10:11 PM

Will Cyber Shockwave Make Some Waves?

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.Cyber Shockwave assembled a group that was tasked to play top-level government officials in a National Security Council meeting. The eye-catching thing about the exercise, hosted by the Bipartisan Policy Center, was that the panel members were all prominent former holders of top-level government jobs. Stewart Baker, who worked on cybersecurity at the DHS through last year, played Cyber Coordinator. Deputy Commander of the U.S. European Command Charles F. Wald played Secretary of Defense. Director of National Intelligence John Negroponte played Secretary of State. And so on for a cast of 10.

For me, and I think everyone else in the room, a couple of things became very clear very quickly. First, if the lights are going to go out in North America (as they were in Eastern cities during the second hour of the exercise), then they will be out long before anyone in the White House has any idea what they want to do about it. The president will be urging calm, which I'll bet will just work like magic.

Second, in any situation where serious harm was being done to electronic and electrical infrastructures, the only effective response would be to declare it an act of war or, failing that, for the president to make a significant grab for additional executive powers under Article 2 of the Constitution. Calling it an act of war is likely to be impossible in any normal sense, because attributing a cyberattack to a specific nation state would be next to impossible in the short term. Consider recent events: Was the Chinese state behind the Aurora attacks? If so, then it's arguably an act of war, a state-sponsored incursion on our domestic territory.

As for the executive power grab, well, there won't really be any good alternative. Something definitive will have to be done, it will involve the private companies that own the digital infrastructure, and it will involve compelling them to do what they won't do voluntarily for fear of subsequent legal liability for their actions.

Those two things came across loud and clear and, while I'm not sure the scenario of smartphones bringing down the cell phone system was all that horrifying, the idea of executive rule by fiat was indeed a bit creepy. I should add, too, that the overall scenario had a lot of intellectual weight behind it because the several sponsors -- which included General Dynamics (and specifically involved some of the forensics heavy hitters in their Advanced Information Systems division), Georgetown University (and experts from their Institute for Law, Science and Global Security, SMobile, Symantec, Paypal -- helped build aspects of the scenario and keep it within the realm of the credible.

For me, though, there was a third realization. The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed -- and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody. And it just is never going to be the head of the DHS. And nobody seems to have had Howard Schmidt's cell phone number when the attacks on Google were announced.

Anyway, a lot of what was in play at Cyber Shockwave were policy concerns. Should the government lay out a declarative policy on the circumstances in which it would retaliate against an attacking nation or terrorist organization? That sort of knotty concern. Not necessarily things that you or I are likely to get much say about. But how we improve attribution of attacks to their perpetrators and the question of how easily subverted (or, as in this scenario, Trojan Horse) software is kept off the networks are two areas that the security community can potentially address. I doubt, frankly, that we can do much about either without some degree of government regulation -- vendors don't have much incentive to do things that improve the overall security of the Internet, a point made quite convincingly by former Secretary of Homeland Security Michael Chertoff, who played National Security Adviser in the simulation. How do we get regulation that works well? It just might be time to send an email or two to our representatives.

In the meanwhile, CNN taped the event and will air it Saturday and Sunday, so you can check it out for yourself.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.