The San Mateo County civil grand jury warns that online election information held in county offices is vulnerable to cyberattacks.
While that might surprise many voters, there is precedent, according to the grand jury, which issued its report last week. In 2010, hackers hijacked the county’s election results website and in 2016 the county fell victim to a phishing attack against several employees.
Nationwide, election security is a hot topic. Last week, the U.S. Senate Intelligence Committee reported that Russia targeted election systems in all 50 states in 2016, and that the effort went largely unnoticed at the time.
The grand jury maintains San Mateo County’s election information website and social media accounts remain vulnerable to attack because the county has not put in place sufficient, secure, multifactor authentication systems, which require users to provide more than just a password to log in.
While much of the public attention focuses on the integrity of voting machines and counting individual votes, this report focuses on the vulnerability of the county’s email and online communication platforms.
The grand jury concludes that the security protections against hijacking that the county currently uses are not adequate. The county election website and social media accounts could be used to mislead voters before an election or distribute incorrect information afterward.
“Public confidence is at stake, even if the vote itself is secure,” the report states.
The report details steps that the county could take to improve the security of these online accounts. Employees who are critical in distributing election information should better protect their accounts using FIDO keys — physical security keys that owners insert or tap to their computers or phones to complete their account sign-in process — as part of a stronger multifactor authentication process.
The grand jury also recommends that the county take advantage of free consulting services offered by the U.S. Department of Homeland Security to help it assess and improve online system security.
Mark Church, chief elections officer for San Mateo County, released a preliminary response to the report. “In cooperation with the county’s Information Services Department, we will incorporate those recommendations and best practices that are in the best interests of the public,” he said in the statement.
Church says the report failed to recognize the cybersecurity programs and procedures that are already in place to protect the county’s election information.
“San Mateo County voters can rest assured that our voter information, voting tabulation systems, websites and communications structure are safe and secure,” said Church in his response.
The elections office is still in the process of reviewing the report and will provide a detailed response to the San Mateo County Superior Court on or before Sept. 23.