Stories

Cybersecurity firm hosts election hacking war games

Roll of I Voted stickers
Photo: Justin Sullivan/Getty Images

Cybersecurity firm Cybereason will host on Thursday a unique tabletop experiment on election security from its Boston headquarters. Some players will represent a hacker group trying to disrupt the election, while others will play city emergency responders trying to stop it. But these play-hackers won't be allowed to attack the election itself — they will have to disrupt it by disrupting the city, finding ways to keep people from voting.

Why it matters: There are dozens of ways to interfere with an election without touching voting equipment, ranging from causing traffic jams to blasting air conditioning in a polling place on an already cold day. Nearly all of our attention to election security has focused on attacks Russia has already tried or on the most obvious target — the voting machines themselves. But the next wave of attacks won't play by the rulebook we expect bad guys to use.

Tabletop exercises are group games that are sort of like a two-team Dungeons & Dragons — no computers, just paper and brains. It's an interesting scenario to play out in your head. What needs to happen ...

  • Voters need to know where and when to vote. A hacker could conceivably depress voter turnout by uploading false stories about polling place changes or extended hours for polls that plan to close on time.
  • Voters need to get to the polls. Hackers could close a major bridge, preventing people from getting to the polls. They could tie up transportation by informing bus drivers they've been given an extra day off.
  • Voters need to wait in line to cast a vote. False reports of gun violence near polling places or a nearby explosion might reduce the amount of time someone might be willing to wait.

Handicapping the race: These war games split players into a red team of attackers and a blue team of defenders. "I would say the blue team has a fighting chance, but I wouldn’t put it greater than 50%," says Ross Rustici, Cybereason's senior director of intelligence services.

  • The red team has an asymmetric advantage in agility. They get to pick the targets from an endless list of vulnerable systems. And they get to prepare in advance.
  • Defenders have an advantage in terms of nearby and on-the-ground resources from all levels of government, but they are forced to mobilize without preparation or planning. Ed Davis, the former Boston police commissioner known for his leadership during the Boston Marathon bombing, will head up the blue team.
  • "This might be a painful simulation for the blue team," said Rustici, "but if it's painful during the tabletop, they might start coming up with ways to make it less painful in November."