The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.
In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.
The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.
Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.
When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”
The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymeir to dismiss it as “a relatively small step in the direction of improved security.”
On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in a recent white paper that the framework, voluntary provisions and all, is more likely to cause harm than to solve problems.
“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.
Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.
After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.
“I have felt for a long time… that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”
As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season… get to a time of year that makes policy more relevant.” “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”
How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role… it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.
Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”
Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.