The fake NSC meeting was held in response to a fictitious "cyber attack" against US mobile phones, primarily caused by a malicious program called "March Madness." For more details, read the press releases here, or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday.
In this post I'd like to capture a few thoughts.
- Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people. (Then watch others criticize it!) I agree that the participants' understanding of how mobile malware works, propagates, etc. was lacking, but that's realistic! It was important to talk about a mass incident -- any mass incident -- to get policymakers and the public thinking about this problem.
- I think the real value of the exercise was revealing the planning deficiencies when cyber events are involved. Since this exercise supposedly occurred in the future, I was disappointed to not hear mention of the National Cyber Incident Response Plan, currently in draft. More worrying, I didn't hear a single mention of FEMA or the National Response Framework. One of the laws of incident response is that the worst time to determine how to respond to an incident is during the incident!
- I was reminded that, during a crisis, time is of the essence. Unfortunately, lack of time works against all of the factors that would help craft a better policy response, such as 1) sufficient understanding of the incident; 2) realistic options for containment; 3) workable recovery methods; 4) clear attribution and location of the adversary; 5) identification of the adversary's motive; 6) support for the public's confidence and safety; and 7) preservation of the means to communicate information to the public, among other factors.
- I was disturbed but not surprised to see the tension between preserving the Constitution, individual liberties, and property rights, vs "aggressive" action which is "ratified" following Presidential order. I was impressed by the simulated Attorney General's defense of the law despite intimations by some of her colleagues that the President could pretty much do whatever he wanted.
- On a related note, it sounded like the President has much more power if an attack is determined to be an act of war, but making that determination carries its own risks. For example, don't acts of war require retaliation? If so, how will that happen? At one point the question of "kind-for-kind" retaliation was mentioned, and the simulated Secretary of Defense said Cyber Command could take action.
- Speaking of action, sufficient attribution was a hot topic. First the team learned that a server linked to the March Madness app was located in Irkutsk, in Russia. The Russian government denied involvement, going so far as to deny that a server in Russia was even a conduit for the event. At that point, participants wanted to know if Cyber Command could "shut down" the server in Russia, like that was important. That bothered me because it could have been irrelevant as a containment or recovery action! The team also questioned if taking action against the Russian server could be an act of war. Again, the AG was helpful, framing the issue in two senses: 1) the Afghanistan scenario, where the US took action against the Taliban following the 9/11 attacks for harboring attackers, and 2) the telecom "common carrier" scenario, which essentially indemnifies carriers for the content on their pipes.
- Next, intelligence sources learned a person in Sudan was involved. As you might expect, options for finding and taking hold of that person were discussed. Even the word "rendition" was mentioned! The simulated Director of National Intelligence wanted to acquire and forensically analyze any electronic equipment used by the Sudan party to scope the intrusion, determine attribution, and potentially aid with recovery. Of course this was complicated by a lack of extradition treaties with Sudan, although larger geopolitical factors were mentioned as ways to gain cooperation with the Sudanese government.
- The role of the military, particularly the National Guard, was mentioned several times. Some thought the military might need to protect critical infrastructure, while others thought the military should deploy to the streets to project force and calm the public. I could relate to this situation after living through the Beltway sniper attacks one month after I moved my family to northern VA. (Police were everywhere for weeks, even though they couldn't really protect anyone.)
- To complicate the situation, after the first hour news came of a bomb attack on two power stations, leading to or aggravating electrical grid failures on the east coast. I thought this was unnecessary. In the scenario wrap-up, the participants focused mainly on the cyber elements. I thought the exercise could have stayed focused on 100% cyber without bringing in a traditional terrorism angle.
- Some of the simulated government positions are worth mentioning specifically. For example, when asked what DHS could do, the simulated secretary said that [US-]CERT will be "overwhelmed" and will need NSA's help! DoD said there was no effect on the nation's nuclear weapons. DoJ said the President could not order people to not use their phones, and others reinforced that it would make the President look weak when people ignored him. The Counselor to the President said to forget about attribution and instead focus on the effect of the incident in order to determine if it were an act of war. Several advisors recommended getting Congressional leaders involved to provide political cover for Presidential decisions. DHS said that the various "sector" groups were not designed to respond to a crisis like this. State repeatedly cautioned against speculation, particularly regarding the Russian Army video linked to the March Madness malware app.
- A few interesting parallels appeared. I mentioned Afghanistan already. One participant likened the event to weapons of mass destruction. I could easily see this being similar to a biological or chemical weapon attack. The simulated Secretary of the Treasury invoked the financial crisis, where decision makers crafted policy on the fly, stretching their authorities and seeking new powers as the situation deteriorated in 2007-2008. President Lincoln suspending habeas corpus during the Civil War was mentioned too.
- I thought the role of the simulated Cyber Coordinator revealed the weakness of the position. Most of the other participants relied on one, two, or three forms of authority when providing advice. They 1) offered specific expertise, e.g., the AG talking about the law; and/or 2) specific news, e.g., word from the Intel Community; and/or 3) explanations of what their agencies were doing, e.g., State describing interactions with other governments. The simulated Cyber Coordinator did little of that, and when he tried to apply expertise, he was wrong or wrong-headed. I cringed when he mentioned having ISPs require user PCs to be "secure" or to force them to apply patches. Just how would that happen? I could see a useful Cyber Coordinator being the person who knows the technology and its limitations, but outside of that role I have a lot of doubts.
- It should have been clear that the National Security Council couldn't really do anything to contain or recover from the malware problem, let alone understand how much the situation could deteriorate. Understanding the consequences alone would require real analysis and input from their agencies, probably in NSA or Cyber Command. Taking steps to recover would be really baffling. I think planning and exercising the National Cyber Incident Response Plan with specific scenarios would be a good answer.
- Wolf Blitzer's questions after the exercise weren't that great. You are not going to get a former government or security official to name foreign adversaries on national television. That reminded me of the briefings during the first Gulf War. Don't journalists know officials are not going to break their security clearances to answer questions like that?
So, I already see lots of comments on Twitter and elsewhere claiming Cyber Shockwave was lame or a waste of time. As you can see it raised a lot of issues that I consider very important. I'm glad BPC organized this event and that CNN televised it. At the very least people are talking about digital security.