We’re Saved! Experts Show How to Fix U.S. Cybersecurity

The three-hour experiment that showed how to fix our nation’s infrastructure from cyberattack.

National Journal
Patrick Tucker, Defense One
May 5, 2014, 8:18 a.m.

The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.

In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.

The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.

Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.

When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”

On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in a recent white paper that the framework, voluntary provisions and all, will likely cause more problems than it solves.

“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.

Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.

After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.

“I have felt for a long time… that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season… get to a time of year that makes policy more relevant.” He added, “This time next year there will be a whole new cast of characters,” citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role… it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”

Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.
