elections (ACRE) uses email, social media and its website to collect voter information directly from local election offices. Attackers hijacked the election results webpage in 2010; six years later, the county suffered a breach resulting from a spear-phishing email.
After analysis, the grand jury determined that “the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure,” according to the report.
The report goes on to make specific recommendations that include the use of FIDO physical security keys, which Satya Gupta, CTO of Virsec, said is a bit unsettling. “Two-factor authentication should be the norm for any important business transaction and is used and offered by most online services. Intercepting SMS codes with a [man-in-the-middle] attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help but will not stop the torrent of false social media information we should expect during this election cycle.”
The fact that two-factor authentication isn’t already in use appalls Pierluigi Stella, CTO of Network Box USA, who pointed out that “in 2019, a grand jury should not be the body that has to propose the adoption of what should be obvious security measures.”
“The people running the security policies of the institutions that are in charge of the election process are not forcing the issue and ensuring the adoption of the highest security standards already. We do not need a grand jury to state the obvious. These situations baffle me to no end. Two-factor authentication may not be the ultimate solution, yes, but it surely goes a long way towards making hackers' lives miserable, hence enhancing and augmenting the element of data safety,” Stella said.