Annual election security tabletop drill put officials through ‘Armageddon-like’ test
The Department of Homeland Security this week held its third annual tabletop exercise for state and local election officials, simulating how some of the worst-case scenarios, including potential cyberattacks, physical attempts to disrupt the voting process and civil unrest would play out.
On top of the usual situations past drills have included, including network intrusions by foreign government hackers, this year’s event incorporated effects of the COVID-19 pandemic, which has already forced states to rethink how their voters will cast ballots in what is anticipated to be a presidential election with very high turnout.
The exercise, which featured about 2,100 participants from federal, state and local governments, as well as private-sector election technology vendors, was convened — as in previous years — virtually over three days, with officials from 37 states taking part in what has become an annual opportunity to go through what one participant called an “Armageddon-like” situation in which every potential meltdown can happen.
One scenario during the exercise forced election officials to deal with website defacements of secretaries of states’ voter lookup or election-night reporting sites, combined with a disinformation campaign, according to a U.S. official who participated.
Along with digital vandalism, election officials have also been increasingly concerned by ransomware attacks that’ve disrupted other parts of state and local governments. During a National Association of Counties webinar last week, county leaders were warned what a lock-up virus could do to their voter files or reporting websites.
In other tabletop scenarios this week, the pandemic “loomed large,” said a state-government official who took part in the exercise. Among the potential effects of COVID-19 discussed were the continued expansion of mail-in and absentee voting, as well as attempts to undermine those processes.
Since March, state and local officials have responded to the pandemic by shrinking the number of in-person polling places they offer and attempting to massively expand the use of mailed-in ballots.
While several states have set new records for absentee voting, many have also encountered logistical nightmares during the primary cycle. In Georgia, for instance, absentee ballots for the June 9 primary were printed by vendors as far away as Arizona, while a limited number of polling places and malfunctions with new voting machines led to thousands of in-person voters waiting longer than three hours. And in New York, absentee ballots cast for the June 23 primary were still being counted several weeks into July.
Voting by mail, despite allowing people to participate in the democratic process without having to risk exposure to a deadly contagion, has come under frequent attack from some, including President Donald Trump and members of his administration, who frequently suggest without evidence that mailed-in ballots are fraudulent, despite being absentee voters themselves.
The state official who participated in this week’s tabletop said one of the civil-unrest scenarios included people demonstrating, in person, that mail ballots lead to fraud. Others featured protests that in-person voting will be unsafe amid the pandemic, and protests against discriminatory voting practices.
The point of the annual drills, which DHS’s Cybersecurity and Infrastructure Security Agency has led since 2018, is to “game plan for various scenarios and test and improve our response plans,” according to a statement released Thursday by the executive committee of DHS’s Election Infrastructure Government Coordinating Council.
Even against the backdrop of an open-ended health crisis, election officials have made “significant progress” in defending their assets like voter registration databases, voting equipment and reporting mechanisms.
“Fortunately, election officials have been managing risk to their systems and preparing for the unexpected for as long as we’ve had elections,” the statement read.
CyberScoop’s Sean Lyngaas contributed reporting.