Perimeter
2/17/2010
10:11 PM
50%
50%

Will Cyber Shockwave Make Some Waves?

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.Cyber Shockwave assembled a group that was tasked to play top-level government officials in a National Security Council meeting. The eye-catching thing about the exercise, hosted by the Bipartisan Policy Center, was that the panel members were all prominent former holders of top-level government jobs. Stewart Baker, who worked on cybersecurity at the DHS through last year, played Cyber Coordinator. Deputy Commander of the U.S. European Command Charles F. Wald played Secretary of Defense. Director of National Intelligence John Negroponte played Secretary of State. And so on for a cast of 10.

For me, and I think everyone else in the room, a couple of things became very clear very quickly. First, if the lights are going to go out in North America (as they were in Eastern cities during the second hour of the exercise), then they will be out long before anyone in the White House has any idea what they want to do about it. The president will be urging calm, which I'll bet will just work like magic.

Second, in any situation where serious harm was being done to electronic and electrical infrastructures, the only effective response would be to declare it an act of war or, failing that, for the president to make a significant grab for additional executive powers under Article 2 of the Constitution. Calling it an act of war is likely to be impossible in any normal sense, because attributing a cyberattack to a specific nation state would be next to impossible in the short term. Consider recent events: Was the Chinese state behind the Aurora attacks? If so, then it's arguably an act of war, a state-sponsored incursion on our domestic territory.

As for the executive power grab, well, there won't really be any good alternative. Something definitive will have to be done, it will involve the private companies that own the digital infrastructure, and it will involve compelling them to do what they won't do voluntarily for fear of subsequent legal liability for their actions.

Those two things came across loud and clear and, while I'm not sure the scenario of smartphones bringing down the cell phone system was all that horrifying, the idea of executive rule by fiat was indeed a bit creepy. I should add, too, that the overall scenario had a lot of intellectual weight behind it because the several sponsors -- which included General Dynamics (and specifically involved some of the forensics heavy hitters in their Advanced Information Systems division), Georgetown University (and experts from their Institute for Law, Science and Global Security, SMobile, Symantec, Paypal -- helped build aspects of the scenario and keep it within the realm of the credible.

For me, though, there was a third realization. The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed -- and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody. And it just is never going to be the head of the DHS. And nobody seems to have had Howard Schmidt's cell phone number when the attacks on Google were announced.

Anyway, a lot of what was in play at Cyber Shockwave were policy concerns. Should the government lay out a declarative policy on the circumstances in which it would retaliate against an attacking nation or terrorist organization? That sort of knotty concern. Not necessarily things that you or I are likely to get much say about. But how we improve attribution of attacks to their perpetrators and the question of how easily subverted (or, as in this scenario, Trojan Horse) software is kept off the networks are two areas that the security community can potentially address. I doubt, frankly, that we can do much about either without some degree of government regulation -- vendors don't have much incentive to do things that improve the overall security of the Internet, a point made quite convincingly by former Secretary of Homeland Security Michael Chertoff, who played National Security Adviser in the simulation. How do we get regulation that works well? It just might be time to send an email or two to our representatives.

In the meanwhile, CNN taped the event and will air it Saturday and Sunday, so you can check it out for yourself.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-1157
Published: 2015-05-27
CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2)...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?