RSA CONFERENCE 2018 - San Francisco - Good-natured bickering between participants of a cyber war game exercise here Tuesday showed how federal agencies both collaborate with and differ from one another when responding to incidents. The areas where opinions diverge most: how much attribution is enough to act upon, when it's appropriate to use "kinetic" military action as part of a cyber incident response, and when a cyberattack becomes an act of war.

The discussion took place in a session called "Cyber War Game — Behind Closed Doors with the National Security Council," mediated by CrowdStrike CTO Dmitri Alperovitch and Columbia University research scholar Jason Healey. Representing the members of the National Security Council were former high-ranking officials of US federal agencies that are regular attendees of the council.

Playing the role of Department of Homeland Security was Suzanne Spaulding, former under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, and currently senior adviser for the Center for Strategic and International Studies. Playing the role of Department of Justice was John Carlin, former assistant attorney general for the DOJ's National Security Division and currently a partner at Morrison Foerster LLP, where he chairs its global risk and crisis management team. Playing the role of Department of Defense was Eric Rosenbach, former chief of staff to the secretary of defense, and currently co-director of the Belfer Center for Science and International Affairs at Harvard University.

The exercise proposed a scenario in which the US had uncovered military dimensions of the Iranian nuclear program and discovered that Iran's pursuit of a nuclear weapons program posed a threat. In addition, a series of cyber campaigns began, including a leak of documents from previous intrusions into Congress and wiper malware destroying those networks.

Later in the exercise, attribution for the first cyberattacks is confirmed to be from Iran. New attacks begin, including in other countries (critical infrastructure in Israel), and a compromise of a subway control system in Los Angeles that forced one train crash that caused fatalities.

As Carlin (DOJ) explained, there are two primary objectives in this exercise: "Stop the cyberattacks. And stop the nuclear development." All participants agreed that the cyberattacks are the more immediate threat to be contained.

However, they differed somewhat on how to contain the threat.

Spaulding spoke about reaching out to more potential victims, gathering forensic data and sharing threat intelligence with state transportation authorities. Carlin spoke about determining attribution, setting up surveillance, and determining what legal response and sanction actions are available to the government depending upon what "red lines" had been crossed — for example, what kind of response had the US government already stated it would take if a cyberattack had caused bodily harm to a US citizen, as this had. 

Rosenbach took it further: "This is an armed attack against the United States," he said, noting that if a train had crashed because of an explosive device instead of a cyberattack, nobody would question that it was anything else. Loss of life or significant economic consequences will change the nature of the response, he said.

The participants also diverged on the topic of attribution, with Rosenbach stating that we've been in the habit of delaying response because we require too much confirmation of attribution.  

Spaulding said, "The conversation about attribution will be happening not just in the United States," noting that other nations may also have a vested interest, either politically or as potential victims. 

Rosenbach added that other nations, particularly those that have already suffered from attacks by Iran, may be "champing at the bit" to respond in kind.

Spaulding said, "There will be this instinct that we need to charge forward, and that might be the right answer ... but we need to consider the potential impact on private entities."

In terms of this war-gaming exercise, Rosenbach said that "the nuclear threat should shape response," but participants should aim to meet "cyberattacks with cyber solutions." However, he added that "adversaries need to know when you're serious about taking action."  

Carlin told Rosenbach that regardless of what response the US decided to make to Iran's maneuvers, "I would want the secretary of defense to tell the president that the first message should not come through Twitter."

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Related Content: