Cybersecurity industry executives reacted to a new report issued by a San Mateo, California grand jury this week that focuses on the vulnerability of the County’s email and online communication platforms to hijacking and to propagating disinformation in the guise of election instructions or announcements.
A mobile soft token is by far a better solution – there are many different solutions, everyone has a phone, and they can easily be provisioned. An open, token-independent MFA management solution would be far more appropriate. Vote harvesting, postal ballots and ID-less voting are real threats to election integrity. If people are concerned, states and the Federal government could deploy secure e-voting systems which would ensure that only authenticated and entitled voters could participate in local, state and Federal elections with voter privacy ensured and results publicly validated. Let’s just keep Facebook, Google, Twitter and the NSA out of it.
Attacks against our most important democratic institution – our free elections – are the most radical way to attack us at the core of our society. If our enemies can cause the public to lose faith in the election process, they’ve caused us to lose faith in the very thing that such elections represent – our democracy. The grand jury said it most accurately. Even if the elections are actually secure, if the public doesn’t show up because people no longer believe in the legitimacy of such an institution, then our enemies would’ve accomplished their ultimate objective – they would’ve successfully manipulated our elections to their advantage. Yes, they’ve practically won! The fact that apparently two-factor authentication isn’t already being used is very appalling indeed. Why is it that in 2019, it takes a grand jury to propose the adoption of security measures that should be beyond obvious? Who are these people running the security policies of the institutions that are in charge of the election process? Why are they not forcing the issue and ensuring the adoption of the highest security standards already? Why do we need a grand jury to state the obvious? These situations baffle me to no end. Two-factor authentication may not be the ultimate solution, yes, but it surely goes a long way towards making hackers’ lives miserable, hence enhancing and augmenting the element of data safety. So, why are we even having this discussion? Why is this not already adopted?
The Grand Jury is right about the necessary improvements to secure access to critical accounts, whether it’s email or social media. At the same time, I would recommend elections officials put in place response plans to trigger in the unfortunate case that a cyberattack is successful. These plans need to include a couple of things: monitoring that can identify that an attack took place, and a remediation plan to make the necessary corrections in as little time as possible.
Raising awareness about potential threats and impersonation of officials managing elections is important, but it’s a bit unsettling to have a Grand Jury recommending specific security technology and even vendors. Two-factor authentication should be the norm for any important business transaction, and is used and offered by most online services. Intercepting SMS codes with a MIM attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help, but will not stop the torrent of false social media information we should expect during this election cycle.