Analysis | The Cybersecurity 202: How counties are war-gaming Election Day cyberattacks

By Joseph Marks

9-12 minutes - Source: The Washington Post

---

PowerPost Analysis

Analysis Interpretation of the news based on evidence, including data, as well as anticipating how events might unfold based on past events

In this Nov. 6, 2018 file photo people vote at a polling place in Las Vegas. (AP Photo/John Locher,File)

THE KEY
PRINCETON, N.J. — If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them.
Election officials from New Jersey’s 21 counties huddled at tables in a hotel ballroom here, hashing out how they’d respond to Election Day cyberattacks. In some attack scenarios, hackers shut down voter registration databases, loaded voter files with phony information, or compromised county social media accounts so they start spreading false information about polling locations. They also prepared for what happens if attackers locked up election office computers with ransomware or shut down cellphone towers across multiple states.
How the U.S. fares during an Election Day hack is likely to rest on the response of local election administrators in the first few hours, state and federal officials told me.
“The county level is where all the risk is,” a Homeland Security Department cybersecurity official who was helping one county with its response-planning told me. “They own it in a way no state official does and certainly no federal official could. It’s always live or die at the county level.”
The war-games are a sign of how drastically local politics has changed in this new era of cyberwar -- preparing responses to attacks by a powerful nation-state is a far cry from more ordinary tasks of getting poll workers to voting locations on time and planning contingency operations for storms or other physical disasters. And there's no turning back, as federal offiicals have warned Russia is likely to try to repeat its hacking and disinformation campaign in 2020 and other U.S. adversaries, including China, Iran and North Korea, may try as well.
"I regret to report that I believe it will get worse before it gets better," former DHS Secretary Jeh Johnson, who oversaw DHS’s response to Russia’s 2016 election operation, told the New Jersey county officials during a lunchtime speech.
More than a dozen states have held election hacking war games for county officials during the past two years — many of them with help from the Department of Homeland Security. But the vast majority of those exercises have been done behind closed doors.
During the New Jersey exercise, county election officials had five minutes to game out a response plan to each hypothetical attack — typically getting their ideas by flipping through thick binders where they keep plans for all kinds of contingency scenarios.
Every time a county didn’t come up with a plan within the five-minute limit – or came up with a bad plan — a facilitator made a note in the county’s evaluation. In the coming months, state election officials will be poring over those evaluations and working one-on-one with county officials to fix everything they did wrong, officials said.
In some cases, county officials told me they’d already worked out detailed responses to numerous types of cyberattacks. In other cases, the counties were only beginning to game-plan out how they might respond to digital attacks.
Counties have trained for years to keep elections running despite physical disasters such as hurricanes and disease outbreaks, but they’ve been on a crash course learning about responding to cyberattacks since the 2016 election, Robert Giles, director of the New Jersey Division of Elections, told me.
“We've evolved so much since 2016 and I think the counties have a good handle on it now,” Giles told me. “The point of this exercise is to get them to think about all the potential things that could happen … Doing their due diligence and having a plan in place so they can be responsive.”
The exercises also give DHS a better idea of where the agency can offer more help to local election officials, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency, told reporters on the sidelines of the exercise. Krebs’s agency has been racing across the nation to do cybersecurity testing and training for state and local election officials since soon after Russia’s hacking and influence operation undermined the 2016 contest.
“It’s about both knowing what to do on a bad day but also issue spotting beforehand so we can minimize the chances of those things happening,” he said.

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

Not a regular subscriber?

PINGED, PATCHED, PWNED

A Justice Department sign. (Patrick Semansky/AP)

PINGED: Authorities arrested 281 fraudsters worldwide yesterday as part of an effort to disrupt a growing number of scams designed to dupe businesses and individuals into sending wire transfers for fraudulent reasons, the Justice Department announced in a news release. Dubbed “Operation reWired,” the effort took place over four months and included 74 arrests in the United States plus 169 in Nigeria and others in Kenya, Turkey, France and elsewhere. 

The IRS, which assisted in the investigation, found that conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns to collect nearly $100 million in refunds. Authorities seized nearly $3.7 million in total.

In “business email compromise” schemes, criminals impersonate a company’s employees over email to convince other employees to wire them money. The scams can also take on a number of other forms including fraudulent rentals or vehicle sales.

President Trump listens to national security adviser John Bolton. (Leah Millis/Reuters)

PATCHED: President Trump’s firing of national security adviser John Bolton on Tuesday removes one of the administration’s most significant architects of cybersecurity policy.

During his tenure, Bolton pushed a new, offensive cybersecurity strategy aimed at ratcheting up pain for U.S. cyber adversaries that included retaliatory cyberattacks against Russia and Iran.

Bolton was also responsible for eliminating a key White House cybersecurity coordinator position — which drew harsh criticism from cyber pros who said it would make it far tougher for the government to make key cybersecurity policy decisions. It's not clear how any of those policies will play out under Bolton's sucessor. 

Here’s a take from Politico’s Eric Geller:

Bolton's cyber legacy:
1️⃣ Eliminating WH cyber coordinator job
2️⃣ Downgrading homeland security adviser
3️⃣ Pushing for more aggressive operations to deter & punish
He was especially in sync with other officials on 3️⃣ (see NSPM 13 & CyberCom's "persistent engagement" strategy).

— Eric Geller (@ericgeller) September 10, 2019

The Iowa state flag. (Charlie Neibergall/AP)

PWNED: State election officials are pushing back against a report released by cybersecurity company NormsShield yesterday dinging a number of unnamed state election offices for leaving their systems vulnerable to digital attacks.

Vermont Secretary of State Jim Condos pointed to a number of possible discrepancies in the report, including that email accounts that NormShield said were breached did not belong to the office's domain. "At best it appears to be reflective of the State of [Vermont] IT systems — not the Secretary of State’s office,” Condos said. “We operate on our systems separate from the state.”

Iowa's Secretary of State Paul Pate said his office stopped using the domain NormShield scanned (state.ia.us) years ago. 

“You would think a firm that claims expertise in cybersecurity could do a simple Google search to find the correct address of a state website,” Pate said. 

NormShield's chief security officer, Bob Maley, shot back that his company also scanned the Iowa Secretary of State’s current domain for cybersecurity weaknesses and “found very little difference.” The erroneous domain came from a list maintained by the National Association of State Election Directors, he said.

PUBLIC KEY

— Cybersecurity news from the public sector:

President Trump on Tuesday issued a notice extending a national emergency declaration over foreign interference in U.S. elections.
The Hill

Technology is about to upend our entire national security infrastructure.
The New York Times

CEOs who signed: Amazon, AT&T, Dell, IBM, SAP, Salesforce, Visa, Mastercard, and JP Morgan Chase.
ZDNet

State officials said the theft occurred after an employee’s email account was compromised, but that all payments to beneficiaries will go out on time.
StateScoop

PRIVATE KEY

— Cybersecurity news from the private sector:

The U.S. has yet to green-light any sales to Huawei Technologies, frustrating chip makers more than two months after President Trump agreed to ease export restrictions on the Chinese telecom giant.
Wall Street Journal

As more and more devices get connected to the Internet of Things, researchers say compromising pumps has become a hot topic on cyber criminal forums.
ZDNet

Online retailer CafePress sent a letter to customers this week informing them that their personal information, including Social Security numbers, was breached.
Fast Company

THE NEW WILD WEST

— Cybersecurity news from abroad:

The Israeli-based NSO Group said on Tuesday it would abide by U.N. guidelines to...
Reuters

The Danish politician returns to the Commission in an unprecedented role to direct and enforce European digital policy.
Politico