Simulation Shows Elections’ Soft Security Underbelly

A simulation took place today in Washington, D.C., that showed how a cyberattack could impact Election Day without ever targeting voting machines.

The simulation, which took place in a fictitious town named Adversia located in a swing state, resulted in a cancelled Election Day after 200 people were wounded and 32 were killed—an outcome that was deemed a “victory” for a Blue Team of defenders.

DevOps Connect:DevSecOps @ RSAC 2022

The Red Team of cyberattackers participating in the Operation Blackout Election Hacking Tabletop Simulation, which was Hosted by endpoint detection and response (EDR) tools provider Cybereason, lost because they were unable to influence the outcome of the election. Nevertheless, the Red Team was able to convince election officials to erase electronic votes, disrupt traffic on election day to the point that many voters would be dissuaded from voting and conduct a broad disinformation campaign.

The Red Team was deemed to have gone too far when it no longer appeared to be concerned about whether its actions were discovered. The team then hacked an autonomous city bus that plowed into people standing in lines to vote. Only then were officials aware a coordinated attack was underway and canceled the election.

The Red Team was led by Cybereason CTO Yonatan Striem-Amit, while the Blue Team was led by Danielle Wood, senior director of advisory services for Cybereason. Members of both teams were from the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Secret Service and the Arlington, Virginia, Police Department. A White Team, led by Cybereason CSO Sam Curry, judged the effectiveness of each team’s moves.

The point of the exercise was to show how an election theoretically could be influenced by cyberattacks that did not specifically target electronic voting machines. Instead, the Red Team made use of Stingray cellular surveillance devices to employ voice emulation software, which they used to send verbal orders to election officials that mimicked their boss’s voice. They then ordered the election officials to unplug voting machines that didn’t generate paper records.

The Red Team also hacked into traffic signals to snarl traffic to prevent or dissuade people from voting and launched a distributed denial-of-service (DDoS) attack to cripple communications.

The Blue Team was able to respond to each threat, but not before some level of damage had been inflicted. Curry said the Red Team might have won had it not gone “over the top” by physically attacking voters with autonomous vehicles, resulting in a more coordinated response from the agencies the Blue Team represented.

Curry said it is not likely any government agency would declare victory over any attack that resulted in the loss of life. However, the Red Team didn’t prevail in the simulation because the election was not thrown in the direction of the candidate the team favored. However, the identities of the Red Team members were discovered and several were arrested as they tried to flee the country. If this were real life, that might offer some solace to loved ones of the victims of what turned into a terrorist attack, but because of the simulation’s result, it’s also probable that come next election day many voters will choose to vote by mail.

Michael Vizard

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 436 posts and counting.See all posts by mike-vizard