Thursday, February 18, 2010

Cyber Shockwave Post Mortem

When the grid goes down, almost everything goes down. Lessons learned, there are plenty. But first, the Bipartisan Policy Center (BPC)'s own summary of the game:
Cyber ShockWave highlighted the immediate, real dangers of cyber-terrorism by bringing together a bipartisan group of former senior administration and national security officials playing the roles of Cabinet members. The simulation envisioned an attack that unfolds over a single day in July 2011. When the Cabinet convenes to face this crisis, 20 million of the nation's smart phones have already stopped working. The attack, the result of a malware program that had been planted in phones months earlier through a popular "March Madness" basketball bracket application, disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.
By all accounts I've read, it was chaos from start to finish. An overwhelming trio of information problems faced the surrogate executive decision makers: 1) a lack of quality information, 2) a lack of confidence in the information being received and communicated, and ultimately, 3) information overload ... all of which led to paralysis.

The echoes of 9/11 and in particular, the control room confusion depicted in the fantastic film version of "Flight 93", are quite strong. If you can't tell who's attacking you or how or why, how can you decide upon the right courses of action in near-real time? The compulsion to action is great in these situations, but absent the most fundamental situational awareness, almost all actions are futile or worse. And by the time you do begin to understand what's going on, it's far too late for meaningful defense. At best, offense and well-informed reprisal are for another day.

Dark Reading's take, which finds the US response wanting, is here. And the Dark Reading's CS blog touches on Shockwave as well. Written by Robert Richardson, director of the Computer Security Institute (CSI), it makes some points that are definitely worth a look. The first addresses the profound lack of crucial domain knowledge in the crisis room:
The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed--and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody.
While there's little cyber security practitioners can do to address some of the initial Shockwave concerns, Richardson finds two gaps we could begin to help close:
... how we improve attribution of attacks to their perpetrators and the question of how easily subverted software is kept off the networks are two areas that the security community can potentially address.
The first is a cyber forensics master challenge. As to the latter, we're not going to keep software off networks (networks exist to move software and data). But I suggest we can make software much more difficult to subvert, and should be making that a top priority.

And of course, cyber attacks on US and global assets never stop; they only escalate in strength and complexity. Here's the latest reported by the Wall Street Journal.

What's next? CNN will air the event exclusively as "We Were Warned: Cyber Shockwave" on Saturday, February 20 and Sunday, February 21 at 8:00pm, 11:00pm and 2:00am ET each night.
