In a RSA 2020 simulation, the Red Team compromised email accounts, created deepfake videos and spread disinformation on Election Day in Adversaria.
Bad actors who want to muck up an election can do plenty of harm without tampering with voter rolls or voting machines. Business email compromise, social media hijacking, and even access to city cameras and traffic signals can cause enough trouble to influence voters and election results.
At RSA 2020, Cybereason assembled a group of journalists and other conference attendees to be the Red Team, in charge of creating just enough chaos to cause residents of the fictional city Adversaria to doubt the results of the election.
SEE: Iowa caucus app fiasco: How it happened and lessons learned (free PDF) (TechRepublic)
Deepfake videos and social media takeovers
Police officers and city officials led the Blue Team, defended the election, and responded to deepfake videos and social media takeovers.
The 90-minute session represented Election Day, with each round covering a three-hour segment of the day. The Red Team got a list of capabilities at the start of the game which included access to:
Traffic control systems
Local news broadcast
Emergency warning systems
In each five-minute round, the Red Team could take two actions and set another task in motion that could develop into a new attack vector.
The Red Team called in a bomb threat to a busy convention center, created deepfake videos of election workers throwing out ballots, turned off the traffic control system in certain districts, and sent false news reports to the TV station about polling places closing down.
SEE: Quick glossary: Cybersecurity countermeasures (TechRepublic Premium)
Measuring the impact of election tampering
During the simulation, the White Team reviewed actions from each side and decided how these moves influenced the situation. At the end of each round, the White Team told both sides how effective their actions were and described any new conditions in the scenario.
In the end, the Red Team did create some chaos but it did not result in lasting damage. The White Team describe the ultimate outcome of actions taken by the attackers and the defenders:
A local news channel was compromised at the beginning of the game, reporting falsely that the government was trying to influence the election results.
The Red Team lost control of the city's Twitter account when the city took back control of all its social media accounts.
There was an announcement of investigation into election tampering and fake videos.
Buses were set up between polling stations to address worries about polling places.
A press release came out from the mayor, police chief, and board of elections dispelling misinformation spread by the Red Team.
Overall, the Blue Team successfully defended the elections and minimized chaos.
SEE: Employee political activity policy (TechRepublic Premium)
How to strengthen emergency response plans
Cybereason offered this advice to governments preparing for 2020 elections:
Collaborate with other government agencies: Establish relationships with cyber centers and other levels of government. Make sure that the police department has a means to communicate with the rest of the government and has existing relationships with the city communications office. The police department and the city press officers should coordinate in the event of an incident.
Coordinate with the private sector: Coordinate with major providers of infrastructure and transportation ahead of time, including private companies that provide the technical aspects of that infrastructure. Understanding where components like the power grid are vulnerable can help prevent attacks on utilities.
Develop playbooks: Run specific-to-your city tabletop exercises that account for conditions unique to your community. Thinking about these concerns ahead of time will prevent having to do this during a crisis.
Use multiple media channels: Have several alternate means of communication. Assume that cellphones can be compromised, social media is unreliable, and that radios have weaknesses like jamming. Make sure to practice out-of-band communications, and have a default contingency to establish central communications and coordination.
Take region into account: Understand local nuances and concerns in the community to prepare for when they may be manipulated or put at odds.
Deploy early: Have a police presence in place before the event because this will lessen the psychological impact on civilians if more officers must be deployed, especially in areas where law enforcement is viewed with distrust.
Cybereason has conducted several tabletop simulations over the last several months in Boston, New Hampshire, and London. The next event is in Paris.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)