We’re Saved! Experts Show How to Fix U.S. Cybersecurity

The three-hour experiment that showed how to fix our nation’s infrastructure from cyberattack.

National Journal
Patrick Tucker, Defense One
May 5, 2014, 8:18 a.m.

The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.

In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.

The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.

Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.

When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”

On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in a recent white paper that the framework, voluntary provisions and all, is more likely to cause harm than to solve problems.

“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.

Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.

After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.

“I have felt for a long time … that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season … get to a time of year that makes policy more relevant.” “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role … it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”

Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.
