SAN FRANCISCO—They brought me in the back door.
I had been standing on the steps of the old Mint in San Francisco, staring at a heavy, gold-painted door that was chained shut, until I was given better directions.
Once inside, I was led down a dark hallway which, like most of the 19th-century building, was lined with crumbling brick.
We turned, passed through an ancient but still impressive vault door, and into a small room with two tables, several journalists, and representatives from the security company Cybereason.
We were there to hack a US election.
This wouldn’t be a real election, of course.
Instead, we had all stepped away from the RSA Conference to play a wargame where teams explore hypothetical ways to undermine a US election.
Think of it as a game of Dungeons and Dragons, except with election meddling instead of magic missiles.
The game is the fifth such simulation carried out by Cybereason since 2018, with the most recent one in New Hampshire and the next scheduled for Paris.
Red vs. Blue
Sam Curry, Cybereason CSO, divided us into teams.
Most of us were on the Red Team—the bad guys.
We were a domestic hacking group called Kill Organized Systems (K-OS)—it's like "chaos," get it? But chaos wasn’t our actual goal.
We were tasked not with disrupting the election or pushing a particular candidate over the top, but rather instilling lasting doubt about the election’s outcome in the populace.
Create enough chaos, and the election would be postponed.
The Blue Team—the good guys—were the Adversaria Task Force.
Their goal was to protect the election and ensure public safety.
Lastly, Curry took the role of the White Team; part referee and part game master, his role was to judge the outcomes of each team’s actions.
He would also interject new information and changing situations.
As a pre-game press release explained, “The goal of the game injections is not to put a thumb on the scales, but rather to help simulate the uncertainty and serendipity that often governs these types of situations.”
The Blue Team takes its name from the game's fictional city: Adversaria.
This bustling hamlet exists only as a map and a series of bullet points in the game, but we were told it was a major population center in a swing state.
The outcome of the election could easily hinge on the votes from Adversaria.
The city has 1,000 police officers, and is an early high-tech adopter.
The city boasts driverless vehicles and gigabit internet connections.
One twist in the exercise: the election equipment and voter rolls were off limits to attack.
This wasn’t a vote of confidence in the hardware used in American elections; it wasn’t long ago that the world’s most unsafe voting machine was being used in American elections.
Instead, the limitation was, in the words of Curry, to “stretch the mind.”
With that, the Blue and White Teams went off to a different room.
My teammates—all journalists from various outlets—sat down with Cybereason representatives meant to advise us and guide our work.
We first took stock of the tools at our disposal.
The Red Team had been busy, having already gained access to city cameras, traffic signal systems, local news broadcasts, and an emergency warning system.
Our imaginary hackers were also hard at work gaining access to city Twitter accounts, official web pages, and official email accounts.
We’d get access to these later in the game.
We also had a successful distributed denial of service (DDoS) attack against the city’s 911 call center, greatly hampering the city’s ability to respond to crises.
Anarchy in Adversaria
The game would play out over the course of four rounds, representing one election day in Adversaria.
Each turn, we’d take two actions.
We also had to choose a development, something to set in motion for the following turn.
Our decisions would be communicated via Slack to the White Team in another room.
Once the Red and Blue teams made their moves, the White Team would decide the outcomes, and then communicate some information back to each team.
This meant that we didn’t always know what actions the Blue Team had taken to thwart our actions, and they didn’t know what we were planning.
As far as what we could do, we were given few rules other than the knowledge that the White Team would decide whether our schemes worked or not.
We also didn’t do any actual hacking.
This was a thought exercise, not a demonstration of specific skills.
We did know that Adversaria was hosting an international conference in one of its districts, so our first action was to call in a bomb threat to the city district hosting the event.
We toyed with using the emergency alert system to create confusion, and I put forward that we send out a radiation warning.
Our advisors patiently reminded me that we’d likely lose access to a system once we used it.
Instead, we used our sway over Adversaria’s traffic signals to create traffic jams in four city districts known to have traffic problems.
At the same time, we chose to develop a botnet of social media accounts.
The White Team reported that our bomb threat and traffic jam were successful.
Police had been pulled off normal duty to direct traffic.
For our next move, we used our botnet to send out fake warnings that polls were closed in the areas affected by our traffic jams.
By planting a bogus claim of a protest moving through the same district, we sought to stretch the police even thinner.
For our development, we began work on a phony video that showed a voting machine malfunctioning.
Around this time, we began to seriously consider throwing our efforts behind a particular candidate.
When the White Team informed us that early results showed Republicans pulling ahead, we decided to make our efforts appear to favor Republicans.
Now, our goal was not to get a particular candidate elected, but we thought we could create maximum discord by tying our chaos to the election’s natural frontrunner.
If we could taint the reputation of the election’s winner, our mission would be a success.
Our efforts were paying off.
A sudden influx of voters created long lines in one district, which led to violence in some polling places.
We also learned we had gained control of Facebook pages for the mayor and governor.
With our newfound access to official channels, we decided to push hard on the appearance of favoring a particular party.
On the mayor’s Facebook page, we posted an erroneous claim that undocumented immigrants were voting illegally in large numbers and that voters would need additional ID in order to cast their votes.
From the governor’s Facebook page, we posted the opposite: a message declaring that everything was fine and that the election was proceeding without a hitch.
To create even more confusion, we decided to use our access to official email accounts to send last-minute instructions to polling sites.
In Democratic-leaning districts, our messages said that additional ID was required, but our messages to Republican districts said no additional proof was required to vote.
For our final development, we used our access to city camera systems to commission a deepfake video of poll workers throwing out ballots.
Being good storytellers, our final turn was for pulling together all the threads we’d strung during the game.
We planted a fake news story that the ruling government itself was the real culprit behind the chaos and was attempting to influence the election.
At the same time, we released our two fake videos, and promoted them through our botnet of social media accounts.
We knew that once we used our access to the city’s Twitter account, it would be taken offline immediately.
So we chose to post something that would look incriminating once it was deleted: a fake post saying that voting machines and voter rolls had been hacked in Adversaria.
With that, the game was over.
In the end, we weren’t able to do lasting damage to confidence in Adversaria’s elections.
The Blue Team set up busses to move people between polling locations, effectively nullifying our efforts.
The mayor and chief of police were able to dispel our fake news.
Thanks to our subtle actions, we did manage to avoid arrest.
Curry gave us some pointers in case we ever want to meddle in an election in the future.
We should have kept up the DDoS on the city’s 911 system, and introduced our fake news earlier in the day for maximum impact.
Developing a botnet was a good idea, but he suggested that instead of using it to push just one message, we use it to create a dialog.
If we had the bots responding to each other and mimicking opposite views, we could have robbed the government of the ability to direct the narrative.
I Hope You Learned Something
Wreaking havoc on Adversaria was a lot of fun for us, but the point was to learn something about the nature of these attacks.
Curry says the election war game series has brought up some novel approaches.
One Red Team took control of the city’s sewer; creating a sewage backup at polling places like schools could have been devastating.
A different team, on the other hand, was far less successful when it took control of the city’s autonomous vehicles and used them to harm citizens.
While certainly horrific, the election was merely delayed, and the brazen Red Team was arrested (in the game).
On the defensive side, Curry says the most successful Blue Teams are ones that call in help early in the game.
The Blue Team we faced off against also wisely created a secret back-channel communications system, so they could always get reliable information out.
But when it comes to real election interference, Curry is quick to point out the limitations of his simulation.
For one thing, the Adversaria attack was done by a single group with a single goal.
That’s not the case in the real world.
"Iran has an interest, Russia has an interest, individual agencies have an interest," explained Curry.
A real attack also would have cybercriminals paid by nation-states, says Curry, further adding to the list of players.
Curry pointed to the recent debacle with the Iowa Democratic caucus as an example of how other parties can get involved in election attacks.
In that contest, members of the group 4chan flooded phones with prank calls, making it much harder to report the outcome.
An “ideological alignment of a large group of people was able to be mobilized to embarrass the Democratic Party,” says Curry.
To him, it’s an example of a particularly canny strategy.
Voting machines would also certainly be within the scope of a real attack, but Curry wasn’t so quick to embrace paper ballots as the solution to election hacking. The solution to our voting woes is, "a literal democratization by getting more people [voting]," he says.
While my Red Team struggled to craft an effective misinformation campaign, this was a main concern for Curry.
He sees the advertising and data gathering economy that supports so much of the internet as a major boon to anyone running a misinformation and disinformation campaign.
The ad-purchasing platforms built into Facebook and other platforms are tailor-made for quickly pushing disinformation and misinformation to receptive audiences.
It’s also extremely affordable.
“We're gonna see misinformation and disinformation around the next one, we've seen it in every election over the last four years,” Curry says.
“This is a propaganda war and the tools available to propaganda people are immense.”
This may be a warning worth heeding, because while I easily walked away from Adversaria, I stepped back on to the streets of San Francisco, and the next US presidential election is only nine months away.