404 Tech Support

Cyber Shockwave – A War Game We Lost

On February 16th, the United States government participated in a war game that was different from any others in recent years. Moving from the conventional attacks, threats, and worries of the past this most recent war game started with our digital infrastructure. An app was downloaded by over 20 million smart phones called March Madness. This app activated a malicious bit of code right before this simulation began and proved itself to be a worm that spread to other phones through your contact list. Meanwhile, the president’s “cabinet members” (played by former senior administration and national security officials) have convened to advise the president and plan a reaction as more intelligence and news is presented in real time.

What will the government’s response be? Well, I think the saying goes “There’s a map for that.”

That map doesn’t look good and neither did the results of the war game which was created by the Bipartisan Policy Center. CNN presented a taping of the simulation last week called We Were Warned and I can only hope the results were a bit eye-opening. You can see the intriguing trailer for the event on YouTube:

I wasn’t able to find a streaming video available on CNN, fortunately I had it on my DVR. If you’ve missed the video, you can settle for the official transcript. The special was hosted by Wolf Blitzer and included these officials as actors inside a mock White House Situation Room:

As the simulation continued, intel came in stating that users in Scandinavia and Japan were being affected by this attack as well. As the dialog continues and the situation escalates, the Attorney General informs the room that the government doesn’t have the authority to quarantine cell phones which the Cyber Coordinator argues. Can the President advise to people in his upcoming address to turn off their phones? Some in the Situation Room try to say that the government needs to turn cell phones off for people instead because ineffectiveness will be worse than the current problem.

Similar to an act of terrorism, a state may not be responsible, it may be hosting malicious individuals or malicious guests may just be within its borders. At the same time intel comes forth that reveals the attack is originating from servers in a Russian city. Now, Internet access is slowing to a crawl in general as the virus has passed from phones to computers through their synchronization process. Meanwhile, debate continues on whether the National Guard should be called up. A high priority goal now is to avoid wide-scale public panic. Further intel is found that discloses that the perpetrator behind the attack is in Sudan and Russia denies any involvement. The problem continues to escelate though as the East coast is starting to lose electric power. Two IEDs (Improvised Explosive Devices) were reported as being used to blow up two different electrical substations on the east coast.

The simulation continued until it reached the 2 hour limit at which point Wolf Blitzer concludes with some good questions for the actors:

BLITZER: We are going to continue now with “We Were Warned: Cyber Shockwave.” We have just seen a fictional scenario where a cyber attack crippled the United States infrastructure and the economic system.
But what could we really learn from what we have just seen, and what is being done to prevent a real cyber war? We are going to get some answers now from these former high-level officials in the U.S. government who participated in this war room simulation.
And I guess the first question goes to John Negroponte. Was it really realistic? In the real world of today, could the United States face this kind of crisis?

NEGROPONTE: It didn’t — none of it struck me as particularly outlandish, no.


BLITZER: Charles Wald, do you believe that the United States is prepared right now to deal with this threat?

WALD: I think we’re preparing for it. I don’t think we are prepared as much as we should be.

I think the scenario we saw today is believable. It may be more difficult than we have made it look potentially, but I think people would like to do this to us. And I think it would be a non-state actor, myself.

So I think we need to continue to now treat cyber threats the same way we do WMD, for example. We need to put the same emphasis on that, and we need to be thinking through this and start developing better policy, and understanding the process better. It is still very abstract to most people, I think.

BLITZER: Ambassador Negroponte, does Al Qaeda today have these savvy, sophisticated computer experts that could launch this kind of attack?

BLITZER: Jamie Gorelick, it sounds to me, based on everything we heard you say during this war game right now, that the legal questions are so murky and muddy out there, that it sort of cries out for some either new legislation or a decision-making process that comes to grips with what is out there right now.

GORELICK: Well, we have to come to grips, as you put it, with the implications for our personal privacy and the relationship between the federal government and the private sector.

I mean, our national security rests on a bed of wholly-owned private enterprise, and unless we are very clear as to what we expect from them, expect from private enterprise in the easy times, and what we need from them in the time of crisis, we are going to be left to the kind of “Let’s just do it and figure it out later.”

BLITZER: The people who are watching this program on CNN in the United States and around the world right now, they are going to be scared, Stewart Baker, because they are going to come to the conclusion, “You know what? The United States is not prepared for this kind of an attack.” Is that an appropriate conclusion that they should come to?

BAKER: I think unfortunately that that is true. In fact, I’m writing a book called “Skating on Stilts,” and I think that is exactly what we are doing — we are skating toward a fall.

BLITZER: Do you see any evidence, Joe Lockhart, that the Obama Administration is on top of this issue – and answer the question honestly.

LOCKHART: I am going to have to think about it. And this will be a first with you, Wolf, that I answer a question honestly. Seriously, yes, they are on top of it. But you don’t solve problems like this by people like this around the table being on top of it.

You know, Jamie will back me on this — countless meetings in the second half of the Clinton Administration on counter-terrorism, bio- terrorism, cyber-terrorism – particularly with the work Jamie was doing.

But without things like this, or without a full-blown crisis, it doesn’t rise to the level where people within government take it seriously enough, people within industry take it serious enough, and, most importantly, the public.

So, the question I think you asked, is the public scared? Yes, and that’s a good thing. Because when the public has a demand, the government provides the supply.

There was plenty of bureaucracy apparent through the event. Politics were being played full-swing amidst the crisis. Certain people had to be involved just so they could put their name/stamp of approval on the project. The things that kept sticking out at me throughout this war game was the complete and utter lack of policy and prepared reactions. We kept hearing things like:

It’s unprecedented…
Our laws don’t cover this…
This is uncharted territory…
We need international-level treaties and declarations about being able to turn off servers…
Do we need to create the authority to allow the government to step into the private sector to do incredible things in dire situations?

A question relevant to IT was found near the end:

CHERTOFF: Let me ask you two questions, though, to press you on this because I’m sure the president is going to ask me about this.

First of all, some of what you want us to do involves getting people and institutions to use the tools they already have — patches, anti-viral software — and actually simply download them and implement them. And a lot of people don’t do it.

How do you make them do it? And, do you say, instead of asking voluntarily to do it, do you simply make them do it by doing it from a remote location? In other words, do you have the ISPs and the telecoms make people or download it on their own volition even if people don’t do it themselves?

The conclusion was reached that for the private sector and privacy, acts need to be: Reasonable. Temporary. Necessary. Not over reaching. The Secretary of Defense also presented the conclusion that Cyber Command will need to stand up and take the lead in developing the new Rules of Engagement. The binary means of handling a situation, international overseas war-fighting and domestic traditional law enforcement has proven itself to be outdated and useless in a situation like Cyber Shockwave.

In conclusion, the Cyber ShockWave war game makes my meetings look very boring. More importantly, I can only hope the USA is more prepared because of this simulation. It is very apparent that the lack of digital-relevant policies and the abundance of politics makes it hard for the cabinet to do anything productive at all. We watched over an hour the situation became worse and worse while no concrete, helpful measures were taken by this group. Fortunately steps are beginning to be made like the House bill being introduced to bolster Cyber Security. We’re still way behind where we should be.