Crisis Simulation: Cyber Shockwave Reveals Unsettling Answers
London, UK - 18th February 2010, 01:45 GMT
Dear ATCA Open & Philanthropia Friends
[Please note that the views presented by individual contributors are not necessarily representative of the views of ATCA, which is neutral. ATCA conducts collective Socratic dialogue on global opportunities and threats.]
No one doubts that asymmetric threats to telecommunications and other crucial computer-run systems are real and growing. Dennis C Blair, the director of US National Intelligence, warned the Senate Intelligence Committee recently, "Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication." What happens when a cascading cyber threat strikes with domino effects? From the phone in the pocket to the military’s most sophisticated weapons system, cyber espionage and computer hacking represent an economic and national security threat to every citizen living in a digital society.
Crisis Simulation: Cyber Shockwave
Earlier this week, The Bipartisan Policy Center, a non-profit group based in Washington, DC, co-created and hosted a rare Cyber ShockWave exercise, a simulated cyber attack on the US and the subsequent response by the National Security Council (NSC). To defend against this attack, a working group of high-ranking former White House, Cabinet, national security officials, and cybersecurity experts came together. Their mission: to advise the President as the nation grappled with this 'crisis' in the middle of a doomsday cyberattack scenario.
Scene: White House situation room with the National Security Council in session.
Event: Massive cyber attack that turns the cellphones and computers of tens of millions of Americans into weapons to shut down the Internet. A cascading series of events then knocks out power for most of the East Coast amid hurricanes and a heat wave. A major electronic trading system that supports business throughout the United States is “knocked offline”, bringing the economy to a standstill.
Objective: The one-of-its-kind public cyber-war game was chiefly designed to underscore the potential defencelessness of the country's digital infrastructure to a crippling cyberattack. "We were trying to tee up specific issues that would be digestible so they would become the building blocks of a broader, more comprehensive cyber strategy," said Michael V Hayden, former CIA director and co-creator of the "Cyber ShockWave" simulation.
Mechanism: Through a common application used in smart phones, a malware program is set off, crippling the entire telecom network and effectively slowing the Internet to a screeching halt. One free downloadable application turns smartphones into network-jamming bots -- thereby leading to the failure of US mobile-phone networks, and in due course spreading to the wired Internet. The March Madness app, which has been downloaded by unsuspecting college football fans, hides spyware that allows hackers to steal passwords, seize eMails and create chaos. The scenario sees 60 million mobile phones being rendered ineffective, along with the crash of the Internet, a virtual collapse of finance and commerce, and the breakdown of the country's electric grid.
Former senior officials from Republican and Democratic administrations participated in the war game. Participants and witnesses were all shocked by the amount of devastation that started from malware on smart phones. Could an attack like this cripple America? Participants in the event came to the conclusion that possibly yes, an event such as the one simulated could happen. The participants in the simulation wrestled with major difficulties in preventing and reacting to a cyber attack. As each issue was met with serious discussion, time passed, leaving the government less able to communicate with its population.
The war game laid bare that the US government lacks answers to key questions:
. Is the assault on cellphones an armed attack?
Half an hour into an emergency meeting of a mock National Security Council, the attorney general declared: "We don't have the authority in this nation as a government to quarantine people's cellphones." The White House cyber coordinator was "shocked" and asserted: "If we don't have the authority, the attorney general ought to find it."
. In a crisis, what power does the government have to order phone and Internet carriers to allow monitoring of their networks? How to regulate the private sector?
Participants also wrangled over how far to go in regulating the private sector, which owns the vast majority of the "critical" infrastructure that is vulnerable to a cyber attack. Stewart Baker, a former assistant secretary at the Department of Homeland Security who played the "cyber coordinator", said that the private sector was not prepared to defend against a cyber act of war and that the government needed to play a role.
. What level of privacy can citizens expect?
Jamie S Gorelick, a deputy attorney general under President Bill Clinton, pressed the issue of individual privacy. In a crisis, she said, "Americans need to know that they should not expect to have their cellphone and other communications to be private -- not if the government is going to have to take aggressive action to tamp down the threat." She recommended that the Obama administration seek legislation for comprehensive authority to deal with a cyber emergency.
. Is this an act of war?
The situation had some White House officials arguing that the massive cyberattack should be declared an act of war by the US president, and the US military be mobilised into action. Former Clinton press secretary Joe Lockhart, who played a presidential adviser during the simulation, said it was immaterial whether the attack was an act of war; it had "the effect" of an act of war.
During the war game, held over four hours at the Mandarin Oriental Hotel, three wide-screen monitors flashed maps of the United States showing network coverage and electric power ebbing. The breakdown was covered by a simulated news network, GNN. Senior administration officials watched the reporting of the unfolding crisis -- 40 million people without power in the eastern United States; more than 60 million cellphones out of service; Wall Street closed for a week; Capitol Hill leaders en route to the White House.
"People have trouble understanding warnings," said John McLaughlin, who served as acting CIA director in 2004 and who played the director of national intelligence. "It was only after September 11 that people could visualise what was possible. The usefulness of the simulation is it will help people visualise [the threat]."
Developed by Georgetown University and a number of companies, the worst-case scenario would undoubtedly overwhelm the administration's proposed cyber defences. Sponsors, most of whom made financial donations that ranged up to USD 150,000, included General Dynamics Advanced Information Systems, PayPal, Symantec, SMobile Systems, Georgetown University and Southern Co. The Chertoff Group contributed guidance, not money. The Bipartisan Policy Center, sponsors and CNN contributed to production costs. The Bipartisan Policy Center, which focuses on issues such as health care, energy and cybersecurity, staged the war game to demonstrate to a complacent public the plausibility of an attack that could in many ways be as crippling as the 9/11 strikes in 2001. Organisers said they wanted to prod the US Congress and the Obama administration to act.
The results were hardly reassuring. They show that the asymmetric threats to the digital infrastructure are real and growing. The worst-case scenario would almost certainly overwhelm the US administration's proposed cyber defences. In a doomsday cyber attack scenario, answers are unsettling. "We're in uncharted territory here," was the most common phrase during the simulated crisis meeting of the National Security Council, the crux of the Cyber Shockwave exercise.
What was most troubling to the participants was their inability to find a guilty party. Attribution is a commonly discussed issue among cyber security officials in regard to attacks in cyberspace. At the end of the exercise, John Negroponte, a former US diplomat playing the role of Secretary of State, said, “attribution was one of the hardest issues to deal with.” In the mock event, the attack seemed to be based out of a server in Russia; however, the creator of the malware was from Sudan. For the entire event, the culprit remained unknown. John Negroponte said, “We have to engage with our allies on how to manage the cyber issue. I think we need to deal with it with non-allies as well. Maybe one possibility is to bring it before the Security Council.”
At the end of the event, one question lingered in the minds of participants and witnesses. Who could have the resources to launch a similar cyber attack? Criminal networks, extremist organisations or other nations? “We don’t understand their capabilities,” said John McLaughlin, the former acting director of the CIA. “We just don’t know the extent to which anyone could do something like this.” Negroponte concluded with the words, “We have to find a way of elevating the issue of Cyber Security and Cyber Attacks into our [diplomatic discussion].”
The event highlighted the need for the US government to change without a crisis. It seemed as though the President should take control, activate the National Guard, and strip many rights in order to create security during the emergency. Former Deputy Attorney General Jamie Gorelick pointed out many important legal issues including the limitation of presidential orders and their effect on the private sector. In the end, whilst no grand plan emerged, the Cyber ShockWave group did agree to advise the president to federalise the National Guard, even if state governors objected, and deploy the troops -- perhaps backed by the US military -- to guard power lines and prevent social unrest during such a cascading cyber crisis.