OK, I can't help this, and while it's probably unfair, I have to share some of the funnier Twitter responses to this:
“@katelynxop9 Has CNN lost it? Just tuned in to CyberShockwave. I thought only the Weather channel ran those "It could happen tomorrow" stories...”
“@Tigerbeard Michael Chertoff should stick to what he does best: failing to conquer Castle Greyskull. #cybershockwave”
“@shandy_d Hey hey! #cybershockwave is on CNN! Let's see if this panel of old white guys can put me to sleep. #insomniaWARS”
On his blog, Richard Bejtlich had a somewhat more level take on the exercise:
“Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people. (Then watch others criticize it!) I agree that the participants' understanding of how mobile malware works, propagates, etc. was lacking, but that's realistic! It was important to talk about a mass incident -- any mass incident -- to get policymakers and the public thinking about this problem.”
Well…yes. However, this was pitched as a cyber-security mile marker: a test of how we, as a country, are able to handle a cyber-attack. But that isn’t what we were shown; that isn’t what happened here. What happened was that a series of problems came up and, while they were reportedly caused by a “cyber attack”, nothing in the response was driven by the obstacles a “cyber” threat actually presents. Instead there was talk of sending in the National Guard to protect critical infrastructure and prevent looting in major cities. There were arguments about retaliation and attribution. There was even a questionable discussion of what the impact would be: “Air traffic controllers depend on the Internet” (Stephen Friedman, National Economic Council Director 2002-2004 and participant in “CyberShockwave” as Secretary of the Treasury), and of how to solve it in the future: “We are going to say to the private sector ‘I’m sorry, you’re going to have to delay bringing this hot new application to market until you can assure it is safe’”* (Jamie Gorelick, Deputy Attorney General 1994-1997 and participant in “CyberShockwave” as Attorney General). But all of this concentrated on how to wield the powers of the federal government, not on how to actually mitigate an attack.
Look, an event like this isn’t going to be like 9/11, as much as the fear mongers would like you to think so. This isn’t a plane hitting a building, killing 3000 people and leaving us all staring at the television while our brains desperately try to figure out what the hell the images mean. This won’t be a cowardly attack on our country that delivers a blow and then leaves us with nothing to do but stare at the rubble. This will be an outright pitched battle between attackers and thousands of largely anonymous security practitioners at companies both large and small. Every hardcore incident handler, reverse engineer and malware analyst will be on this thing like a pack of rabid spider monkeys before the policy makers have even gotten their ugly red/yellow/blue striped ties on. Seriously, Mr. McLaughlin, that thing was an atrocity. (John McLaughlin, CIA Deputy Director, 2000-2004, CIA Acting Director, 2004 and participant in “CyberShockwave” as Director of National Intelligence).
No, this won’t be over in a single horrifying moment. Nor will it be solved by suddenly deciding to “license Cyber Command to defend the country” – (Michael Chertoff, Secretary of the Department of Homeland Security, 2005-2009 and participant in “CyberShockwave” as a National Security Advisor) or by having the NSA barge in and dictate to ISPs, telcos and energy companies what to do. A successful response to a broad, highly technical attack that we would expect to precede the kind of events described here can only come from cooperation between disparate sets of highly talented incident handlers and highly technical contact points in the government.
Will this happen? Well...it isn't looking great right now. The Federal Government still seems focused on a “we’re going to come in here and fix things” attitude. Take, for example, Jamie Gorelick’s comment: "The Secretary of Homeland Security has said we're in communication with various industries but that communication has to be very different if we are to fix this. It has to be directive." The difference between cyber-threats and the threats we’ve faced in the past is that America’s fighters are, for the most part, not Government employees, and nothing any of the participants in this exercise said suggested they understand that.
So was the Washington Post justified in its headline “War game reveals U.S. lacks cyber-crisis skills”? No, of course not. No cyber-crisis problem ever came up that anyone could have applied cyber-crisis skills to. All that happened was that a group of political operatives showed up, the organizers said "cyber", and then went on to describe a series of increasingly awful events. So what did our panelists do? They flailed and grasped at straws. They argued for the quarantining of cell phones and the nationalization of power generation and telecommunications companies. They talked about using extraordinary rendition to pick up the attackers so they could be interrogated. They talked for hours about how to justify the full use of executive power. Urging action without regard to the constraints of law, Joe Lockhart said: “We will be judged…did we carve out every absolute option, every piece of power we had?...I don't think that we should be debating whether we federalize the national guard, the president should say "We are federalizing it". ….in a crisis you take extraordinary steps." (Joe Lockhart, White House Press Secretary from 1998-2000 and participant in “CyberShockwave” as a counselor to the President). But none of these actions would have made things better.
CyberShockwave did nothing to tell us how prepared we are to weather a cyber-attack. The proposed scenario is…well, let’s say the feasibility of that scenario is being debated. And the response was nothing but the old way of responding to a crisis. No understanding of the complexities of the systems involved. No acknowledgment that those systems are diverse and unique. No demonstration of any understanding of why the cyber-attack threat poses such a challenge. The biggest adversary to this group seemed to be the private sector, which they were continually trying to find ways to dictate to or federalize. Cooperation never appeared as an option to them.
The lack of a true "cyber" element means that we could have tuned into CNN Sunday night and have been greeted with:
"Wolf Blitzer here and on a special CNN Presents, our panel of well regarded political heavyweights will be faced with..." and then any of the following:
"an EMP triggered by a terrorist organization."
"a violent coronal mass ejection."
"a coordinated terrorist bomb attack on critical power infrastructure."
"a bizarre black hole related event stemming from an experiment at the Large Hadron Collider."
and a great deal of the conversation would have been the same. This was indeed, to use Bejtlich's words, a "mass incident". But it had almost no relation to how a cyber-attack would actually occur or be responded to. It was simply an exercise in what the government would do if faced with something it didn't understand and hadn't prepared for.
So what DID we learn from all of this? Well…we learned what some highly placed folks think is necessary to fight the threat. We also know what they think they need to do to get the extraordinary power they feel they need. In the final moments of the CNN presentation, Joe Lockhart left us with this statement on why fear mongering works:
"Is the public scared? Yes, and that's a good thing. Because when the public has a demand, the government provides the supply."**
On the flip side, the current administration may have a better grasp on how to respond. The actual agencies that would come into play might be able to provide a more accurate representation of the needs of the private sector in responding to an incident of this level. It is even likely that technical relationships are already in place between key governmental agencies and private industry that will allow the rapid sharing of what is being seen and what is effective as a mitigation. There might even be a plan for rapidly standing up a coordinating organization to manage data flow both into and (far more importantly) out of the federal side. And you should do the same.
Now is the time for you to start building the informal systems that are going to be necessary to weather a significant, sustained cyber attack. Many critical infrastructure organizations already do this, but any industry vertical can do the same. Find out who your peers are in other organizations in your vertical. Meet them at conferences, hit them up in email, give them a call. Reach out NOW and establish the relationships, the trust networks and the formal and informal agreements that will allow you to rapidly share information in the face of an attack. I know that this will be challenging when, in many cases, it is your competitors that you will be speaking to. But they face the same external threats you do and will be the outside group with the best chance of working with you to handle a coordinated attack.
Remember: Technology won’t save you. People will save you. Time to pick your team, and don't be foolish enough to think that everyone you need works at your company.
* -- Why the hell didn't we think of that?
** -- Yikes.