[Image via youtube]

It was Election Day 2019 yesterday in many communities across America, but in a conference room near DC it was already Election Day 2020 as election officials and law enforcement conducted “war games” to prepare for the very worst scenarios that could play out as Americans head to the polls next year. The Washington Post’s “Cybersecurity 202” newsletter has more:

As voters head to the polls today in Virginia’s odd-year contest, federal officials and local police are war-gaming how adversaries could disrupt next year’s contest without hacking any election systems at all.   

Officials from the FBI, Department of Homeland Security and U.S. Secret Service are working with cops in Arlington to game out how to respond if hackers from Russia or elsewhere in 2020 disrupt electricity at polling places, shut down streetlights, or hijack radio and TV stations to suppress voter turnout and raise doubts about election results.

They’ll also test how to respond if adversaries launch social media campaigns to incite fights at polling places — or to spread rumors about riots or violence that deter people from going out to vote. Cybersecurity experts and academics will play the mock hackers, lobbing new challenges at officials throughout the day. 

This exercise focused not on the voting process itself but rather public perception of the process:

The exercise underscores how hackers could destroy public faith in an election’s outcome without changing any votes. And that’s particularly concerning because many of these potential targets are far more vulnerable than voting machines.

“If you can prevent people from getting to the polls … if you can effectively disenfranchise certain segments of the population, that’s far more disruptive to the republic than taking out a few voting machines,” Sam Curry, chief security officer at Cybereason, the company organizing the war game, told me. 

These sorts of role playing games have become a common method for federal, state and local officials to hone their election defense but the scope is rarely so broad. The event is a prime example of how officials are trying to get ahead of adversaries on election disruption rather than just defend against the sort of election systems probing and social media misinformation the Kremlin launched in 2016. 

And participants are keenly aware they only have a year left to plan. “We actually chose this day because in a year we’ll be going to the polls for a massive election and one that is pregnant with opportunity for people to disrupt, run misinformation and disinformation campaigns and for people take advantage of,” Curry said.  “It’s our sincere hope that law enforcement will use the year between now and then to get ready and to make sure that things do go off well.”

Curry’s direction to the people playing adversary hackers is to try to raise as many doubts about the legitimacy of the election as possible without prompting officials to invalidate the results and start over. “If [an election] is messy and you think that the system has been broken and your franchise has been lost, then that becomes a reality whether or not voter rolls are hacked,” he told me.

Yesterday’s session was just the latest, with some evidence that defense in these situations is improving:

Cybereason ran two similar war games during the past year in Boston with federal officials, Boston police and Massachusetts State Police. Both times, a neutral team of cybersecurity experts and former government officials rated the hacker and defender teams and declared a winner at the end.

In the first event, the hackers clearly came out ahead, “creating a lot of havoc and panic,” Curry told me. By the second one, however, the defenders had sharpened their responses and were able to blunt some of the most damaging attacks.

As one big example, they were able to push back on misinformation by maintaining a constant presence on local TV stations, he said. The local police also got a lot savvier about who they could contact for help in the state and federal government, he said.

And those improvements are important because local police, who aren’t always attuned to cybersecurity threats, will often be the first responders to an Election Day hack that hits outside polling places.

“The hope is that folks realize that there’s a cyber dimension to everything,” Curry told me. “What I want is for them to go home and say, let’s start doing the prep work in peacetime. Let’s make sure we’re ready when the crisis comes and we know exactly who to call.”

This last point is really the most important; the goal of these exercises is not so much to practice what exactly to do in a crisis as it is help the election community and law enforcement be more aware of what resources (including one another) the have when the worst occurs. Kudos to all involved for their participation – here’s hoping that preparation isn’t put to the test! Stay alert – and stay tuned …