Election officials from New Jersey’s 21 counties huddled at tables in a hotel ballroom here, hashing out how they’d respond to Election Day cyberattacks. In some attack scenarios, hackers shut down voter registration databases, loaded voter files with phony information, or compromised county social media accounts so they start spreading false information about polling locations. They also prepared for what happens if attackers locked up election office computers with ransomware or shut down cellphone towers across multiple states.
How the U.S. fares during an Election Day hack is likely to rest on the response of local election administrators in the first few hours, state and federal officials told me.
“The county level is where all the risk is,” a Homeland Security Department cybersecurity official who was helping one county with its response-planning told me. “They own it in a way no state official does and certainly no federal official could. It’s always live or die at the county level.”
The war-games are a sign of how drastically local politics has changed in this new era of cyberwar -- preparing responses to attacks by a powerful nation-state is a far cry from more ordinary tasks of getting poll workers to voting locations on time and planning contingency operations for storms or other physical disasters. And there's no turning back, as federal offiicals have warned Russia is likely to try to repeat its hacking and disinformation campaign in 2020 and other U.S. adversaries, including China, Iran and North Korea, may try as well.
"I regret to report that I believe it will get worse before it gets better," former DHS Secretary Jeh Johnson, who oversaw DHS’s response to Russia’s 2016 election operation, told the New Jersey county officials during a lunchtime speech.
More than a dozen states have held election hacking war games for county officials during the past two years — many of them with help from the Department of Homeland Security. But the vast majority of those exercises have been done behind closed doors.
During the New Jersey exercise, county election officials had five minutes to game out a response plan to each hypothetical attack — typically getting their ideas by flipping through thick binders where they keep plans for all kinds of contingency scenarios.
Every time a county didn’t come up with a plan within the five-minute limit – or came up with a bad plan — a facilitator made a note in the county’s evaluation. In the coming months, state election officials will be poring over those evaluations and working one-on-one with county officials to fix everything they did wrong, officials said.
In some cases, county officials told me they’d already worked out detailed responses to numerous types of cyberattacks. In other cases, the counties were only beginning to game-plan out how they might respond to digital attacks.
Counties have trained for years to keep elections running despite physical disasters such as hurricanes and disease outbreaks, but they’ve been on a crash course learning about responding to cyberattacks since the 2016 election, Robert Giles, director of the New Jersey Division of Elections, told me.
“We've evolved so much since 2016 and I think the counties have a good handle on it now,” Giles told me. “The point of this exercise is to get them to think about all the potential things that could happen … Doing their due diligence and having a plan in place so they can be responsive.”
The exercises also give DHS a better idea of where the agency can offer more help to local election officials, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency, told reporters on the sidelines of the exercise. Krebs’s agency has been racing across the nation to do cybersecurity testing and training for state and local election officials since soon after Russia’s hacking and influence operation undermined the 2016 contest.
“It’s about both knowing what to do on a bad day but also issue spotting beforehand so we can minimize the chances of those things happening,” he said.
PINGED, PATCHED, PWNED
PINGED: Authorities arrested 281 fraudsters worldwide yesterday as part of an effort to disrupt a growing number of scams designed to dupe businesses and individuals into sending wire transfers for fraudulent reasons, the Justice Department announced in a news release. Dubbed “Operation reWired,” the effort took place over four months and included 74 arrests in the United States plus 169 in Nigeria and others in Kenya, Turkey, France and elsewhere.
The IRS, which assisted in the investigation, found that conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns to collect nearly $100 million in refunds. Authorities seized nearly $3.7 million in total.
In “business email compromise” schemes, criminals impersonate a company’s employees over email to convince other employees to wire them money. The scams can also take on a number of other forms including fraudulent rentals or vehicle sales.
PATCHED: President Trump’s firing of national security adviser John Bolton on Tuesday removes one of the administration’s most significant architects of cybersecurity policy.
Bolton was also responsible for eliminating a key White House cybersecurity coordinator position — which drew harsh criticism from cyber pros who said it would make it far tougher for the government to make key cybersecurity policy decisions. It's not clear how any of those policies will play out under Bolton's sucessor.
Here’s a take from Politico’s Eric Geller:
PWNED: State election officials are pushing back against a report released by cybersecurity company NormsShield yesterday dinging a number of unnamed state election offices for leaving their systems vulnerable to digital attacks.
Vermont Secretary of State Jim Condos pointed to a number of possible discrepancies in the report, including that email accounts that NormShield said were breached did not belong to the office's domain. "At best it appears to be reflective of the State of [Vermont] IT systems — not the Secretary of State’s office,” Condos said. “We operate on our systems separate from the state.”
Iowa's Secretary of State Paul Pate said his office stopped using the domain NormShield scanned (state.ia.us) years ago.
“You would think a firm that claims expertise in cybersecurity could do a simple Google search to find the correct address of a state website,” Pate said.
NormShield's chief security officer, Bob Maley, shot back that his company also scanned the Iowa Secretary of State’s current domain for cybersecurity weaknesses and “found very little difference.” The erroneous domain came from a list maintained by the National Association of State Election Directors, he said.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad: