Simulation Shows Elections’ Soft Security Underbelly
A simulation took place today in Washington, D.C., that showed how a cyberattack could impact Election Day without ever targeting voting machines.
The simulation, which took place in a fictitious town named Adversia located in a swing state, resulted in a cancelled Election Day after 200 people were wounded and 32 were killed—an outcome that was deemed a “victory” for a Blue Team of defenders.
The Red Team of cyberattackers participating in the Operation Blackout Election Hacking Tabletop Simulation, which was Hosted by endpoint detection and response (EDR) tools provider Cybereason, lost because they were unable to influence the outcome of the election. Nevertheless, the Red Team was able to convince election officials to erase electronic votes, disrupt traffic on election day to the point that many voters would be dissuaded from voting and conduct a broad disinformation campaign.
The Red Team was deemed to have gone too far when it no longer appeared to be concerned about whether its actions were discovered. The team then hacked an autonomous city bus that plowed into people standing in lines to vote. Only then were officials aware a coordinated attack was underway and canceled the election.
The Red Team was led by Cybereason CTO Yonatan Striem-Amit, while the Blue Team was led by Danielle Wood, senior director of advisory services for Cybereason. Members of both teams were from the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Secret Service and the Arlington, Virginia, Police Department. A White Team, led by Cybereason CSO Sam Curry, judged the effectiveness of each team’s moves.
The point of the exercise was to show how an election theoretically could be influenced by cyberattacks that did not specifically target electronic voting machines. Instead, the Red Team made use of Stingray cellular surveillance devices to employ voice emulation software, which they used to send verbal orders to election officials that mimicked their boss’s voice. They then ordered the election officials to unplug voting machines that didn’t generate paper records.
The Red Team also hacked into traffic signals to snarl traffic to prevent or dissuade people from voting and launched a distributed denial-of-service (DDoS) attack to cripple communications.
The Blue Team was able to respond to each threat, but not before some level of damage had been inflicted. Curry said the Red Team might have won had it not gone “over the top” by physically attacking voters with autonomous vehicles, resulting in a more coordinated response from the agencies the Blue Team represented.
Curry said it is not likely any government agency would declare victory over any attack that resulted in the loss of life. However, the Red Team didn’t prevail in the simulation because the election was not thrown in the direction of the candidate the team favored. However, the identities of the Red Team members were discovered and several were arrested as they tried to flee the country. If this were real life, that might offer some solace to loved ones of the victims of what turned into a terrorist attack, but because of the simulation’s result, it’s also probable that come next election day many voters will choose to vote by mail.
