The United States has experienced a widespread cyber attack, infecting telecommunications and other IT structures throughout the U.S. infrastructure. The attacks have left the U.S. telecom and IT infrastructure virtually disabled throughout the country.
While this is fortunately just a war game, the results are equally scary. Today, the Bipartisan Policy Center hosted a mock cyber attack called Cyber ShockWave, which simulated a meeting with the National Security Council (with Michael Chertoff playing the head of the NSC) and how it would respond to an ongoing attack.
The event featured a number of former U.S. government officials who played the part of senior members of the NSC. The exercise sought to examine how the NSC would react to a major cyber attack in real time.
The war game was set in 2011, with the United States coming off a series of natural disasters. An application used in smart phones turns out to have malware installed and leads to a cascading effect on the telecom networks. Later in the exercise, portions of the power grid are taken down through IED attacks.
An electronic trading system is also eventually knocked offline, the telecom sector shuts down and the Internet becomes virtually unusable. Power throughout much of the Eastern seaboard is also disrupted. With the electronic trading system offline, a mere 8 hours could cost the US around $9 million.
The event highlighted some of the significant difficulties in dealing with attacks coming through cyberspace. Some of the major issues include attribution and a host of legal implications.
Attribution is commonly perceived as a principal issue with regard to attacks in cyberspace. In cyberspace, it is much easier for individuals or governments to carry out attacks and use misdirection to make the attack appear to emanate from another area. At the end of the exercise, John Negroponte, a former U.S. diplomat playing the role of Secretary of State, said “attribution was one of the hardest issues to deal with.”
During the exercise, a server hosting the attack appeared to be based in Russia. However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event.
The policy implications of responding to a cyber attack could potentially cause a significant and cascading problem. If the US were to reach out into a foreign country to shut down a server that is causing the attack, what happens when a ‘hacktivist’ using US servers conducts a cyber attack against China or Russia? Would they too then have the authorization or justification to respond by shutting down a US server?
The exercise also grappled with the role the military can and should play in the event of any cyber attack. A number of participants advocated for the DoD to actually take the lead role in defending not only the networks but also other aspects of the critical infrastructure. Fran Townsend, former Assistant to President George W. Bush and serving in the exercise as the Secretary of Homeland Security, advocated for ceding her authority to the DoD and supporting them in a ‘homeland defense’ model rather than homeland security.
Another point raised during the evolution was that the private sector is not standing idly by watching these attacks occur and doing nothing. The private sector is also looking to combat the attacks against their networks.
“We are going to have to have a war hardened sector,” said Jamie Gorelick, former member of the 9/11 Commission.
The mock NSC even discussed potentially nationalizing power companies and service providers if they failed to act in the national interest.
Ultimately, in the several hours that the war game lasted, the United States was increasingly beset by attack with little knowledge of who perpetrated it. The exercise revealed the complexities that U.S. policy makers would face in the event of an attack.
Several suggestions for policy makers moving forward are to establish firm guidelines and practices before an attack occurs, along with developing sound doctrinal definitions of what constitutes an act of cyberwar and what is considered a legally justifiable response.