San Mateo County Grand Jury • 2018-2019

Security of Election Announcements Table of Contents | Issue | Executive Summary | Agencies | Glossary | Background |

Published: September 23, 2019 52 pages Consolidated Report

View Original PDF

⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.

⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

Findings 17 findings

F1 Page 27

The veracity of the County’s election broadcasts on any ACRE or CMO online communication platform is important to the public’s trust in the electoral process.

F2 Page 27

Unlike DHS,161 ACRE does not include the security of online election communications when describing election security on its website.162

F3 Page 27

Protecting online communication platforms with multi-factor authentication that is susceptible to SIM hijacking, phishing, and man-in-the-middle attacks—as is the case with the use of one-time PINs (OTPs) sent to cell phones—exposes the County to election disinformation attacks. Vulnerability of the County’s Email

F4 Page 27

Although the County implemented several email security protections that provide many of the DMARC benefits following a 2016 phishing attack, the County’s email security practices do not follow DHS guidelines for federal agencies due to the absence of complementing DMARC protection.

F5 Page 27

The County utilizes multi-factor authentication methods for its email that remain susceptible to SIM hijacking, phishing, and man-in-the-middle attacks. Vulnerability of ACRE’s Website

F6 Page 27

ACRE’s website security practices do not follow DHS guidelines for federal agencies requiring the use of multi-factor authentication protection by users who have the system permissions to alter the ACRE webpages.

F7 Page 27

ACRE outsources the domain management and hosting of its smcacre.org website to a third-party vendor. Vulnerability of Social Media Accounts

F8 Page 27

The San Mateo County Information Security Training produced by ISD does not make any

F9 Page 27

The San Mateo County Departmental Social Media Policy produced by CMO requires that multiple employees share official social media account passwords. Department of Homeland Security. “Election Security.” Accessed March 22, 2019. https://www.dhs.gov/topic/election-security. Assessor-County Clerk-Recorder and Elections. “Election Security and Accuracy.” Accessed April 27, 2019. https://www.smcacre.org/post/election-security-and-accuracy.

F10 Page 28

ACRE and CMO employees share passwords to their official social media accounts listed in Table 1 with multiple employees within their offices.

F11 Page 28

The San Mateo County Departmental Social Media Policy produced by CMO does not make any recommendations about using multi-factor authentication to protect against an unlawful takeover of social media accounts.

F12 Page 28

The ACRE and CMO social media accounts listed in Table 1, with the exception of the CMO Facebook page, do not use multi-factor authentication. Status of Cyber Hygiene

F13 Page 28

ACRE and ISD could strengthen their coordination of the evaluation and addition of security features to address election security.

F14 Page 28

ISD utilizes a DHS “Vulnerability Scanning” service for the entire County, but ACRE does not utilize any of the other seven free elections-specific DHS services listed in Table 2.

F15 Page 28

ISD runs network vulnerability assessments (“Vulnerability Scanning”) for the County devices, but does not audit the practices of employees to identify behavioral sources of network vulnerability.

F16 Page 28

The Internal Audit Division of the County Controller’s Office “performs internal audits of departments’ operations,” which has sometimes included cyber hygiene assessments.

F17 Page 28

The Internal Audit Division of the County Controller’s Office has not performed a cyber hygiene assessment of the Elections Division of ACRE.

Recommendations 14

R1
Page 29

Incorporate Communications into Election Security Definition: ACRE should adopt a policy that defines election security to include the security of the ACRE website, ACRE staff email accounts, social media accounts used for ACRE announcements, and other platforms ACRE uses for publishing election announcements. ACRE should implement this recommendation
R2
Page 29

Publish Updated Security Policy: ACRE should update the ACRE website’s written descriptions of the election security163 to incorporate the policy resulting from R1 on the security of election communications in addition to the current focus on security of (a) registration, (b) vote casting, and (c) results tabulation. ACRE should implement this recommendation by June 30, 2020. Protect the County’s Email
R3
Page 29

Prevent Spoofing with DMARC: ISD, CMO, and ACRE should improve email security for employees involved in election announcements by configuring and enabling DMARC for at least the smcacre.org and smcgov.org domains. ISD, CMO, and ACRE should implement this recommendation
R4
Page 29

Combat ACRE Email Account Phishing with FIDO Keys: ACRE should provide FIDO physical security keys to each of its permanent elections employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should implement this recommendation
R5
Page 29

Combat Other Email Account Phishing with FIDO Keys: ACRE should identify County employees outside of ACRE that have a role in election announcements (e.g., Chief Communications Officer, senior ISD employees, etc.) and ask that the departments of the identified employees provide FIDO physical security keys to each of the identified employees and require the use of those FIDO keys as part of their multi-factor authentication for accessing their County email accounts. ACRE should complete this recommendation by December 31, 2019. Protect ACRE’s Website
R6
Page 29

Combat Website Account Phishing with FIDO Keys: ACRE should require all County employees whose user accounts allow them to alter the ACRE website164 to use FIDO physical security keys as part of their multi-factor authentication. ACRE should implement this recommendation by December 31, 2019. Assessor-County Clerk-Recorder and Elections. “Election Security and Accuracy.” Accessed April 27, 2019. https://www.smcacre.org/post/election-security-and-accuracy. Including all accounts capable of directly editing the ACRE website, managing the smcacre.org domain, and any administrator account capable of managing other accounts that can edit the website or manage the domain.
R7
Page 30

Combat Island Hopping with FIDO Key Vendor Requirement: ACRE and ISD should require employees and contractors of any vendor that hosts the ACRE website to use FIDO physical security keys as part of their multi-factor authentication.165 ACRE and ISD should implement this recommendation by December 31, 2019. Protect the Social Media Accounts
R8
Page 30

Stop Sharing Social Media Account Passwords: ACRE and CMO should implement procedures whereby communications staff manage official County social media accounts with multi-user administration, and no employees share social media account passwords. ACRE and CMO should implement this recommendation
R9
Page 30

Request FIDO Key Feature If Not Available: ACRE and CMO should jointly draft and send a FIDO-key feature request citing this report to the social media companies used by the County to broadcast election announcements, but that do not currently offer FIDO account security protections—especially Instagram and Nextdoor. ACRE and CMO should implement this recommendation
R10
Page 30

Combat ACRE Social Media Account Phishing with FIDO Keys: ACRE should require any employee social media accounts capable of administering the official ACRE social media pages listed in Table 1 to use FIDO physical security keys as part of their multi- factor authentication. ACRE should implement this recommendation
R11
Page 30

Combat SMC Social Media Account Phishing with FIDO Keys: CMO should require any employee social media accounts capable of administering the official San Mateo County social media pages listed in Table 1 to use FIDO physical security keys as part of their multi-factor authentication. CMO should implement this recommendation by December 31, 2019. Improve Cyber Hygiene
R12
Page 30

Coordinate Election Security with Interdepartmental Working Group: ACRE and ISD should create an election security working group that meets periodically and is responsible for evaluating and improving the security of elections (a) registration, (b) vote casting, (c) results tabulation, and (d) communication within San Mateo County. ACRE and ISD should implement this recommendation
R13
Page 30

Evaluate Free DHS Elections Security Assistance Programs: ACRE and ISD election- security working group should evaluate the benefits of having all members of the election- security working group participate in any of the free DHS elections security assistance 165 At a minimum for any user account with a public portal capable of administering the ACRE website, any virtual private network (VPN) account that can access a private portal capable of administering the ACRE website, any account capable of managing the smcacre.org domain, and every email account within the vendor organization. programs listed in Table 2. ACRE and ISD should implement this recommendation
R14
Page 31

Offer Behavioral Cyber Hygiene Audits: ISD and the County Controller’s Office should develop a behavioral auditing program consisting of sampling the day-to-day routines and security practices of employees, contractors, and/or vendors and offer to audit each department within the County periodically to (1) evaluate compliance with existing cyber hygiene policies and (2) provide proactive advice on cyber hygiene improvements that could inform new policies. ISD and the Controller’s Office should begin to implement this recommendation by offering to audit ACRE and ISD (itself) in time to finish

Conclusions 1

CL1 Page 6

The Grand Jury finds that the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure.

No Responses Found 1

Government entities assigned to respond to this report. No response documents have been linked in our database.

San Mateo County Assessor Elected County Office