For the past few years, the Department of Homeland Security has convened exercises for state election officials to test how they’d respond to a cyberattack against voting systems. At a National Association of Secretaries of State meeting in Washington last weekend, a DHS official introduced a new product that could make it easier for local officials to run those exercises.
The tabletop exercises, as the events are known, are designed to give secretaries of state, election directors, IT leaders and other officials a war game-like environment simulating the threats posed by foreign governments and other adversaries that might try to disrupt a real election. And while the exercises have included representatives of some local governments, one of the biggest challenges statewide election officials say they have is making sure new cybersecurity tools and procedures trickle down to even the smallest, most resource-strapped jurisdictions involved in the democratic process.
The Cybersecurity and Infrastructure Security Agency on Friday published its “Elections Cyber Tabletop Exercise Package,” a 58-page guide for state and local officials to hold their own drills simulating ransomware, data breaches, disinformation campaigns and attempts to corrupt voting equipment. Matt Masterson, a senior adviser at CISA, described the document as a “tabletop in a box.”
“As we’ve gone out [to the states], one of the requests has been a resource to work with counties that’s customizable to our states,” Masterson said.
The guidebook lays out three scenarios. The first is a phishing scheme that seeks to gain access to a voter registration database ahead of a vote-by-mail election in order to redirect mailings, alter voter files or deploy ransomware. The second simulates an effort by hackers to modify voter registration information and deface official websites on an election day. And the third asks participants to respond to hackers attempting to deploy “poisoned” software updates to voting equipment in an attempt to alter the vote count.
Each scenario comes with its own step-by-step series of challenges, testing participants’ ability to muster an incident response and figure out if they can resolve the situation internally, or if they need to call on assistance from their state government, the federal government or a vendor. The vote-by-mail exercise, for example, begins with an alert from a security company warning of a hacking campaign against printers and other internet-connected devices. It escalates into alerts from CISA and the FBI, direct threats from a hacking group (called “Hippoponymous” in the manual) and eventually voters receiving incorrect ballots, followed by website defacements, a ransomware attack and media reports about a cyberattack against the election that create public panic.
The exercise asks participants a series of questions aimed at helping craft a solid incident-response plan, such as “What systems would be prioritized for recovery efforts?” and “Would this be decided before an incident occurs?”
During his presentation at the NASS meeting, Masterson said many county governments need guidance on knowing whom to call upon if and when they suffer a cyberattack.
“The most important thing is to get the local election officials to the people who can help them best address the issue,” he said. “Put together the contacts needed for each one of the systems. In some places you have 10 or more vendors. There ensues debate if it’s a voter registration problem or an e-pollbook problem.”
The goal of the tabletop in a box, he said, is to ensure that the more than 8,000 individual jurisdictions around the country that conduct elections can come up with robust playbooks they can turn to in the event of a real incident.