CyberShockwave = CyberFAIL Difference of Opinons
I just finished watching Cyber Shockwave, in the form of a two hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton.
The fake NSC meeting was held in response to a fictitious “cyber attack” against US mobile phones, primarily caused by a malicious program called “March Madness.” For more details, read the press releases here, or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday.
The Rest HERE
So, I already see lots of comments on Twitter and elsewhere claiming Cyber Shockwave was lame or a waste of time. As you can see it raised a lot of issues that I consider very important. I’m glad BPC organized this event and that CNN televised it. At the very least people are talking about digital security. Posted by Richard Bejtlich at 22:11 7 comments
Bejtlich and I differ in opinions on a few things but I think he has some good points. I was reactive that night at the superciliousness of the exercise as presented by CNN. Now that I have had time to think a bit, let me put some more words around what I spewed out on Saturday in hopefully a more cogent way.
Tao’s thoughts will be followed by my own.
- Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people.
I still feel that this was no real exercise. One would hope that in such meetings today, we would have technically savvy people there on hand to talk to the technical aspects of what was happening and what course to take. If we do not have someone technical in the SITROOM then we are hosed from the get go. You need to have SME’s there to explain the situation technically.
- I think the real value of the exercise was revealing the planning deficiencies when cyber events are involved. Since this exercise supposedly occurred in the future, I was disappointed to not hear mention of the National Cyber Incident Response Plan, currently in draft.
I agree here. It would have been nice if they had talked about this response plan, but I am not so sure that this will get off the ground. Never mind the fact that were this type of attack to happen within say, the next 5 years, I am sure we would still not have the infrastructure to handle it properly as a country.
The turf wars that have started now likely will still be being fought and there will likely be no clear direction to follow. I really think that this country has yet to really hit by an attack from which it will learn and change. Until then, we will have talking heads in bunkers making bad decisions while the outside world goes to shit.
I was disturbed but not surprised to see the tension between preserving the Constitution, individual liberties, and property rights, vs “aggressive” action which is “ratified” following Presidential order. I was impressed by the simulated Attorney General’s defense of the law despite intimations by some of her colleagues that the President could pretty much do whatever he wanted.
This is classic talking head NSC blather. It was exacerbated by the fact that there were no technical SME’s on the panel to help the talking heads understand the complexities of the problem. When they started talking about the constitutionality of pulling cell phones offline as well as taking over telcos, I was just beyond rational thought.
Were they to start doing these things it would only lend to the pandemonium that this attack and the press chatter about it would have caused. This would only amp it up and make the nation go into panic mode.
Additionally, you could see as is pointed out above, that they seem to think that the president has carte blanche here to “protect the nation” but in doing these things, or even advocating them, they are doing this country a dis-service.
To complicate the situation, after the first hour news came of a bomb attack on two power stations, leading to or aggravating electrical grid failures on the east coast. I thought this was unnecessary. In the scenario wrap-up, the participants focused mainly on the cyber elements. I thought the exercise could have stayed focused on 100% cyber without bringing in a traditional terrorism angle.
Here I diverge again from Tao’s opinion. The cyber attack in question was a part of a larger attack that culminated with the explosion and taking down of the grid. Of course in the future this may not be necessary because the grid will be “smart” technology that is likely to be easily hacked and taken down in a massively larger plot. This would work even better because of the connectivity planned for these systems.
In this case though, if this were a nation state actor they likely would take out the northeast grid at a sensitive location to make things worse. Of course the NE has the economic center of NY, so you can see where I am going here. Tao seems to miss that point. It’s not all about the cyber. In fact, I am more worried about a blended attack than I am a straight cyber one simply because, as the panel said, the systems are disparate and segregated. You couldn’t take them all down at once. Unless that is, you have invested a lot of time hacking and back door-ing them all before the attack goes live.
This is another thing that was not talked about on the panel and may not have been apparent to many in the audience.
I thought the role of the simulated Cyber Coordinator revealed the weakness of the position. Most of the other participants relied on one, two, or three forms of authority when providing advice. They 1) offered specific expertise, e.g., the AG talking about the law; and/or 2) specific news, e.g., word from the Intel Community, and/or 3) explanations of what their agencies were doing, e.g., State describing interactions with other governments. The simulated Cyber Coordinator didn’t do much of those, and when he tried to apply expertise, he was wrong or wrong-headed. I cringed when he mentioned having ISPs require user PCs to be “secure” or to force them to apply patches. Just how would that happen? I could see a useful Cyber Coordinator be the person who knows the technology and its limitations, but outside of that role I have a lot of doubts.
Yes, there is no authority nor was there comprehension of the issues at hand by the one in charge. I think that we have much more to learn from episodes like this and yes, this was a learning experience, however, it need not have been on CNN. Unless this little event was a chance for the counterintel folks to pass out a healthy helping of “disinformation” we just let the world know pretty well how fubar we are where this attack type is concerned.
On the issue of Tao’s cringing at the desire for ISP’s etc to enforce secure practices online, I don’t agree fully. I think that we need to get educated, but do stop at forcing people to be secure. However, I do agree that forcing corporations, military, contractors, etc that interface with the “infrastructure” should be forced to practice security. By law we already have rules about securing credit card and personal data, why not go further and audit companies to such standards around INFOSEC in general?
After all, its all of these places that are the weak spots and getting hacked lately by the likes of China right? How about more legislation, oversight, and action here?
In closing, I just want to re-iterate that this CNN show was poorly thought out. The whole “War of the Worlds This is a simulation” crap was almost not necessary because it was so patently useless. So yes, it may have brought up some questions that may be usefull to those in power, but mostly, it just led to more FUD for the public.