BOSTON — The hackers leaned back in their chairs and scanned through options to disrupt election day as if they were reading from a menu of chaos.
Fake bomb threats. Orchestrated traffic jams. A botnet of faux Twitter accounts to spread discord.
In a simulated exercise put on by the Boston-based cybersecurity firm Cybereason Sept. 20, a team of seven hackers tried to outwit a group of current and former law enforcement officials from the Massachusetts area.
In the end, the hackers did not need to be selective about their options. They decided to combine all of their ideas into a concoction of havoc to pick apart the simulated voting day.
“We wanted to sow chaos with the intention of disrupting the election,” said Danielle Wood, director of advisory services at Cybereason, who was a member of the hacker team. “The stakes are low for us. If we fail, we can always try again tomorrow.”
In the simulation, the attackers were able to spread misinformation, hack the election registration lists and alter the voting locations displayed on public websites.
Law enforcement officials who participated in the exercise said they likely would have postponed the vote.
The red team of hackers “would have severely eroded confidence in having a smooth election,” said Sean Maloney, who works for the FBI’s Boston Division and headed the team of law enforcement officers. “It is a target that is very attractive. It is the cornerstone of our democracy.”
While Cybereason admitted that a suspension of belief was required for the simulation to work, the results were an insight into what top American officials believe is one of the real risks during the upcoming mid-term elections.
Although voting machines and election registration lists may be vulnerable to hacks on a local level, it is hard to replicate the attack at scale, Jeanette Manfra, Department of Homeland Security assistant secretary for cybersecurity and communications said in August during the DEFCON conference in Las Vegas.
Instead, intelligence officials say that Russia and other countries are trying to shake confidence in the U.S. mid-term elections. However, because both foreign adversaries and the intelligence community have changed tactics, they say, it is hard to draw comparisons between the current mid-term election cycle to the 2016 presidential vote.
The exercise at Cybereason was a test-bed of this worst case scenario.
The event began with the red team of hackers and blue team of law enforcement officials meeting to discuss the ground rules. Each would go into different rooms and plot moves during a simulated election day in a mid-sized city that was called “Nolandia.”
A control team, run by Cybereason’s director of intelligence Ross Rustici, told each team about what was happening in the city as the day went on.
The rules were simple: The red team needed to spread doubt about the election’s validity. The blue team needed to protect the vote.
As the simulation began, the red team huddled around a table with a map of the city projected on a television screen. The group of Cybereason employees and Boston College students became collective of evil-doers. Their strategy was to delay the early morning vote and force long lines at the end of the day.
They discussed targeting minority communities who had poor relations with the police with disinformation campaigns to plant conspiracy theories. They posited hacking into Waze, the crowd sourced traffic app, so they could direct the cars into a lump of confusion. They launched a DDoS attack on the police station’s 911 call-center to overwhelm the authorities.
But the red team was a study in contrast with the police officers. As opposed to the free-wheeling discussions of the hackers, the current and former law enforcement officers spoke in measured tones amid the uncertainty.
“We need to communicate honestly with the public,” said Ed Davis, a blue team member and former Boston police chief. Davis rose to national prominence during the 2013 Boston Marathon bombings with his calm and collected press briefings. “We need to communicate how there is manipulation of social media and other outlets, so people have to take things with a grain of salt. They can’t believe everything they read."
The group of current and former law enforcement officers solemnly nodded in agreement.
“The blue team is responding to the effect, but not the causes,” Rustici told Fifth Domain midway during the exercise. The red-team “went after the emergency management system more aggressively that I was expecting.”
As the simulation progressed, the hackers embraced a tactic of chaos to disrupt the late-day vote by injecting conspiracy theories on social media and to make it appear as if the incumbent party was manipulating the results.
“Mwahahah,” said one red team member at the explanation of their disinformation campaign.
“Can you just type in evil laughter?,” asked another.
The team of law enforcement officials embraced a strategy of ensuring sound internal and external communications. But they were fighting a losing battle.
“There are too many moving parts,” one member said toward the end of the event. “I’m glad this is an imaginary town.”
Davis, the former Boston police chief, was clear eyed about the simulation’s practicality.
“It could happen.”