A team of hackers last week squared off against the US Secret Service, the FBI, agents from the Department of Homeland Security, and officers from the Arlington, Virginia police department in a simulated 2020 national election. According to a debriefing document shared with Quartz, the imaginary 16-hour day ended in abject chaos.
Among other things, a series of vehicle attacks killed dozens of people, hundreds were injured, and authorities were ultimately forced to cancel the vote.
After successful foreign intervention in the 2016 US Election, preparing for any and all possibilities in 2020 has become an urgent task for US regulators and law enforcement. And although the United States has earmarked an additional $250 million to protect the 2020 elections from outside interference, experts say this amount “doesn’t come close” to what’s needed.
Federal oversight of voting systems is worryingly lax, and many expect adversarial nations to continue to weaponize social media to upend US elections. As retired US Army general Stanley McChrystal and David Eichenbaum, a Democratic media consultant, wrote in a recent op-ed, “America is totally unprepared for what is coming because it will be like nothing we’ve seen before. Everyone is vulnerable, and everyone will be affected.”
The recent role-playing exercise presented a real-world scenario pushed to the extreme.
Dubbed Operation Blackout, the simulation was hosted in Washington, DC by Cybereason, a Boston-based cybersecurity firm. The pretend election took place in a fictitious swing-state city called Adversaria. A group of ethical “white hat” hackers—the Red Team—took on a group of federal agents and local cops who comprised the Blue Team. Unlike most simulations like this, the Red Team was explicitly prohibited from manipulating election equipment, forcing them to focus instead on interfering in other aspects of the electoral process. (No actual hacking was allowed.)
Cybereason co-founder Yonatan Striem-Amit, a former member of Unit 8200, the Israeli military’s elite cyber warfare team, told Quartz, “In a country as fragmented as the US, the number of people needed to influence an election is surprisingly small. We attempted to create havoc and show law enforcement that protecting the electoral process is much more than the machine.”
So-called tabletop simulations like Operation Blackout necessarily involve “out-of-the-box” thinking, said Striem-Amit, which can include scenarios that may seem fantastical. However, he explained, it’s vital to train for every possibility. A White Team, made up of cybersecurity professionals from Cybereason and monitored by US government observers, set the rules and decided the outcome.
In the first round of the simulation, the Red Team, which was led by Striem-Amit, developed a strategy to launch audio and video deep-fake attacks. They took control of the Fox News website and CNN’s Twitter account, as well as the Facebook and Twitter accounts for city hall and the mayor, using them to spread disinformation about voting machines being hacked. Law enforcement—the Blue Team—responded by deploying officers and K9 units throughout the city, after the FBI informed them that a hacking attempt had occurred.
The Red Team then took control of 50 autonomous cars and five driverless buses—a move that may be more likely rooted in a future reality—and deployed a cell-site simulator that allowed them to track people’s locations and intercept their phone calls. They seized control of Adversaria’s traffic lights, causing accidents, and distributed a deep-fake video of the Democratic candidate engaging in racial and domestic violence.
A protest erupted outside the International Monetary Fund, to which the Blue Team deployed officers and agents. The National Guard was put on standby while the Blue Team informed the public that there was actually no evidence of a hack on voting machines.
The Red Team responded by hacking into telecommunications networks, initiating a round of DDoS attacks. They used their deep-fake capabilities to mimic the voices of polling station supervisors, convincing poll workers to reset all electronic voting machines. The Blue Team set up portable traffic lights, and sent 100 plainclothes cops to polling locations, and a chopper into the air.
The Red Team managed to take control of five additional autonomous buses, which began slamming into people waiting to vote at polling stations. Riots began. Cars were abandoned and hospitals began to fill up. Rumors of anti-Democrat bias among police spread on social media. The National Guard was called in.
Impersonating police commanders, the Red Team informed the law enforcement community that digital voting systems had been compromised. Meanwhile, the police responded to a hoax bomb threat on the north side of town. The Red Team leaked video footage of the vehicle attacks, and posed as ISIS to claim responsibility.
Amid all this, the election was canceled and people were told to go home. The government declared a state of emergency and martial law. The leaders of the group that attacked the election, a fictitious anarchist cell, were eventually identified and arrested.
In the aftermath, fear about the threat of terrorism grew. Rumors spread about US government collusion, although an investigation did not turn up evidence of that. More conspirators were arrested, and trials began.
The final tally: 32 dead, 200 wounded.
In a similar exercise during the run-up to the 2018 midterm elections, the Red Team “dominated” the Blue Team, according to Cybereason’s post-simulation assessment. This time, the Red Team actually failed its primary mission, which was to undermine the election as planned, the analysis said. Instead, the Red Team forced the Blue Team to cancel the election, which, under the simulation’s rules, was not the same thing.
Of course, the outcome would likely please most groups trying to subvert a US election.
“It is fair to say each team denied the other victory in the final turn,” says the Cybereason report. “The Red Team causing the death of civilians at the polls prevented the Blue Team from winning, and the Blue Team being forced to reschedule the election prevented the Red Team from winning.”
In 1984, the Irish Republican Army imparted a chilling message to police after a failed hotel bombing: “Today we were unlucky, but remember, we only have to be lucky once. You have to be lucky always.” The adage still holds true, with an adversary holding a substantial advantage over any defense, according to Cybereason, which plans to hold a follow-up exercise as the 2020 election nears.
“They can take actions across a huge spectrum of possibilities, whereas law enforcement must work within the bounds of the law,” the report says. “It is impossible for law enforcement to prepare for every scenario an attacker might implement.”
Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.
More stories from Quartz: