The 34-page report, published July 24, is not about the security of election systems themselves, as the county has strong safeguards against voter fraud and manipulation of election results, the report's authors clarify. But if hackers wanted to infiltrate the Elections Office's website, emails, or Facebook and Twitter pages, the grand jury maintains, it would be relatively easy to do so.
Hacking these online accounts could allow attackers to spread misinformation about where and when to vote, or to convincingly misreport election results to the public, the report says.
These threats are "not theoretical," the grand jury warns. In 2016, Russian hackers took control of election networks in two Florida counties, according to the report published by former special counsel Robert Mueller on Russian interference in the 2016 presidential election. Similar attempts were recently made in Contra Costa County and Knox County, Tennessee. And in 2010, the San Mateo County elections website, smcacre.org, was successfully hacked (though not during an election period), and several county emails were compromised in 2016.
The grand jury report identifies several areas of ongoing vulnerability. For one thing, password sharing among social media accounts is part of official county policy, it found. Widespread access to these accounts greatly increases their vulnerability to "phishing" campaigns — scams where hackers try to steal login credentials through an infected link, which account for as much as 91% of cyberattacks.
These social media accounts also generally lack multi-factor authentication. Except for its Facebook account, the online profiles used for official election communications aren't protected by anything other than a single password. Nowadays, additional security, such as a one-time password sent through text, is crucial to stave off phishing, the grand jury asserts.
The grand jury recommends a number of measures based on its findings. First and foremost, the county should take advantage of the many election security services offered by the Department of Homeland Security, including a "Cyber Resilience Review" and a "Phishing Campaign Assessment," according to the report. All of these services are available to local elections offices for free.
In the meantime, the grand jury recommends the immediate use of "FIDO keys": physical drives containing login credentials, which experts say are far more secure than passwords.
Various county agencies must now respond to the report, including the Office of the Assessor-County Clerk-Recorder & Elections (ACRE). According to Jim Irizarry, assistant chief elections officer, ACRE recognizes the seriousness of the findings, but is confident in its ability to respond.
"The issuance of the Grand Jury report is timely and appropriate," Irizarry wrote in an email. He noted the significance of its release on the same day Robert Mueller testified in Washington, D.C., about foreign election interference, which "speaks to the high level and sophistication of these cyber threats," he said.
However, "San Mateo County Elections technology ... is among the safest and securest in California and the Nation," he wrote. Some of the report's recommendations were already implemented independently prior to its release, he asserted. For many of the remaining concerns, including multi-factor authentication and FIDO keys, ACRE will work with other departments "to identify ... and implement (them) as soon as possible."
"We are always vigilant and concerned about elections and security," Irizarry concluded. "We feel very confident that our efforts to harden our cyber defenses and our extensive voter education and outreach programs will protect the security and content of our elections web page."
ACRE and the other agencies have 60 days to release an official response.