Election Security's Sticky Problem: Attackers Who Don't Attack Votes

If election defenders are protecting votes, and adversaries are attacking something else entirely, both sides might claim success, "Operation BlackOut" simulation shows.

Let's say it's four weeks until Election Day 2020 and threat actors are busy at work planning to disrupt the election. Election officials are working to thwart their nefarious plans: Who will come out on top? That's the biggest question Operation BlackOut sought to answer in a simulated election event held on Aug. 19.

More than 40 cybersecurity professionals gathered virtually in the event organized and managed by Cybereason to see whether the essential mechanisms of an election were subject to successful attack and whether they could, to any significant extent, be defended. The participants came from law enforcement, government, security consulting, and academic organizations, divided into red and blue teams contending over a successful election in the mythical city of Adversaria.

One of the rules of the simulation was that voting machines were off-limits: The red team couldn't assume that the equipment for actual voting was vulnerable.

And that led to an interesting situation and philosophical question: If what the adversary was attacking and what the defenders were protecting were two different things, could both sides claim success?

Four Weeks to Election

Each team submitted one development (a capability being developed) and two actions in each of four turns: Each turn represented one week of time. From the beginning, it was obvious that the two teams had different priorities.

The blue team focused on providing a safe voting environment that was available to as many voters as possible. The red team sought to disrupt voting and reduce confidence in the election's results.

Both teams shared an early realization: communication was the primary battleground. The blue team sought to get in front of misinformation with clear instructions from authoritative sources such as the mayor and supervisor of elections, while the red team turned to hacking social media influencer accounts, official municipal accounts, and disinformation robocalls to sow confusion.

One of the lessons drawn by both sides was how inexpensive it was for the red team to have an impact on the election process. There was no need to "spend" a zero-day or invest in novel exploits. Manipulating social media is a known tactic today, while robocalls are cheap-to-free.

Countering the red team's tactics relied on coordination between the various government authorities and ensuring communication redundancy between agencies. Anticipating disinformation plans that might lead to unrest also worked well for the blue team, as red team efforts to bring violence to polling places were put down before they bore fruit.

The red team also tried to interfere with voting by mail; they hacked a major online retailer to send more packages through the USPS than normal, and used label printers to put bar codes with instructions for resetting sorting machines on a small percentage of those packages. While there was some slowdown, there was no significant disruption of the mail around the election.

Lessons Learned

The blue team was successful in providing safe voting for the election and in making sure that ballots cast, either in person or by mail, were counted. The red team was successful in raising doubts about the election's validity, especially among voters from one party. Those doubts in 30% of the voters persisted for at least a year after the election.

So what lessons did participants take away from the exercise?

One lesson is that the low cost of sowing confusion means that it doesn't take a nation-state: Any group with an interest in disrupting an election or the faith in its results has a shot at doing so. That possibility forms part of the next lesson.

No one can account for every possibility; the attacker still has an advantage. To even the odds a bit, defenders must consider as many possibilities as they can and make sure that lines of communication and responsibility are clear. Tabletop exercises (like this one) can be crucial in broadening defenders' thinking about just what is possible.

Those lines of communication need to run between governmental agencies and between government and private sector organizations so that the possibilities for learning and communicating as much as possible are realized. Defenders should also develop playbooks for many scenarios and distribute those playbooks to the organizations and individuals responsible for enacting the defense tactics they contain.

A final lesson was the extent to which "winning" is a game of perception: The public perception must be that the election is safe, accurate, and reliable. In this case, the blue team had police officers deployed to polling places to visibly reassure voters that voting is safe. Other locations and environments might require other actions to produce the same results. Defenders who know the population they're defending can put that knowledge to use for the best results in a critical activity.


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, and Dark Reading, on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
