
Recent times have seen election tampering by special interest groups and foreign powers in the United States, Europe and Asia. With looming, late 2020 elections across the world and a global pandemic underway, Cybereason has been hosting election security tabletop exercises in partnership with both public and private sector professionals to test our resilience to possible disruptions.

Operation Blackout Summary of Events

Virtual Edition - August 19, 2020

This was a simulation with professionals playing the role of hackers and actual law enforcement officials drawing off their experience to respond to disruptions. No actual hacking was conducted during the exercise. 

The goal of the tabletop exercise is to examine and advance the organizational responsiveness of government entities to an anarchic group’s attempts to undermine democratic institutions and systems of governance in the republic. 

Most election security discussions and exercises focus on the mechanics and minutiae of hacking election equipment or contaminating and violating the integrity of voter rolls. This exercise explicitly excluded targeting election equipment from consideration to focus instead on everything else in the electoral system.

The Teams

The scenario pitted a team of veteran law enforcement officers and government officials against a group of ethical hackers, academics and security professionals from the private sector. The law enforcement team was the Blue Team: Adversaria Task Force, and the ethical hackers were known as the Red Team: Kill Organized Systems (K-OS) hacktivist group. 

Game administration and control, as well as ad hoc role needs in the game sequence, were handled by a Control Team run by Cybereason. This Cybereason-staffed team both adjudicated the event and provided government support options as appropriate.

The Setup

The event took place in the fictional city of Adversaria in the weeks leading up to a typical election day. Turns in the simulation lasted 15 minutes of real time, modeling 3 weeks from the election, 2 weeks from the election, 1 week from the election, and the day of the election. The event started with a short strategy turn and was followed by three additional turns. 

Once both teams had submitted their turn moves, the Control Team decided how these moves impacted the simulation. They then informed the teams of any changes to the environment, and teams pursued the next round of moves. Each team is allowed a set of two actions and one development per turn, known as their turn moves. 

Red Team Moves:

  • Development: A development is a capability the team wishes to develop so they may use it on subsequent turns. For example, the Red Team may wish to develop the capability to use deep fake technology. They would need to expend a development turn to develop the capability, then they may use the capability on the next turn in the game. 
  • Action: An action is a capability the team wishes to expend during a turn. For example, the Red Team may wish to gain access to the social media accounts of the local government. They would need to expend an action turn to use this action. 

Blue Team Moves:

  • Development: A development is a capability the team wishes to develop, typically by asking for assistance by calling up reserves, calling on other agencies, or by getting assistance in other ways. For example, Blue Team may wish to call the federal government (the Control Team) for additional support if they need more boots on the ground. They would need to expend a development turn to develop the capability, then they may use the capability on the next turn in the game. 
  • Action: An action is an assignment of a group of officers to a task. For example, the Blue Team may wish to deploy 100 police officers to polling stations at zones 3, 4, and 7. They would need to use an action to deploy the officers during a turn.

There is a lot of leeway for what makes up an action or development. In a single action, one may accomplish several goals. For example, the Blue Team may expend one action to deploy 100 police officers to polling stations at zones 3, 4, and 7, while also using the same action to send harbor patrol to watch bridges. For both teams, action turns can be turned into development turns if so desired, but the reverse is not allowed.

The Control Team determines what moves are too far out of scope for the turn.

TURNS

An outline of the schedule for the exercise.

Introduction for All Participants by Control Team

Turn 1: Strategy

  • Red Team Submits: 1 Development and 2 Actions
  • Blue Team Submits: 1 Development and 2 Actions
  • Control Team Updates the Environment to Reflect Red and Blue Team Actions

Turn 2

  • Red Team Submits: 1 Development and 2 Actions
  • Blue Team Submits: 1 Development and 2 Actions
  • Control Team Updates the Environment to Reflect Red and Blue Team Actions

Turn 3

  • Red Team Submits: 1 Development and 2 Actions
  • Blue Team Submits: 1 Development and 2 Actions
  • Control Team Updates the Environment to Reflect Red and Blue Team Actions

Turn 4

  • Red Team Submits: 2 Actions
  • Blue Team Submits: 2 Actions
  • Control Team Updates the Environment to Reflect Red and Blue Team Actions

Hot Wash and Distribution of Final Results

Expectations

Cybereason conducted several similar exercises, including two preceding the U.S. midterm elections: one in September 2018 and one earlier in the year, both in Boston. Several additional tabletop exercises took place in 2019 and early 2020 in Washington DC, San Francisco, Manchester, New Hampshire, Paris and London. The results of those simulations were expected to be reflected at least partially in this exercise, despite this exercise taking a different, virtual format.

Results

  • Election results showed a marginal Democratic victory determined by a coin toss.
  • Robocalls went out saying votes had been counted, which encouraged mail-in voters to stay home, but this was generally discounted by non-mail-in voters.
  • Some citizens from several districts were re-routed to vote in District 1; however, the majority voted from home. Violence at the polls was easily handled by a strong police presence in all districts, and in District 1 in particular, where the Red Team tried to create a conflict.
  • The mayor, governor and police chief were all seen at the polls.
  • City Hall delivered a strong message.
  • The Republican party filed a class-action lawsuit the day after the election.
  • The validity of the election was questioned for a year by 30 percent of right-wing voters, with a large “Not My President” and #AmericaStrong movement trending and eclipsing #AdversariaStrong.

Lessons Learned

Communications are the New Battleground

  • Clear channels of information, or disinformation, were very important for affecting public sentiment for both sides.
  • Control of social media networks for municipalities allowed the Red Team to easily spread misinformation through supposedly “legitimate” channels.
  • Lesson Learned: Law enforcement must create open lines of communication between government departments and also with media sources and social media companies. The government can only extend its capabilities so far without the support of the platforms upon which misinformation is spread. This becomes even more critical as we try to compensate for an election heavily skewed towards mail-in ballots.

It Doesn’t Cost Much to Cause Confusion

  • Many of the activities performed by the Red Team were simple, cheap, and commoditized. These activities do not necessarily require a nation state attacker to carry out; just someone motivated and with a little knowledge. 
  • Lesson Learned: Elections can be targeted by anyone looking to cause chaos, not just by nation state threat actors. It’s critical to understand that it doesn’t take very much time, money, or effort to cause some level of confusion. 

You Can’t Prepare for Every Scenario

  • To this day, the adversary still has the advantage over the defender. They are able to take actions across a huge spectrum of possibilities, whereas law enforcement must work within the bounds of the law. It is impossible for law enforcement to prepare for every scenario an attacker might implement.
  • Lesson Learned: It’s critical for law enforcement to proactively prepare and be aware of the potential actions an attacker may take. These tabletop exercises give law enforcement a deeper understanding of what can go wrong and how, so they may use that information to develop processes that prepare them for the worst outcomes.

Actionable Insights for Law Enforcement and Government

Communication is Key

  • Use Media Effectively: Broadcast media is the bully pulpit. Make sure it's used effectively to help counteract the effects of misinformation through other channels.
  • Use Multiple Channels: Have several alternate means of communication. Assume that cell phones can be compromised, social media is unreliable, and that radios have weaknesses like jamming. Make sure to practice out-of-band communications, and have a default contingency to establish central communications and coordination.
  • Don’t Forget Radio: The amateur radio service can provide alternate means of communications in the event of an issue with the main communication channels. Having a local amateur operator who is part of the ARRL at precincts or dispatch can help tremendously in the event main communication channels fail.

Developing Technology Poses Unknown Threats 

  • Coordinate with the Private Sector: Coordinate with major providers of infrastructure and transportation ahead of time, including private companies that provide the technical aspects of that infrastructure. Understanding where things like the power grid are vulnerable can help prevent potential attacks on key utilities.

You Can’t Prepare for Every Scenario

  • Collaborate with Other Government Agencies: Take advantage of government resources to augment existing law enforcement and provide additional intelligence. Use peacetime to establish relationships with cyber centers and other levels of government. Make sure that the police department has a means to communicate with the rest of the government and has existing relationships with the city communications office. The police department and the city press officers should be coordinated in the event of an incident and should convene in the event of a crisis.
  • Develop Playbooks: Run city-specific tabletop exercises that account for existing idiosyncrasies in your community, city, and other relationships. In a crisis, you don’t want to be thinking about “how” to do things or what your options are, but should be running playbooks like a well-oiled machine. If professional sports teams work this way on the field, local government and law enforcement should be just as prepared around elections.
  • Take Region Into Account: As with any good police work, understand the regional nuances and sensitivities in the community to adequately prepare for when they will be manipulated or put at odds.
  • Consider Non-conventional Scenarios: Law enforcement and government should always try to think outside the box. Even though their role is limited to public safety and crime prevention, recognizing that infrastructure can create physical safety issues is key.
  • Deploy Early: Ensure good resource deployment prior to the elections by having a police presence in place before the event. This will lead to less of a psychological impact on civilians if more officers must be deployed, especially in areas where law enforcement is viewed with distrust.

Feedback and Next Steps

While each subsequent election security simulation improves on the one before, the consensus was that this was a solid immersive experience for practicing cyber incident readiness, much as war games prepare the military in times of peace. These exercises will continue to be critical as we get closer to the November 3rd election and beyond in order to consider every possible avenue of attack and prepare a strong defense.

Final Comment 

Cybereason would like to thank all participants for their willingness to dedicate valuable time and energy to this event, and for their faith in suspending disbelief to engage in an immersive tabletop experience. 

Finally, no actual hacking was performed and no innocent bystanders, hackers, networks, systems, police officers, students, social networks, or republics were harmed in the course of this simulation or its aftermath.

Appendix: Event Record

TURNS

Introduction for All Participants by Control Team

Turn 1: Strategy

Red Team Move

  • Sending to Districts 3, 4, 8, 10 fake ballots so they vote with our invalid letters, where the letters state that, "sending this more than once is a federal felony with more than five years in prison" on them.
  • Absentee voter registration process - submit for an absentee ballot on behalf of voters in Districts 3, 4, 8, 10 with incorrect addresses - those absentee ballots should instead be sent to citizens in Districts 1, 2, 6.
  • Hack into Amazon and eBay in order to control their shipping process.

Blue Team Move

  • Work with the U.S. Post Office to specifically deploy secure drop boxes for mail-in ballots.
  • Have the city PR unit reach out via local news daily, make sure to include reinforcement of pandemic guidance.
  • Also, recommend avoiding unofficial outlets for news regarding the election.
  • Also, encourage people to deposit their mail-in ballot in a secure drop box, take it to the post office or local election clerk. The Blue Team reinforced that no one will come to take your ballot personally. Call the police if anyone does come collect a ballot.

 

Control Team Updates the Environment to Reflect Red and Blue Team Actions

UPDATE TO ALL:

Secretary of State and governor working with the post office to begin a deployment program for Ballot Drop boxes - also encouraging people to deposit ballots in secured drop boxes, take it to the post office or local election clerk

Reminder sent to call police if anyone asks for your ballot

Governor warns against unofficial outlets for news on and nearing election

City Health Department making PSAs on pandemic guidance for Election Day

UPDATE TO RED:

Hack in progress for Amazon/eBay. Expected access mid turn 3

Fake ballots being mailed, expected to arrive at next break mid turn 2

Submission for absentee ballots in progress, expected development mid turn 2

 

Turn 2

Red Team Move

  • Attack against test results reporting -> reporting on positive results.
  • Report dramatic increase in positive results
  • Add reminders about physical contact with surfaces and objects being more contagious.
  • Fill envelopes with epoxy glue and send to mass mail sorting facilities to cause physical damage to mass sorting machines.
  • Prepare more social media assets - accounts from activists, news, etc.

Blue Team Move

  • Public Statement
  • No indications of any issues with vote counting or vote delivery.
  • Give updates daily on the number of ballots received and processed and try to give maximum transparency.  Re-iterate only
  • Reiterate to voters to only listen to official news about the election. If you receive an absentee ballot you did not request please throw it away. Show what an official ballot looks like on TV.
  • Confirm California story directly.
  • Reach out to FBI/DHS/State Police resources for any intel on plans to disrupt the election and any ‘fake news’ on social media.
  • Develop River/Harbor Patrol Oversight of the Bridge Connections N/S.
  • Develop extra resource officers on-duty to handle unrest or any other issues such as traffic on Election Day.

  • Reach out to social media looking for potential issues.
  • Intensive cybersecurity scrub of traffic control systems ahead of any election day events.

Control Team Updates the Environment to Reflect Red and Blue Team Actions

UPDATE TO ALL:

International medical community findings that pandemic is on the upswing dramatically because disease is more contagious than expected - huge media attention and fear in social media

Exposé by the WSJ that post offices are not only delinquent in infrastructure maintenance but throwing out sorting systems from post offices. Post office claims mail sabotage. WSJ shows evidence of glue residue causing extensive damage to a system, but political influence suspected by the President over Postmaster General from liberal media.

Public statement from the state government with emphasis on transparency: Give updates daily on the number of ballots received and processed. Emphasis to only monitor official news channels: local TV news. If you received an absentee ballot that you did not request, please throw it away: demonstration of what ballots really look like.

Increased patrol presence by river/harbor oversight on bridges in Adversaria.

UPDATE TO BLUE:

FBI reports fake news quiet. Darkweb showing interest in private sector delivery services.

Reserves called up

No word from Twitter, Facebook, Instagram or any other social media. Please be specific if you want a mid-turn update

UPDATE TO RED:

You now have access to Amazon routing system

You now have access to three political news activists' social media. Please update us on the leaning of these activists ASAP

Turn 3

Red Team Move

  • Amplify existing reports on fake mail-in ballots by reporting real ballots in Districts 1, 2, 6 were submitted by illegal immigrants using names of registered voters; use 2 of the social media acts to spread this info.
  • Redirect 5 percent of all small Amazon packages to the ballots, especially those with powders of any sorts to the voting areas/ballot counting, and another one percent of packages get barcodes added that reset mail sorting machines to USPS, FedEx, UPS.
  • Hack into as many local and national news outlets as possible with any leaning whatsoever, official website for the city governor etc.

Blue Team Move

  • Communicate that the bomb threat was a hoax designed to sow doubt in the election, but there was no evidence of any explosive activity.
  • We have been monitoring the election boxes heavily.
  • Statement from the city officials that the pandemic is not more contagious than originally thought; the story was “fake news” designed to suppress voter turnout on election day.
  • Full press conference with entire city council and major civil servants
  • (Total love fest to inspire the citizens. Adversaria Strong. Local faith leaders and community leaders up front showing support)
  • Have the Mayor make a statement that voter turnout will NOT be suppressed in our city and that the fake news efforts to suppress turnout will not work.
  • And encourage all citizens to vote either by mail or in person in this election. This isn't just a right, it’s a responsibility.

  • Suspend all mass transit fares on voting day.
  • Make sure all police and fire resources are on standby for election day including bomb squad and tactical teams as well as anti-riot teams.
  • Call in all city social service staff for de-escalation needs.
  • Ensure that the National Guard is available if needed for election day.
  • Freeze all city websites after updates for election day by hash. Alert on any changes.

Control Team Updates the Environment to Reflect Red and Blue Team Actions

UPDATE TO ALL:

News stories in conservative media of illegals trying to influence the election by using fake ballots - cries of election fraud from the right

Governor's update in full press conference: (1) Communicate that the Bomb Threat was a hoax designed to sow doubt in the election, but there was no evidence. (2) Monitoring the election boxes heavily. (3) Statement from city officials that the pandemic is not more contagious than originally thought and was "fake news" designed to suppress voter turnout on election day. (4) AdversariaStrong started around notion of no voting fear or suppression

#AdversariaStrong trending

Mass Transit suspension announced on voting day

Voting counting centers evacuated due to Anthrax fears when powder residue was found in multiple ballot counting areas. DHS and FBI respond and announce hoaxes. Amazon distribution centers out of action, and strikes at major offices.

USPS and UPS both experience long mail lags.

FedEx identifies external hacking and prevents distribution. The CEO of FedEx offers to fill the gap in this time of need by providing free ballot collection and distribution in a press conference.

UPDATE TO BLUE

Police, fire, bomb squad and tac all available. Social services called in. National guard on standby. IT sites frozen

UPDATE TO RED:

Access to 3 largest local news networks in Adversaria is now available

Turn 4

Red Team Move

  • Morning of - Robocalls + SMS telling people their vote has been received and discouraging them from voting; attempting to vote now is a federal felony with five years in prison.
  • Misinformation campaign that reports that due to the covid outbreak in the southern areas of the city, polls in Districts 4,6,7,8,10 are closed and redirected to District 1 to vote there. Because these regions are closed, the mass transit fare is now free. This is because there is a massive outbreak in those areas. Reminder, there is a protest in these areas. News of massive rerouting is causing a lot of ICE activity in the streets.

Blue Team Move

  • Execute Robo-Calls encouraging all citizens to vote in person if they have not already mailed in a ballot. Or to ensure their vote is counted, drop off their mail-in ballot at their local clerk’s office. 
  • Vote only once.
  • Dispatch crowd control to Districts 1, 2, 6 to ensure demonstrations stay peaceful.
  • Have Police Chief, Mayor, and City Council members out and about encouraging people to vote. 
  • Accept any ballots postmarked by election date.
  • City officials need to communicate on official channels that at this time there is no evidence of election fraud. 
  • Tell citizens to expect that we will not be able to finalize election results for several days regardless of what any particular candidate says.

Final Control Team Updates the Environment to Reflect Red and Blue Team Actions

Election Results: Marginal Democratic Victory (not enough influence, so coin toss determined)

Robocalls go out saying vote counted, no need to vote encourages mail-in voters to stay home but generally discounted by non mail-in voters.

Some citizens from Districts 4, 6, 7, 8, 10 vote in District 1; most from those Districts vote at home. Violence at the polls handled easily by strong police presence in all districts and surprisingly in District 1, the most affluent area of the city

Public figures seen at the polls: Mayor, Governor, Police Chief

Strong message from City Hall 

Republican Party files class action lawsuit day after the election

Validity of election questioned for 1 year by 30% of right wing with a large “Not My President” social movement and #AmericaStrong trending and eclipsing “AdversariaStrong”

Hot Wash and Distribution of Final Results: Blue Team Wins