County election communications aren't secure, grand jury claims | July 31, 2019 | Almanac | Almanac Online |

Almanac

News - July 31, 2019

County election communications aren't secure, grand jury claims

by Matthew Vollrath

As 2020 approaches, the San Mateo County Civil Grand Jury has released a new report that raises concerns about the security of county elections. The threat: that the county's online election communications could be hacked.

The 34-page report, published July 24, is not about the security of election systems themselves, as the county has strong safeguards against voter fraud and manipulation of election results, the report's authors clarify. But if hackers wanted to infiltrate the Elections Office's website, emails, or Facebook and Twitter pages, the grand jury maintains, it would be relatively easy to do so.

Hacking these online accounts could allow attackers to spread misinformation about where and when to vote, or to convincingly misreport election results to the public, the report says.

These threats are "not theoretical," the grand jury warns. In 2016, Russian hackers took control of election networks in two Florida counties, according to the report published by former special counsel Robert Mueller on Russian interference in the 2016 presidential election. Similar attempts were recently made in Contra Costa County and Knox County, Tennessee. And in 2010, the San Mateo County elections website, smcacre.org, was successfully hacked (though not during an election period), and several county emails were compromised in 2016.

The grand jury report identifies several areas of ongoing vulnerability. For one thing, password sharing among social media accounts is part of official county policy, it found. Widespread access to these accounts greatly increases their vulnerability to "phishing" campaigns — scams where hackers try to steal login credentials through an infected link, which account for as much as 91% of cyberattacks.

These social media accounts also generally lack multi-factor authentication. Except for its Facebook account, the online profiles used for official election communications aren't protected by anything other than a single password. Nowadays, additional security, such as a one-time password sent through text, is crucial to stave off phishing, the grand jury asserts.

The grand jury recommends a number of measures based on its findings. First and foremost, the county should take advantage of the many election security services offered by the Department of Homeland Security, including a "Cyber Resilience Review" and a "Phishing Campaign Assessment," according to the report. All of these services are available to local elections offices for free.

In the meantime, the grand jury recommends the immediate use of "FIDO keys": physical drives containing login credentials, which experts say are far more secure than passwords.

Various county agencies must now respond to the report, including the Office of the Assessor-County Clerk-Recorder & Elections (ACRE). According to Jim Irizarry, assistant chief elections officer, ACRE recognizes the seriousness of the findings, but is confident in its ability to respond.

"The issuance of the Grand Jury report is timely and appropriate," Irizarry wrote in an email. He noted the significance of its release on the same day Robert Mueller testified in Washington, D.C., about foreign election interference, which "speaks to the high level and sophistication of these cyber threats," he said.

However, "San Mateo County Elections technology ... is among the safest and securest in California and the Nation," he wrote. Some of the report's recommendations were already implemented independently prior to its release, he asserted. For many of the remaining concerns, including multi-factor authentication and FIDO keys, ACRE will work with other departments "to identify ... and implement (them) as soon as possible."

"We are always vigilant and concerned about elections and security," Irizarry concluded. "We feel very confident that our efforts to harden our cyber defenses and our extensive voter education and outreach programs will protect the security and content of our elections web page."

ACRE and the other agencies have 60 days to release an official response.

Comments

There are no comments yet for this post

Post a comment

Posting an item on Town Square is simple and requires no registration. Just complete this form and hit "submit" and your topic will appear online. Please be respectful and truthful in your postings so Town Square will continue to be a thoughtful gathering place for sharing community information and opinion. All postings are subject to our TERMS OF USE, and may be deleted if deemed inappropriate by our staff.

We prefer that you use your real name, but you may use any "member" name you wish.

Name: *

Select your neighborhood or school community: * Not sure?

Choose a category: *

Since this is the first comment on this story a new topic will also be started in Town Square! Please choose a category that best describes this story.

Comment: *

Verification code: *
Enter the verification code exactly as shown, using capital and lowercase letters, in the multi-colored box.

*Required Fields


All your news. All in one place. Every day.

 

PRICE INCREASES MONDAY

On Friday, October 11, join us at the Palo Alto Baylands for a 5K walk, 5K run, 10K run or half marathon! All proceeds benefit local nonprofits serving children and families.

Register now