The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry makes passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.
In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action
The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.
Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.
When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters at on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”
The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”
On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University, suggest in this recent white paper that the framework, voluntary provisions and all, will likely cause more harm than solve problems.
“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.
Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.
After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.
“I have felt for a long time”¦ that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”
As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season”¦ get to a time of year that makes policy more relevant.” he said. “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”
How did the game play out: a simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role”¦ it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.
Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”
Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.
What We're Following See More »
"According to a new POLITICO/Morning Consult poll, the first national post-debate survey, 43 percent of registered voters said the Democratic candidate won, compared with 26 percent who opted for the Republican Party’s standard bearer. Her 6-point lead over Trump among likely voters is unchanged from our previous survey: Clinton still leads Trump 42 percent to 36 percent in the race for the White House, with Libertarian nominee Gary Johnson taking 9 percent of the vote."
After a lighthearted beginning, Donald Trump's appearance at the Al Smith charity dinner in New York "took a tough turn as the crowd repeatedly booed the GOP nominee for his sharp-edged jokes about his rival Hillary Clinton."
Evan McMullin came out on top in a Emerson College poll of Utah with 31% of the vote. Donald Trump came in second with 27%, while Hillary Clinton took third with 24%. Gary Johnson received 5% of the vote in the survey.
A new Quinnipiac University poll finds Hillary Clinton leading Donald Trump by seven percentage points, 47%-40%. Trump’s “lead among men and white voters all but” vanished from the university’s early October poll. A new PPRI/Brookings survey shows a much bigger lead, with Clinton up 51%-36%. And an IBD/TIPP poll leans the other way, showing a virtual dead heat, with Trump taking 41% of the vote to Clinton’s 40% in a four-way matchup.