As voters head to the polls today in Virginia's odd-year contest, federal officials and local police are war-gaming how adversaries could disrupt next year's contest without hacking any election systems at all.
Officials from the FBI, Department of Homeland Security and U.S. Secret Service are working with cops in Arlington to game out how to respond if hackers from Russia or elsewhere in 2020 disrupt electricity at polling places, shut down streetlights, or hijack radio and TV stations to suppress voter turnout and raise doubts about election results.
They'll also test how to respond if adversaries launch social media campaigns to incite fights at polling places -- or to spread rumors about riots or violence that deter people from going out to vote. Cybersecurity experts and academics will play the mock hackers, lobbing new challenges at officials throughout the day.
The exercise underscores how hackers could destroy public faith in an election’s outcome without changing any votes. And that’s particularly concerning because many of these potential targets are far more vulnerable than voting machines.
“If you can prevent people from getting to the polls … if you can effectively disenfranchise certain segments of the population, that's far more disruptive to the republic than taking out a few voting machines,” Sam Curry, chief security officer at Cybereason, the company organizing the war game, told me.
These sorts of role-playing games have become a common method for federal, state and local officials to hone their election defense, but the scope is rarely so broad. The event is a prime example of how officials are trying to get ahead of adversaries on election disruption rather than just defend against the sort of election systems probing and social media misinformation the Kremlin launched in 2016.
And participants are keenly aware they only have a year left to plan. “We actually chose this day because in a year we'll be going to the polls for a massive election and one that is pregnant with opportunity for people to disrupt, run misinformation and disinformation campaigns and for people to take advantage of,” Curry said. “It's our sincere hope that law enforcement will use the year between now and then to get ready and to make sure that things do go off well.”
Curry's direction to the people playing adversary hackers is to try to raise as many doubts about the legitimacy of the election as possible without prompting officials to invalidate the results and start over. “If [an election] is messy and you think that the system has been broken and your franchise has been lost, then that becomes a reality whether or not voter rolls are hacked,” he told me.
Cybereason ran two similar war games during the past year in Boston with federal officials, Boston police and Massachusetts State Police. Both times, a neutral team of cybersecurity experts and former government officials rated the hacker and defender teams and declared a winner at the end.
In the first event, the hackers clearly came out ahead, “creating a lot of havoc and panic,” Curry told me. By the second one, however, the defenders had sharpened their responses and were able to blunt some of the most damaging attacks.
As one big example, they were able to push back on misinformation by maintaining a constant presence on local TV stations, he said. The local police also got a lot savvier about who they could contact for help in the state and federal government, he said.
And those improvements are important because local police, who aren’t always attuned to cybersecurity threats, will often be the first responders to an Election Day hack that hits outside polling places.
“The hope is that folks realize that there's a cyber dimension to everything,” Curry told me. “What I want is for them to go home and say, let's start doing the prep work in peacetime. Let's make sure we're ready when the crisis comes and we know exactly who to call.”
PINGED, PATCHED, PWNED
PINGED: DHS’s Cybersecurity and Infrastructure Security Agency will be running a 24/7 operations center looking for hacking attempts against the odd-year election today, re-upping a model the agency first used to protect the 2018 midterms.
Representatives from tech and social media companies, state election offices and political parties will all be on hand at a DHS operations center to help respond to hacking and disinformation operations, CISA said. State and local officials will be able to dial into the center through an online portal.
The odd-year elections are far smaller than the 2018 midterms, but they represent the last chance for a broad test run as DHS tries to hone its response to disruption efforts from Russia and elsewhere. The ballot will include state and local races, including governors' contests in three states.
CISA Director Chris Krebs will also be in Pennsylvania to highlight joint election security efforts with the state in a livestreamed event.
Democrats, meanwhile, are using Election Day as an opportunity to slam Republicans for blocking bills that would deliver more election security money to states and impose cybersecurity mandates. They'll hold a media call urging Senate Majority Leader Mitch McConnell (R-Ky.) to pass election security legislation this morning.
PATCHED: Hackers can now take over Alexa, Siri and other voice-assisted devices with just a flashlight or laser pen, Nicole Perlroth at the New York Times reports. The newly discovered attack allows hackers to control Internet-connected devices without physical access to them or even being on the same WiFi network, researchers in Japan and the University of Michigan reported yesterday.
The technique, which tricks microphones into responding to light signals like they're voice commands, could be used to con devices into performing a range of tasks, from turning lights on and off to making online purchases. In one case, researchers were able to open a garage door connected to a voice assistant.
“This opens up an entirely new class of vulnerabilities,” said Kevin Fu, an associate professor of electrical engineering and computer science at the University of Michigan. “This is the tip of the iceberg.”
Researchers have notified Tesla, Amazon, Apple and Google about the hack, Nicole reports, though it's hard to say how many devices could be at risk. Amazon told the Times it wasn't aware of any criminal hackers using the attacks. (Amazon CEO Jeff Bezos also owns The Washington Post.)
PWNED: Hackers are taking over advertisers' Facebook accounts and racking up tens of thousands of dollars in charges for ad campaigns that spread malicious links, Alfred Ng at CNET reports. By taking over legitimate advertisers' accounts, hackers can go undetected by Facebook long enough to spread links that attempt to steal users’ personal information and credit card data.
In one instance, hackers were able to reach more than 60,000 users, getting the credit card information of at least 24 people in the hour before Facebook shut them down. Some advertisers reported Facebook taking days to respond to hacked accounts and having their accounts locked in the process.
- The Senate Committee on Homeland Security and Governmental Affairs will host a hearing on Threats to the Homeland with FBI Director Christopher A. Wray testifying at 2:30 p.m.
- Christopher C. Krebs, director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), will join Pennsylvania state officials to discuss ongoing joint election security efforts in Harrisburg, Pa., at 12:15 p.m.
- The Judiciary Committee’s subcommittee on crime and terrorism will host a hearing entitled “How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors” on Tuesday at 2:30 p.m. Eastern time.
- The Senate Judiciary Committee will host a hearing on Reauthorizing the USA FREEDOM Act of 2015 on Wednesday at 2:30 p.m. Eastern time.