Export Compliance Daily is a Warren News publication.

White House Can’t Go Too Far in Response to Crippling Cyber Attack, Experts Say

Years of warnings from industry leaders and lawmakers on U.S. cyber vulnerabilities came to life Tuesday as former federal officials participated in a real-time simulated attack on wireless networks that spread to the Internet backbone, financial system and power grid. Playing the role of the National Security Council on the morning of an attack, they debated how to respond, often deciding that forcing network operators, device makers and infrastructure owners to halt traffic, install patches and peer into packets were the best immediate options. The Cyber ShockWave exercise, which included staged cable news reports from “GNN,” was put together by the Bipartisan Policy Center.

“We will kill ourselves politically if we undersell” the gravity of the cyber attack, said former Clinton administration spokesman Joe Lockhart, portraying President Barack Obama’s counselor. Scheduled to address the nation hours later, Obama must use the full statutory power of his office, plus murky constitutional powers rarely invoked, and make a public case early to overcome certain opposition from industry and civil liberties advocates, Lockhart said. Such ideas were largely accepted by others in the simulation and go far beyond those proposed in controversial cybersecurity legislation from the Senate Commerce Committee (CD June 3 p5).

The simulation starts in November, when electric utilities adopt a wholesale trading software platform, SecureTrade, to buy and sell electric service. In February 2011 a group creates a popular smartphone application for March Madness college basketball brackets that actually includes spyware and keyloggers, funneling millions of dollars from pilfered bank accounts of users. A patch goes out in May when the source is identified, but only half of smartphone users download it, in the simulation. That leaves them vulnerable to another malware attack, launched the morning the event is staged, that automatically downloads a video of a Russian army parade and sends it to a user’s contacts, including social networking sites. The heavy data traffic starts knocking out cell service around the country and slowing other communications traffic to a crawl, in the simulation. At the same time a hot summer and hurricane damage the electric transmission system, which was already affected by the data deluge, contributing to power outages along the East Coast halfway through the exercise.

“Quarantining” smartphones to stop the spread of the malware isn’t possible, said Jamie Gorelick, former Clinton deputy attorney general, portraying the attorney general. The patch only cures the March Madness spyware, not the malware video. The government should warn consumers “preemptively” not to expect privacy on their phones as authorities investigate the source of the attacks, she said. It’s inconceivable the government wouldn’t have the authority to order ISPs and carriers to shut down phone service in the attack, said Stewart Baker, former general counsel to the National Security Agency, portraying the federal cybercoordinator.

Gorelick clarified there’s no “off the shelf” authority to make such orders. ISPs will want certification from Gorelick herself that they're acting within the law and can’t be sued later, she said. Net neutrality is “not your friend” during a cyberattack, said Fran Townsend, former George W. Bush homeland security adviser, portraying the secretary of homeland security. ISPs need explicit approval from the government to monitor and share packet information so authorities can determine whether the attack was an act of war, Townsend said. There’s no point telling consumers to turn off their phones, Lockhart said. “You've got to turn them off for them” at the operator level, and argue in “very broad, stark terms [that] this is an attack on the United States.”

Former DHS Secretary Michael Chertoff, portraying the national security adviser and leading the meeting, said he was inclined to the “tough end of the spectrum” suggested by others. He asked whether the military could temporarily “license” its young Cyber Command to protect civilian networks. That relies on a determination of whether the attacks are a national-security issue, said Charles Wald, former deputy commander of the U.S. European Command, portraying the secretary of defense.

Inherent in military involvement is determining the sponsor of the attack, said John Negroponte, former director of national intelligence (DNI), portraying the secretary of state. “We're still working on the ‘finding’ part,” said John McLaughlin, former director of central intelligence, portraying the DNI. He said the CIA had a handful of likely state sponsors but no clear “attribution,” and while authorities could “turn the NSA loose” and gather massive amounts of data, “we will be very intrusive in doing that.”

In the simulation, shortly after, GNN reported that U.S. intelligence traced the video malware to servers in a Russian city and that members of Congress were calling on Obama to demand an explanation from Moscow. Gorelick said she was reluctant to publicly blame Russia, and McLaughlin speculated the servers could have simply been a “hopping point” for the attack. U.S. retaliation -- even shutting down the Russian servers -- wasn’t a popular option. “Imagine when the tables are turned” and another country blames a cyber attack on a U.S. “hacktivist,” Gorelick said. Reports later said the perpetrator behind the March Madness application was identified in Sudan, which doesn’t have an extradition treaty with the U.S., McLaughlin said: U.S. pressure would be like “pushing on Jell-O to some extent.”