Feb 26 2020

DHS Rolls Out ‘Tabletop in a Box’ Election Cybersecurity Tool

As the 2020 election season arrives, these exercises can help keep state and local officials sharp when it comes to countering threats.

With the 2020 election primary season fully underway, state and local election officials are ramping up their cybersecurity efforts to counter malicious threats. They are also getting support from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Several weeks ago, CISA released a 58-page guide, its “Elections Cyber Tabletop Exercise Package,” which it calls a “tabletop in a box.” The guide is designed to allow state and local officials to conduct election security drills simulating phishing and ransomware attacks, corrupted voter registration information, disinformation campaigns and attacks on voting equipment. 

As StateScoop reports, such tabletop exercises “are designed to give secretaries of state, election directors, IT leaders and other officials a war game-like environment simulating the threats posed by foreign governments and other adversaries that might try to disrupt a real election.”

Tabletop exercises can be used to “enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident,” the guide states. 

Generally, the exercises are “aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.”


How State and Local Officials Can Prepare for Election Security Threats

In the first scenario presented in the guide, a threat actor attempts to interfere with vote-by-mail elections. “After using phishing to penetrate state and local government systems, they attempt to redirect mailings, alter voter registration data, and deploy ransomware on networks to delay or discredit the election,” the guide notes. In the second scenario, malicious actors target state and local election officials with a spear-phishing campaign and get access to election assets. Once they are inside the agency’s network, they attempt to “modify voter registration data as well as interfere with legitimate voter registration by promoting fake websites during the whole registration period.” 

In this situation, the hackers also deface election websites and install ransomware at state and local election offices. “By modifying voter registration data and impacting the printing of pollbooks, election officials are inundated with an increase of election day registration/same day registration requests,” the guide notes. 

The third scenario focuses on Election Day itself, as hackers deploy “poisoned software updates” to get access to voting equipment and change the vote count. Social media would also be used to “encourage users to launch independent attacks against state and local government networks.”

“As we’ve gone out [to the states], one of the requests has been a resource to work with counties that’s customizable to our states,” Matt Masterson, a senior cybersecurity adviser at CISA, tells StateScoop. 

Each scenario has a step-by-step series of challenges, pushing state and local officials to respond to specific threats and to determine if they can handle issues on their own or if they need the resources of the state government, the federal government or a cybersecurity vendor. 

The scenarios are designed to get state and local officials to think through pressing questions, such as:

  • Does your organization conduct a cyber risk assessment to identify organization-specific threats and vulnerabilities?
  • What are your most significant threats and vulnerabilities? What are your highest cybersecurity risks?
  • What entities connect to your state or county’s voter registration database? Does your organization maintain contact information with all relevant parties in case of an incident? What entity is responsible for securing the voter registration database?
  • How would your organization respond to the discovery of a malicious, unauthorized administrator account on your systems? Who would be informed internally? Who would be informed externally (e.g., law enforcement, cybersecurity insurance partners)?
  • How would your organization respond to emerging news and social media issues? Does your organization have preapproved messages for immediate release as part of a larger communications plan?

“The most important thing is to get the local election officials to the people who can help them best address the issue,” Masterson says. “Put together the contacts needed for each one of the systems. In some places you have 10 or more vendors. There ensues debate if it’s a voter registration problem or an e-pollbook problem.”
