Welcome to Codebook, the cybersecurity newsletter honing its play-by-play skills just in case hacking becomes a televised sport.
Tips? Ideas? Sandwiches? Hit reply to this email.
Today's newsletter is 1,691 words, a 6-minute read.
Illustration: Eniola Odetunde/Axios
Protecting elections from hacking threats means a lot more than protecting election systems from being hacked. Malicious hackers can find plenty of other ways to interfere with elections — notably by discouraging voting through election-day attacks on municipal systems.
Driving the news: Security firm Cybereason has been exploring that kind of election tampering in a series of tabletop simulations over the last year. Tuesday, at the third exercise — essentially a Dungeons and Dragons-style game for law enforcement, government employees and security researchers — a "red team" pretended to attack a city, while a "blue team" defended it.
How it works: Imagine a strategically placed traffic jam outside a polling place in a heavily Republican district. A hacker tampering with traffic lights is just one way someone could sway an election by influencing which voters can show up, all without touching the systems most associated with voting.
Here are additional lessons from Cybereason's games:
1. Everything is a weapon. The red team has used transportation, energy and gas, telecommunications, and government and emergency services networks in its attacks. And it's easy to see how any piece of infrastructure could be weaponized on Election Day, from causing a run on banks to starting a fire in a strategically chosen factory.
2. A key term to know: asymmetry. The main goal of local law enforcement, the first people who would respond to this type of attack, is to protect public safety. The main goal of someone disrupting an election is to, well, disrupt an election. The goals are asymmetrical — they don't require one group to lose for the other one to win. Police can keep everyone safe all day and the attacker can still succeed at keeping voters away from the polls.
3. It's good to have friends. Teams, often composed of law enforcement officials, have struggled to quickly call in federal agencies to handle the problems only federal agencies are equipped to solve or to request state resources when the local police are overburdened.
4. Worry about more than social media: Since 2016, the public has come to realize that social media disinformation is cheap and requires little technical background to launch. But it's not necessarily the most effective way for a sophisticated attacker to shape an election.
The bottom line: The frightening truth is that all critical infrastructure is election infrastructure. Weak links anywhere can be exploited to shape how voters act.
With a year to go before the 2020 election, and resurgent discussion of election security, let's take stock of the overall election security picture.
Paper trails: If you know only one thing about election security, it's that the most pressing issue has been assuring an auditable paper trail of votes. John Oliver presented a well-received piece on the topic Sunday, and even the star of "CSI: Cyber" is down.
Funding: Elections officials in states where some machines don't have a paper trail tell Codebook that the problem is cost, not will. That's where the federal government could help.
Beyond voting machines: Voting infrastructure isn't the only infrastructure that could affect the election (see above). But voting infrastructure is also more than voting machines. As a baseline, states need (and are making some progress on):
And beyond that baseline, states are finding plenty of other ways to bolster security, like California's anti-disinformation efforts.
Elections remain harder to hack than a lot of people think.
Maersk's shipping systems were among NotPetya's targets. Photo: Ina Fassbender/AFP via Getty Images
Wired reporter Andy Greenberg's new book "Sandworm" is the most detailed account yet of Russia's most destructive government-backed hackers.
That group, known as Sandworm, twice crashed the Ukrainian power grid, attempted to sabotage the 2018 Winter Olympics in South Korea, hacked U.S. election boards, and launched the NotPetya malware, often described as the most destructive cyberattack in history.
Why it matters: If Russia ever digitally destroys something in the United States, it would likely be at Sandworm's hands, not Fancy Bear's.
"Sandworm" succeeds where a lot of cybersecurity reporting fails, covering the human cost of cyberwarfare.
NotPetya was deployed so as to infect as many computers in Ukraine, and as many machines connected to Ukrainian networks, as possible. That meant a staggering number of international companies with Ukrainian offices or suppliers lost huge amounts of data.
Researchers at Kaspersky found traces of a threat group that had been identified in leaked NSA documents but that private-sector folks had never seen before.
Why it matters: Two and a half years after the ShadowBrokers leaked NSA documents, researchers are still making new discoveries. While it's unlikely to lead to another WannaCry, the work fills in even more gaps about what the NSA knows and we don't, and what the NSA is able to do that we don't know about.
Background: Documents leaked by the ShadowBrokers, the colorful hacker group remembered for leaking the NSA exploit later used in WannaCry, include code the NSA used to check whether other hackers had already reached a server before an NSA operator did, by looking for the artifacts those other groups leave behind.
Enter DarkUniverse: Kaspersky has now rediscovered one of the groups that code looked for, and nicknamed it DarkUniverse.
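To make that "was someone here before us" check concrete, here is an added example in Python. It is a toy version of the idea, not the leaked NSA script and not Kaspersky's analysis: a table of per-actor host artifacts (file paths, registry keys, process names, mutexes) is matched against a snapshot of a host, and an actor is only reported once enough weighted indicators line up. The actor names, indicator patterns and the host snapshot are all constructed for illustration and are not real signatures.

```python
"""Host-artifact deconfliction check (added example, hypothetical signatures).

Given a snapshot of what is on a host, report which known actors appear to have
been there already. Weighted, thresholded matching avoids flagging an actor on a
single weak indicator such as a common-looking process name.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass
class Indicator:
    kind: str       # one of "file", "regkey", "process", "mutex"
    pattern: str    # fnmatch-style glob, compared case-insensitively
    weight: int = 1


@dataclass
class ActorSignature:
    name: str
    indicators: list[Indicator]
    threshold: int = 2  # total weight required before the actor is reported


@dataclass
class HostSnapshot:
    files: list[str]
    regkeys: list[str]
    processes: list[str]
    mutexes: list[str]


def _matches(pattern: str, candidates: list[str]) -> list[str]:
    """Case-insensitive glob match of one pattern against host artifacts."""
    pat = pattern.lower()
    return [c for c in candidates if fnmatch.fnmatchcase(c.lower(), pat)]


def check_host(snapshot: HostSnapshot, signatures: list[ActorSignature]) -> dict:
    """Return {actor_name: {"score": int, "hits": [(kind, artifact), ...]}}
    for every actor whose matched indicator weight reaches its threshold."""
    lookup = {
        "file": snapshot.files,
        "regkey": snapshot.regkeys,
        "process": snapshot.processes,
        "mutex": snapshot.mutexes,
    }
    report = {}
    for sig in signatures:
        score, hits = 0, []
        for ind in sig.indicators:
            for artifact in _matches(ind.pattern, lookup[ind.kind]):
                score += ind.weight
                hits.append((ind.kind, artifact))
        if score >= sig.threshold:
            report[sig.name] = {"score": score, "hits": hits}
    return report


def someone_was_here_first(snapshot: HostSnapshot, signatures: list[ActorSignature]) -> bool:
    """True if any known actor's artifacts are present above threshold."""
    return bool(check_host(snapshot, signatures))


# Constructed, hypothetical signature table (not real indicators of any group).
SIGNATURES = [
    ActorSignature("ACTOR_A", [
        Indicator("file", r"C:\Windows\System32\drivers\ex_drv*.sys", weight=2),
        Indicator("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\ex_drv", weight=1),
    ]),
    ActorSignature("ACTOR_B", [
        Indicator("mutex", r"Global\ex-updater-*", weight=1),
        Indicator("process", "svchost_update.exe", weight=1),
    ]),
]

# Constructed host snapshot: ACTOR_A's driver and service are present; only a
# single weak ACTOR_B indicator (the mutex) is present, so ACTOR_B stays quiet.
SAMPLE_HOST = HostSnapshot(
    files=[r"C:\Windows\System32\drivers\ex_drv32.sys", r"C:\Windows\explorer.exe"],
    regkeys=[r"HKLM\SYSTEM\CurrentControlSet\Services\ex_drv",
             r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"],
    processes=["explorer.exe", "svchost.exe"],
    mutexes=[r"Global\ex-updater-01"],
)

if __name__ == "__main__":
    for actor, details in check_host(SAMPLE_HOST, SIGNATURES).items():
        print(f"{actor}: score={details['score']} hits={details['hits']}")
```

The threshold is the part worth copying: an operator deciding whether a box is already compromised by someone else wants a single strong artifact (a custom driver) or several weak ones before acting, not an alert on every generic-looking mutex.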
Twitter employees arrested for spying for Saudi Arabia (Axios): Federal officials charged two Twitter employees and a third man who supplied dissidents' personal information to Saudi authorities.
Law letting Russia unplug from the internet takes effect (MIT Tech Review, Axios): On Nov. 1, a Russian law went into effect allowing authorities to disconnect the nation from the global internet, ostensibly to test whether it could withstand a massive cyberattack.
Smart speakers are dumb to lasers (Light Commands): A global team of researchers has developed a mechanism to command smart speakers using lasers.