As social media accounts become part of the critical infrastructure that governs our day-to-day lives, there is a strong case that their use for official purposes be regulated by legislation.
Social media has become an important conduit for official and emergency government communications with the public. With such communications having the power to critically affect national security, social networks have become a hacker’s paradise and need to be taken more seriously.
US President Donald Trump’s official Twitter account is one example of how social media is now a popular channel for engaging with the public in realtime. At the more extreme end of the scale, recent events in Hawaii and Japan saw false missile alerts sent due to human error, causing populations to spiral into turmoil. These incidents highlight how social media accounts are becoming part of the critical infrastructure that governs our day-to-day lives.
It’s clear that communications, or mis-communications, of this kind have the potential to wreak havoc. But the question is: should the use of these social media accounts — like Twitter, Facebook, YouTube, LinkedIn and more — for official and emergency purposes, be regulated by legislation?“Until these platforms are officially treated as critical infrastructure, we should consider applying the same cybersecurity practices followed by the energy, water, gas and ports industries.”
In Australia, telecommunications carriers are subject to the Telecommunications Sector Security Reforms (TSSR), while other critical infrastructure falls under the recently introduced Security of Critical Infrastructure Act (2018). This act is primarily focused on major infrastructure assets like power and water, that supply essential services to more than 100,000 people.
In both the TSSR and the act, scope is given for the relevant minister to direct a provider or intermediary “to do, or not do, a specified thing that is reasonably necessary to protect networks and facilities from national security risks.”
Under the Security of Critical Infrastructure Act, the relevant minister can also nominate additional industry centres for inclusion, provided the minister is satisfied there is a risk that the assets or services could have a prejudicial effect on national security.
Top of the priority list currently are airports and data centres. It’s possible the minister will declare social media communications as subject to the act, but, at this stage, it’s unlikely.
Top-grade cybersecurity practices essential
So, what should governments be doing when it comes to securing social media accounts used for timely or sensitive communications? Until these platforms are officially treated as critical infrastructure, we should consider applying the same cybersecurity practices followed by the energy, water, gas and ports industries.
Government personnel operating social media for official or emergency purposes should undertake a review of how their accounts are managed. Hardening communication platforms should include stepping up password management practices. This will help eliminate the chance of delays to the delivery of critical information or the exploitation of accounts for nefarious purposes, such as issuing false or misleading information.“To strengthen these platforms against both external and internal attacks by unauthorised personnel, government departments should treat their social media accounts as privileged.”
Hackers know the value and vulnerability of social media today, and are already hijacking official accounts. In 2017, a rogue Twitter employee shut down Donald Trump’s Twitter account for 11 minutes in an act of protest.
Disgruntled employees aren’t the only risk – hackers could use any one of several social engineering techniques, such as phishing, to gain access to passwords for social media. If they did so, they’d be able to issue false statements on a public social media account, potentially causing fear and panic.
Government personnel within specific departments or offices commonly share access to social media accounts. This means that potentially dozens of people throughout an agency have access, admin or editing rights on these platforms. Not least, passwords for these accounts are usually shared between team members, rarely changed, and often re-used across a number of accounts.
Any account with a shared or re-used password can be an easy target for a hacker or corrupt insider. There is also rarely a record of which team member published each post — increasing the possibility of a false alert being deliberate and untraceable.
Just two minutes after the missile alert was issued on Twitter in Hawaii, the governor was told it was a false alarm. While other government officials rushed to assure the public there was nothing to worry about, the governor did not tweet for more than 17 minutes. The cause of his silence? He forgot his username and password.
To strengthen these platforms against both external and internal attacks by unauthorised personnel, government departments should treat their social media accounts as privileged. That way, simple acts of forgetting, sharing or re-using passwords won’t cause delays, such as what happened in Hawaii.
Privileged account security tips
As best practice to properly secure and protect social media accounts, government departments should employ privileged account security, including:
- Arrange transparent access: To make it harder for hackers to find and exploit credentials, authorised users must be able to seamlessly authenticate access to an account without having to remember passwords. This allows for immediate access in emergency situations, such as the incident in Hawaii.
- Remove shared credentials: Use a digital vault to store passwords and remove the accountability challenges of shared logins. Users will then need to login individually for access to shared social media platforms.
- Automate password rotations: Continuously changing privileged credentials safeguards against attackers using retired passwords. Regularly automating password changes can also update access privileges, reducing the possibility of an outsider getting their hands on valid credentials.
- Review account activity: For visibility of individual users’ activity across social media accounts, a record of events can be created. This way, posts can be linked to authorised users, and rogue employees can be more easily identified.
Governments the world over are reviewing their critical infrastructure safeguards and national security precautions. As we continue to see in situations such as those in the US, Hawaii, and Japan, the public has developed a huge level of trust in communications distributed by government organisations.
Social media has become a credible and dependable medium for official communications, and it’s clear these platforms are neither inherently secure nor infallible. It’s critical to re-think how any medium used for official and emergency communications is treated and secured.
Shay Nahari is Head of Red-Team Services at CyberArk.