Perimeter
2/17/2010
10:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Will Cyber Shockwave Make Some Waves?

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.Cyber Shockwave assembled a group that was tasked to play top-level government officials in a National Security Council meeting. The eye-catching thing about the exercise, hosted by the Bipartisan Policy Center, was that the panel members were all prominent former holders of top-level government jobs. Stewart Baker, who worked on cybersecurity at the DHS through last year, played Cyber Coordinator. Deputy Commander of the U.S. European Command Charles F. Wald played Secretary of Defense. Director of National Intelligence John Negroponte played Secretary of State. And so on for a cast of 10.

For me, and I think everyone else in the room, a couple of things became very clear very quickly. First, if the lights are going to go out in North America (as they were in Eastern cities during the second hour of the exercise), then they will be out long before anyone in the White House has any idea what they want to do about it. The president will be urging calm, which I'll bet will just work like magic.

Second, in any situation where serious harm was being done to electronic and electrical infrastructures, the only effective response would be to declare it an act of war or, failing that, for the president to make a significant grab for additional executive powers under Article 2 of the Constitution. Calling it an act of war is likely to be impossible in any normal sense, because attributing a cyberattack to a specific nation state would be next to impossible in the short term. Consider recent events: Was the Chinese state behind the Aurora attacks? If so, then it's arguably an act of war, a state-sponsored incursion on our domestic territory.

As for the executive power grab, well, there won't really be any good alternative. Something definitive will have to be done, it will involve the private companies that own the digital infrastructure, and it will involve compelling them to do what they won't do voluntarily for fear of subsequent legal liability for their actions.

Those two things came across loud and clear and, while I'm not sure the scenario of smartphones bringing down the cell phone system was all that horrifying, the idea of executive rule by fiat was indeed a bit creepy. I should add, too, that the overall scenario had a lot of intellectual weight behind it because the several sponsors -- which included General Dynamics (and specifically involved some of the forensics heavy hitters in their Advanced Information Systems division), Georgetown University (and experts from their Institute for Law, Science and Global Security, SMobile, Symantec, Paypal -- helped build aspects of the scenario and keep it within the realm of the credible.

For me, though, there was a third realization. The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed -- and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody. And it just is never going to be the head of the DHS. And nobody seems to have had Howard Schmidt's cell phone number when the attacks on Google were announced.

Anyway, a lot of what was in play at Cyber Shockwave were policy concerns. Should the government lay out a declarative policy on the circumstances in which it would retaliate against an attacking nation or terrorist organization? That sort of knotty concern. Not necessarily things that you or I are likely to get much say about. But how we improve attribution of attacks to their perpetrators and the question of how easily subverted (or, as in this scenario, Trojan Horse) software is kept off the networks are two areas that the security community can potentially address. I doubt, frankly, that we can do much about either without some degree of government regulation -- vendors don't have much incentive to do things that improve the overall security of the Internet, a point made quite convincingly by former Secretary of Homeland Security Michael Chertoff, who played National Security Adviser in the simulation. How do we get regulation that works well? It just might be time to send an email or two to our representatives.

In the meanwhile, CNN taped the event and will air it Saturday and Sunday, so you can check it out for yourself.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.