Reaction to Cyber Shockwave

I just finished watching Cyber Shockwave, in the form of a two hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton.

The fake NSC meeting was held in response to a fictitious "cyber attack" against US mobile phones, primarily caused by a malicious program called "March Madness." For more details, read the press releases here, or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday.

In this post I'd like to capture a few thoughts.

  • Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people. (Then watch others criticize it!) I agree that the participants' understanding of how mobile malware works, propagates, etc. was lacking, but that's realistic! It was important to talk about a mass incident -- any mass incident -- to get policymakers and the public thinking about this problem.

  • I think the real value of the exercise was revealing the planning deficiencies when cyber events are involved. Since this exercise supposedly occurred in the future, I was disappointed to not hear mention of the National Cyber Incident Response Plan, currently in draft. More worrying, I didn't hear a single mention of FEMA or the National Response Framework. One of the laws of incident response is that the worst time to determine how to respond to an incident is during the incident!

  • I was reminded that, during a crisis, time is of the essence. Unfortunately, lack of time works against all of the factors that would help craft a better policy response, such as 1) sufficient understanding of the incident; 2) realistic options for containment; 3) workable recovery methods; 4) clear attribution and location of the adversary; 5) identification of the adversary's motive; 6) support for the public's confidence and safety; and 7) preservation of the means to communicate information to the public, among other factors.

  • I was disturbed but not surprised to see the tension between preserving the Constitution, individual liberties, and property rights, vs "aggressive" action which is "ratified" following Presidential order. I was impressed by the simulated Attorney General's defense of the law despite intimations by some of her colleagues that the President could pretty much do whatever he wanted.

  • On a related note, it sounded like the President has much more power if an attack is determined to be an act of war, but making that determination carries its own risks. For example, don't acts of war require retaliation? If so, how will that happen? At one point the question of "kind-for-kind" retaliation was mentioned, and the simulated Secretary of Defense said Cyber Command could take action.

  • Speaking of action, sufficient attribution was a hot topic. First the team learned that a server linked to the March Madness app was located in Irkutsk, in Russia. The Russian government denied involvement, even to the extent that a server in Russia was even a conduit for the event. At that point, participants wanted to know if Cyber Command could "shut down" the server in Russia, like that was important. That bothered me because it could have been irrelevant as a containment or recovery action! The team also questioned if taking action against the Russian server could be an act of war. Again the AG was helpful, framing the issue in two senses: 1) the Afghanistan scenario, where the US took action against the Taliban following the 9/11 attacks for harboring attackers, and 2) the telecom "common carrier" scenario, which essentially indemnifies carriers for the content on their pipes.

  • Next intelligence sources learned a person in Sudan was involved. As you might expect, options for finding and taking hold of that person were discussed. Even the word "rendition" was mentioned! The simulated Director of National Intelligence wanted to acquire and forensically analyze any electronic equipment used by the Sudan party to scope the intrusion, determine attribution, and potentially aid with recovery. Of course this was complicated by a lack of extradition treaties with Sudan, although larger geopolitical factors were mentioned as ways to gain cooperation with the Sudanese government.

  • The role of the military, particularly the National Guard, was mentioned several times. Some thought the military might need to protect critical infrastructure, while others thought the military should deploy to the streets to project force and calm the public. I could relate to this situation after living through the Beltway sniper attacks one month after I moved my family to northern VA. (Police were everywhere for weeks, even though they couldn't really protect anyone.)

  • To complicate the situation, after the first hour news came of a bomb attack on two power stations, leading to or aggravating electrical grid failures on the east coast. I thought this was unnecessary. In the scenario wrap-up, the participants focused mainly on the cyber elements. I thought the exercise could have stayed focused on 100% cyber without bringing in a traditional terrorism angle.

  • Some of the simulated government positions are worth mentioning specifically. For example, when asked what DHS could do, the simulated secretary said that [US-]CERT will be "overwhelmed" and will need NSA's help! DoD said there was no effect on the nation's nuclear weapons. DoJ said the President could not order people to not use their phones, and others reinforced that it would make the President look weak when people would ignore him. The Counselor to the President said to forget about attribution and instead focus on the effect of the incident in order to determine if it were an act of war. Several advisors recommended getting Congressional leaders involved to provide political cover for Presidential decisions. DHs said that the various "sector" groups were not designed to response to a crisis like this. State repeatedly cautioned against speculation, particularly regarding the Russian Army video linked to the March Madness malware app.

  • A few interesting parallels appeared. I mentioned Afghanistan already. One participant likened the event to weapons of mass destruction. I could easily see this being similar to a biological or chemical weapon attack. The simulated Secretary of the Treasury invoked the financial crisis, where decision makers crafted policy on the fly, stretching their authorities and seeking new powers as the situation deteriorated in 2007-2008. President Lincoln suspending habeas corpus during the Civil War was mentioned too.

  • I thought the role of the simulated Cyber Coordinator revealed the weakness of the position. Most of the other participants relied on one, two, or three forms of authority when providing advice. They 1) offered specific expertise, e.g., the AG talking about the law; and/or 2) specific news, e.g., word from the Intel Community, and/or 3) explanations of what their agencies were doing, e.g., State describing interactions with other governments. The simulated Cyber Coordinator didn't do much of those, and when he tried to apply expertise, he was wrong or wrong-headed. I cringed when he mentioned having ISPs require user PCs to be "secure" or to force them to apply patches. Just how would that happen? I could see a useful Cyber Coordinator be the person who knows the technology and its limitations, but outside of that role I have a lot of doubts.

  • It should have been clear that the National Security Council couldn't really do anything to contain or recover from the malware problem, let alone understand how much the situation could deteriorate. Understanding the consequences alone would require real analysis and input from their agencies, probably in NSA or Cyber Command. Taking steps to recover would be really baffling. I think planning and exercising the National Cyber Incident Response Plan with specific scenarios would be a good answer.

  • Wolf Blitzer's questions after the exercise weren't that great. You are not going to get a former government or security official to name foreign adversaries on national television. That reminded me of the briefings during the first Gulf War. Don't journalists know officials are not going to break their security clearances to answer questions like that?

So, I already see lots of comments on Twitter and elsewhere claiming Cyber Shockwave was lame or a waste of time. As you can see it raised a lot of issues that I consider very important. I'm glad BPC organized this event and that CNN televised it. At the very least people are talking about digital security.


Matt Franz said…

In 2010, we are satisfied with just "raising awareness?" We shouldn't be. DHS's CyberStorm I (which I participated in) involved the actual organizations and individuals in government and critical infrastructure asset owners and vendors. Of course whether anything was actually learned/implemented from those exercises is another story, but that is beside the point.

In comparison, Cyber Shockwave seems much more manufactured (Cyber Storm lacked the titillating teaser videos and a 2 hour CNN special with the talking heads) and would seem to designed to exploit the media's appetite for all things Cyber-scary in this new decade. As was the case with 60 Minutes piece a while, I don't believe that any dumbed-down coverage of digital security is good for "the cause." I don't see much practical value media expose's and public show exercises (CyberStorm was FOUO, BTW) and their only possibly value could be to prepare the way for imminent legislation.

- mdf
Excellent Richard. I may be one of the few people in the US without TV so I cannot view the show until CNN posts it. Thank you for the detailed analysis.

Kyle Maxwell said…
I'll be spending some time this week going over it in more detail, but the only criticism I have thus far of the exercise itself is the name. "Cyber ShockWave"? Seriously? Did a thirteen-year-old name this? :p
Bill Wildprett said…
Thanks so much Richard, for your thoughtful review! I missed CNN's first showing so will schedule the DVR to grab it and after watching, will return to your comments.

I'd be interested in viewer demographics outside us security folks and public-affairs people. If even a portion of the average CNN audience watched it, some benefit in security awareness must have occurred.

We'll see...
Unknown said…

Just caught the last 40 minutes or so of the CNN presentation of the event. IMHO, and as you pointed out, the most important aspect of this exercise wasn't what was done or how the panelist reacted, but will be the future lessons learned report that will come from this. I was involved in something similar in 2002 and the biggest impact was the "wake up call" that things needed to be fixed and changed. I hope that message and the subsequent results will be the outcome of this as well.

Anonymous said…
If I may summarize for those that don't want to have their brains ooze out their ears..

All your private networks are belong to the Gubment.*

* only during times of 'crisis' of course.
Anonymous said…
In the scenario that the simulation assumed, the battle is already lost. The government's inability to prevent such severe and widespread effects implies such soft targets, and such a dearth of cyber capabilities, that the possibility of an appropriate response is already lost.

In real life, the response would probably be something crude and stupid, which would only make things worse - bombs, severing cables, or trying pointlessly to chase elusive hackers in remote jurisdictions.

Obviously the only rational way to approach this issue is to secure the computer systems here in the US, so they're not so vulnerable to this sort of thing. That in turn would necessitate replacing the easy-to-exploit operating system that predominates today with a default-secure one, and replacing proprietary code with open source.

But of course this real solution is politically impossible as long as corporations rule the government. No one dares to even mention it. Consequently the cyber-security crisis grows ever worse, and the pols resort to onerous and harmful impositions on citizens to avoid addressing the real problem.
Matt Olney said…
Hey Richard. I through a post up on the VRT blog and referenced this. I'm pretty firmly in the camp that the program was the worst combination of cyber-theater and FUD.

Raising awareness is only of use if it is informed awareness. If an otherwise uninformed viewer came away from this with the idea that this was the face of the cyber threat, then a disservice has been done. There is simply no intelligent interpretation that could be taken from this.

Nothing fails to scale like security and nothing is of the scale of the Fed. While the government can take the lead in encouraging (by carrot or stick) critical infrastructure and DIB improvements in security, incident response is, by necessity the realm of the affected agency/company/organization. If the fed wants to help, then they need to provide a highly interactive coordination center where companies can come to work together in a trusted environment.
Anonymous said…
Your thoughts...

Microsoft Uses Court Order To Cripple Waledac Botnet
By Jennifer LeClaire February 25, 2010 10:11AM

Microsoft has virtually shut down the Waledac botnet through a court order shutting down 277 domain names. Microsoft's Operation b49 moved to act before the Waledac cybercriminals could respond. Waledac is one of the most active spam bots and one of the 10 largest in the U.S. While Microsoft broke the Waledac control links, affected PCs remain infected.
john said…
I was involved in something similar in 2002 and the biggest impact was the "wake up call" that things needed to be fixed and changed.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics