We’re Saved! Experts Show How to Fix U.S. Cybersecurity

The three-hour experiment that showed how to protect our nation’s infrastructure from cyberattack.

National Journal
Patrick Tucker, Defense One
May 5, 2014, 8:18 a.m.

The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.

In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.

The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.

Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.

When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”

On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in this recent white paper that the framework, voluntary provisions and all, will likely cause more problems than it solves.

“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.

Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.

After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.

“I have felt for a long time … that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season … get to a time of year that makes policy more relevant.” “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role … it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”

Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.
