We’re Saved! Experts Show How to Fix U.S. Cybersecurity

The three-hour experiment that showed how to fix our nation’s infrastructure from cyberattack.

National Journal
Patrick Tucker, Defense One
Add to Briefcase
Patrick Tucker, Defense One
May 5, 2014, 8:18 a.m.

The date is April 4, 2015. A ma­jor cy­ber­at­tack hits two gen­er­at­ors in Flor­ida, knock­ing out power in the cit­ies of Cor­al Springs and St. Au­gustine, lead­ing to mul­tiple deaths and mil­lions of dol­lars lost. One month later, Con­gress has to get a bill to the pres­id­ent to fix the vul­ner­ab­il­ity. But polit­ic­al grid­lock, me­dia his­tri­on­ics and ag­gress­ive lob­by­ing from in­dustry makes pas­sage of a bill far from cer­tain. With this as their back­ground, 350 mem­bers of the Tru­man Na­tion­al Se­cur­ity Pro­ject ran a massive sim­u­la­tion on Sat­urday to see if the United States was cap­able of passing le­gis­la­tion to fix the na­tion’s cy­ber vul­ner­ab­il­it­ies in the af­ter­math of a na­tion­al crisis.

In a few rooms at the Wash­ing­ton Plaza hotel, the sim­u­la­tion played out dra­mat­ic­ally over the course of four hours. The feel was Wash­ing­ton, D.C., at hy­per-speed. Five minutes in­to the ex­per­i­ment, a poll re­vealed the pres­id­ent’s ap­prov­al rat­ing fall­ing to 35 per­cent, with the pub­lic trust­ing Re­pub­lic­ans more than Demo­crats to handle cy­ber­se­cur­ity. Ru­mors about the ori­gin of the at­tack moved in whis­pers. With­in ten minutes, busi­ness in­terests sought full li­ab­il­ity pro­tec­tion for Amer­ic­an util­ity com­pan­ies and soft­ware pro­viders. Play­ers’ phones buzzed with push no­ti­fic­a­tions from du­el­ing press re­leases, news re­ports and polls, adding a real­ist­ic ur­gency to the ac­tion

The ex­er­cise rep­res­en­ted something of a first in size and scope for le­gis­lat­ive sim­u­la­tions, with play­ers drawn from Hill staff, the cy­ber­se­cur­ity field, and the mil­it­ary. In the­ory, it showed that Con­gress and the White House are cap­able of passing a cy­ber­se­cur­ity bill with man­dat­ory stand­ards for in­dustry.

Matt Rhoades, dir­ect­or of the cy­ber­space and se­cur­ity pro­gram at Tru­man and the de­sign­er of the ex­per­i­ment, de­scribed it as an acid test to re­veal the ef­fect­ive­ness of the White House’s re­cent Cy­ber­se­cur­ity Frame­work, re­leased in Feb­ru­ary. The frame­work is a set of prac­tices and guidelines for util­ity com­pan­ies, soft­ware de­sign­ers and cy­ber­se­cur­ity play­ers to pro­tect the na­tion’s crit­ic­al in­fra­struc­ture from at­tack.

When asked why cy­ber in­dustry of­fi­cials would vol­un­tar­ily ad­opt se­cur­ity stand­ards that might be costly to im­ple­ment, a seni­or ad­min­is­tra­tion of­fi­cial, speak­ing to re­port­ers at on a con­fer­ence call in Feb­ru­ary, cited “en­lightened self-in­terest,” and said, “It’s very much in their in­terest to know how to ad­opt what’s con­sidered best prac­tice and to put it in a frame­work where it can be ef­fect­ively used.”

The White House frame­work re­ceived some praise for its con­tents, but the ab­sence of any en­force­ment meas­ure led ex­perts such as In­form­a­tion Week’s Dave Fry­meir to dis­miss it as “a re­l­at­ively small step in the dir­ec­tion of im­proved se­cur­ity.”

On the oth­er side, re­search­ers such as Eli Dourado and An­drea Castillo of George Ma­son Uni­versity, sug­gest in this re­cent white pa­per that the frame­work, vol­un­tary pro­vi­sions and all, will likely cause more harm than solve prob­lems.

“In real­ity, much of the func­tion­ing In­ter­net gov­ernance that users en­joy today is not a product of gov­ern­ment com­mit­tees but rather a nat­ur­al emer­gence from the rules and in­cent­ives that per­meate the In­ter­net called ‘dy­nam­ic cy­ber­se­cur­ity,’” they write.

Polit­ic­ally, the frame­work rep­res­en­ted the best White House of­fi­cials could have hoped for at the time. In re­cent years, ef­forts to pass cy­ber­se­cur­ity le­gis­la­tion have stalled on is­sues such as wheth­er stand­ards should be man­dat­ory and what sort of li­ab­il­it­ies util­ity com­pan­ies and oth­er in­dustry play­ers should face in the event of a ma­jor in­cid­ent.

After years of polit­ic­al in­fight­ing, little has changed to make the coun­try safer from cy­ber­at­tack, hence the ne­ces­sity of the ex­per­i­ment in the eyes of Rhoades.

“I have felt for a long time”¦ that it’s un­likely that we will get much policy move­ment in the cy­ber area without a crisis,” Rhoades told De­fense One. “So that leads me to two ques­tions. One is, what is our threshold in terms of what sort of crisis ac­tu­ally spurs that on? The second one is, if we are ac­tu­ally mak­ing de­cisions at the time of a crisis, are we mak­ing good de­cisions or bad de­cisions — are we mak­ing de­cisions that we are bet­ter off mak­ing at a more sober time than at the time of a crisis?”

As to the tim­ing for the ex­per­i­ment, set for May 2015, Rhoades ex­plained, “We wanted to give the ex­ec­ut­ive or­der frame­work about a year to kick in, get out of the elec­tion sea­son”¦ get to a time of year that makes policy more rel­ev­ant.” he said. “This time next year there will be a whole new cast of char­ac­ters,” he said, cit­ing the re­tire­ment of House In­tel­li­gence Com­mit­tee Chair­man Mike Ro­gers, R-Mich., as em­blem­at­ic of the changes that could in­flu­ence cy­ber­se­cur­ity policy in the com­ing months. “We wanted to see if we could take a look at how those folks may or may not feel about cy­ber is­sues.”

How did the game play out: a sim­u­lated House and Sen­ate were barely able to pass a bill with man­dat­ory pro­vi­sions for in­dustry to fol­low to im­prove cy­ber­se­cur­ity. But this out­come was no lib­er­al pipe dream. The White House had to carve out a role for in­dustry via a pub­lic-private work­ing group con­sist­ing of the De­part­ment of Home­land Se­cur­ity, a coun­cil of in­dustry play­ers and oth­ers. “Re­pub­lic­ans were will­ing to ac­cept the man­dat­ory stand­ards be­cause they felt in­dustry had more of a role”¦ it was im­port­ant to have in­dustry at the table as part of a le­gis­lat­ive pro­cess that was on­go­ing,” said Rhoades.

An­drew Borene, an ad­viser to the Cen­ter for Na­tion­al Policy’s cy­ber­space and se­cur­ity pro­gram, who played the part of the pres­id­ent in the sim­u­la­tion, told De­fense One, “This week­end’s cy­ber­se­cur­ity war­game is not about na­vel-gaz­ing on tac­tics, craft­ing talk­ing-points or look­ing at cap­ab­il­it­ies. It’s about tak­ing a group of real-world lead­ers and acid-test­ing our na­tion’s cur­rent cy­ber­se­cur­ity and leg­al frame­work be­fore a real crisis oc­curs.”

Though the sim­u­la­tion was staged, the prob­lem it sought to ad­dress is very real. Re­cent re­search from Wired re­vealed as many as 25 se­cur­ity prob­lems in the su­per­vis­ory con­trol and data ac­quis­i­tion, or SCADA, sys­tems that con­nect to many of the na­tion’s wa­ter, power, and oth­er crit­ic­al in­fra­struc­ture as­sets.

What We're Following See More »
ISIS INVOLVED
Niger Attack Possible Terrorist Set-Up
1 hours ago
THE LATEST

"An emerging theory among U.S. military investigators is that the Army Special Forces soldiers ambushed in Niger were set up by terrorists, who were tipped off in advance about a meeting in a village sympathetic to local ISIS affiliates...The group of American Green Berets and support soldiers had requested a meeting with elders of a village that was seen as supportive of the Islamic State, and they attended the meeting at around 11 a.m. local time Oct. 4...Such meetings are a routine part of the Green Beret mission, but it wasn't clear whether this meeting was part of the unit's plan."

Source:
TRUMP’S COMMENTS AT ISSUE
Bergdahl’s Sentencing Delayed Until Wednesday
1 hours ago
THE LATEST

"The long-awaited sentencing of Army Sgt. Bowe Bergdahl was delayed Monday after a legal battle erupted over the word 'but' in President Donald Trump's most recent remarks about the case. Bergdahl's defense team argued that their client could not get a fair shake from the court because Trump, during a Rose Garden appearance on Oct. 16, at first said he couldn't talk about the case and then added: 'But I think people have heard my comments in the past.'" Trump has called him a traitor and suggested he should be executed.

Source:
FOLLOWING DHS’S LEAD
Pentagon to Scrub Kaspersky from Its Systems
3 hours ago
THE LATEST
STATE-CONTROLLED AIRLINE CONNECTED WITH TERRORISM
Trump Admin to Kill Boeing Sales to Iran
5 hours ago
THE LATEST

"The Trump administration is coming under increased pressure from Congress to kill a landmark deal between Boeing and an Iranian airline known for engaging in terrorism over concerns the Western airline company would enable Tehran's transfer of militant fighters across the region, according to multiple sources, who told the Washington Free Beacon the administration is likely to nix the multi-billion dollar deal. The Obama administration's nuclear agreement with Iran paved the way for U.S. aerospace corporation Boeing to ink a deal with Iran's state-controlled airline, Iran Air, which was recently caught using its commercial planes to ferry Iranian militants to regional hotspots."

Source:
PROBE CAME FROM INQUIRY INTO MANAFORT’S FINANCES
Mueller Investigating Tony Podesta and His Firm
10 hours ago
THE LATEST

"Tony Podesta and the Podesta Group are now the subjects of a federal investigation being led by Special Counsel Robert Mueller, three sources with knowledge of the matter told NBC News. The probe of Podesta and his Democratic-leaning lobbying firm grew out of Mueller's inquiry into the finances of former Trump campaign chairman Paul Manafort."

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login