Should government social media accounts be treated as critical infrastructure?
- By Shay Nahari
- Mar 16, 2018
Can a forgotten password cause more disruption than an actual cyberattack? In the case of the erroneous Twitter alert of an inbound ballistic missile in Hawaii, the answer is yes.
Then, just days after the false alarm in Hawaii, a similar erroneous alert was issued in Japan. While both false alerts were attributed to employee error, each case should serve as a call for an immediate evaluation of the cybersecurity procedures used to safeguard warning and communications systems.
In Hawaii, the governor was told the alarm was false two minutes after it was sent out over Twitter. While others in the government rushed to Twitter to assure the public that it was a false alert, the governor’s account was idle for more than 17 minutes. Why the delay? According to the governor himself, he forgot his Twitter username and password.
This case is a stark reminder of the growing role social media plays in our lives and its emergence as a critical communications conduit to the public.
All government officials who use social media for emergency communications should immediately review how they’re managing these accounts to eliminate the chance that a forgotten password could delay the delivery of critical information.
Reviews should also ensure communication platforms are hardened to prevent attackers from hijacking these accounts to issue false information -- a very real possibility in today’s threat landscape.
Attackers understand the power of the latest communications platforms and have targeted social media accounts over the years to sow discord and spread false information. One such example was a false Tweet sent from the Associated Press Twitter handle, resulting in a $136.5 billion drop in the S&P 500 index's value in minutes.
Government-related social media accounts used for timely or sensitive communications should be treated as critical infrastructure, subject to the same cybersecurity practices followed by the energy, transportation and chemical sectors.
Government social media accounts -- on platforms like Twitter, Facebook, YouTube, LinkedIn and more -- are typically shared accounts, meaning that teams of people throughout an agency have access and can post information to them. The passwords for these accounts are often shared internally among team members.
This makes them easy targets for attackers or malicious insiders. The shared nature of these accounts also means there is no record of who posted what -- making a deliberate false alert a real possibility. Making matters worse, passwords used to "secure" these accounts are rarely changed and are typically reused across multiple accounts.
By treating these accounts as privileged, agencies can ensure that a simple forgotten password doesn’t delay communications, while also hardening these platforms against external attacks.
To properly secure and protect social media accounts, agencies must employ best practices for privileged account security, including:
- Ensure transparent access: Authorized users must be able to seamlessly authenticate to an account without knowing their passwords, making it difficult for hackers to discover and steal credentials. This kind of access would have given Hawaii's governor immediate access to his account to confirm that the missile alerts were false.
- Eliminate shared credentials: Storing passwords in a digital vault requires users to log in individually for access, eliminating the accountability challenges of shared credentials.
- Automate password changes: Rotating privileged credentials ensures attackers can’t use old passwords across systems. Automating password changes regularly also updates access privileges, reducing the chance of an outsider stealing and using a valid credential.
- Audit account activity: By creating a record of activity on social media accounts, all posts can be traced back directly to an individual authorized user, making it easy to identify rogue employees who may be posting damaging content.
The false alarms in Hawaii and Japan spotlight the significant amount of trust that the government, organizations and civilians put into social media as a credible and dependable medium for public communications. At the same time, they’re prime examples of what can go wrong when these trusted social sites aren’t managed properly.
The incident in Hawaii in particular should motivate agencies to take steps to guard against these same avoidable mistakes. Most importantly, it’s a call to action to proactively protect social media against threats both nefarious and accidental.
Shay Nahari is the head of red-team services at CyberArk.