The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry makes passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.
In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action
The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.
Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.
When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters at on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”
The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”
On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University, suggest in this recent white paper that the framework, voluntary provisions and all, will likely cause more harm than solve problems.
“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.
Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.
After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.
“I have felt for a long time”¦ that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”
As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season”¦ get to a time of year that makes policy more relevant.” he said. “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”
How did the game play out: a simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role”¦ it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.
Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”
Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.
What We're Following See More »
President Obama became a surprise topic of contention toward the end of the Democratic debate, as Hillary Clinton reminded viewers that Sanders had challenged the progressive bona fides of President Obama in 2011 and suggested that someone might challenge him from the left. “The kind of criticism that we’ve heard from Senator Sanders about our president I expect from Republicans, I do not expect from someone running for the Democratic nomination to succeed President Obama,” she said. “Madame Secretary, that is a low blow,” replied Sanders, before getting in another dig during his closing statement: “One of us ran against Barack Obama. I was not that candidate.”
It’s all about the 1% and Wall Street versus everyone else for Bernie Sanders—even when he’s talking about race relations. Like Hillary Clinton, he needs to appeal to African-American and Hispanic voters in coming states, but he insists on doing so through his lens of class warfare. When he got a question from the moderators about the plight of black America, he noted that during the great recession, African Americans “lost half their wealth,” and “instead of tax breaks for billionaires,” a Sanders presidency would deliver jobs for kids. On the very next question, he downplayed the role of race in inequality, saying, “It’s a racial issue, but it’s also a general economic issue.”
It’s been said in just about every news story since New Hampshire: the primaries are headed to states where Hillary Clinton will do well among minority voters. Leaving nothing to chance, she underscored that point in her opening statement in the Milwaukee debate tonight, saying more needs to be done to help “African Americans who face discrimination in the job market” and immigrant families. She also made an explicit reference to “equal pay for women’s work.” Those boxes she’s checking are no coincidence: if she wins women, blacks and Hispanics, she wins the nomination.
Under pressure from a judge, the State Department will release about 550 of Hillary Clinton’s emails—“roughly 14 percent of the 3,700 remaining Clinton emails—on Saturday, in the middle of the Presidents Day holiday weekend.” All of the emails were supposed to have been released last month. Related: State subpoenaed the Clinton Foundation last year, which brings the total number of current Clinton investigations to four, says the Daily Caller.