With just weeks until the midterm elections, police in Massachusetts gathered last Thursday to practice responding to cyberattacks from an adversary bent on disrupting the democratic process.
The simulation, hosted at the Boston headquarters of network security company Cybereason, pitted a police team that included former Boston Police Commissioner Ed Davis against a red team portraying hackers looking to exacerbate political divisions. The tabletop drill was a strategic duel, with the red team trying to suppress the vote and the cops mobilizing resources in response.
The aim of the exercise was to show state and municipal authorities the type of coordinated and clever cyberattacks on critical infrastructure that are possible, according to Cybereason’s Ross Rustici, who helped devise the exercise.
Davis said that point hit home. “I think it was an eye-opening experience for everyone who was there,” he told CyberScoop, adding: “People left that exercise with the sober realization that this can happen to us.”
While the Department of Homeland Security in August hosted an election security exercise in which 44 states participated, the agency has said there are no more national level drills planned before the midterms. The onus is therefore on states, cities, and the private sector to do their own drilling.
The Cybereason exercise began with chaos: the red team ordered a distributed denial of service attack on a 911 call center (these were all theoretical decisions rather than actual network effects). Not long after that, the red team – comprised of Cybereason executives, graduate students from Boston College, and staff from the Boston mayor’s office – used the potent weapon of disinformation to force law enforcement to divert resources.
The attackers used a TV network to broadcast erroneous reports of a gas leak and explosions in one of the fictional city’s districts, mirroring the actual gas explosions that rocked three towns in Massachusetts the week before. (In another real-world parallel to that scenario, Russian government-linked hackers reportedly knocked a French TV network off-air in 2015.)
The blue team – which, according to Cybereason, included cops from Boston and Lowell, a representative of the state police, and a state cybersecurity official – responded to the broadcast by setting up a command post and evacuating people from the area. That gave the red team room to maneuver toward their goal of disrupting the vote.
Representing a fictional hacktivist group, the red team wanted to sow doubt in the minds of people already “predisposed to thinking there’s tampering in the election system,” Rustici said. “And a lot of what they did, I think, would have been ultimately successful, at least in the near term.”
However long the odds of such a scenario actually occurring may be, the act of mapping out and defending the infrastructure needed to hold an election makes a democracy more resilient to attack. As Rustici put it, “You’re never going to completely eradicate [the threat], but you can minimize it to the point of [an attack] not being successful.”
During the drill (in which staff from the Massachusetts governor’s office also participated), the police team stuck to their strengths by focusing on local security, leaving the national-level response to the incident to the FBI and DHS, according to Rustici. “They have individual response plans for a lot of the physical, tangible effects that were thrown at them,” he said. “But in totality, in the way in which they were thrown in such a layered manner, I think was overwhelming from a resource perspective.”
The exercise culminated in a move by the red team to disable traffic lights in portions of the fictional city, creating rush-hour gridlock as people would be trying to reach to the polls. That maneuver arguably won the game, and the lesson in potential disruption resonated with the cops.
“I think it’s a bit of a wake-up call to the people who work in this area all the time,” said Davis, who was Boston’s top cop during the 2013 Boston Marathon bombing. “The more we do this and the more we understand our vulnerability, the better off we are in responding to it.”