Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/18/2018
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber War Game Shows How Federal Agencies Disagree on Incident Response

Former officials at DHS, DOJ, and DOD diverge on issues of attribution and defining what constitutes an act of cyber war.

RSA CONFERENCE 2018 - San Francisco - Good-natured bickering between participants of a cyber war game exercise here Tuesday showed how federal agencies both collaborate with and differ from one another when responding to incidents. The areas where opinions diverge most: how much attribution is enough to act upon, when it's appropriate to use "kinetic" military action as part of a cyber incident response, and when a cyberattack becomes an act of war.

The discussion took place in a session called "Cyber War Game — Behind Closed Doors with the National Security Council," mediated by CrowdStrike CTO Dmitri Alperovitch and Columbia University research scholar Jason Healey. Representing the members of the National Security Council were former high-ranking officials of US federal agencies that are regular attendees of the council.

Playing the role of Department of Homeland Security was Suzanne Spaulding, former under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, and currently senior adviser for the Center for Strategic and International Studies. Playing the role of Department of Justice was John Carlin, former assistant attorney general for the DOJ's National Security Division and currently a partner at Morrison Foerster LLP, where he chairs its global risk and crisis management team. Playing the role of Department of Defense was Eric Rosenbach, former chief of staff to the secretary of defense, and currently co-director of the Belfer Center for Science and International Affairs at Harvard University.

The exercise proposed a scenario in which the US had uncovered military dimensions of the Iranian nuclear program and discovered that Iran's pursuit of a nuclear weapons program posed a threat. In addition, a series of cyber campaigns began, including a leak of documents from previous intrusions into Congress and wiper malware destroying those networks.

Later in the exercise, attribution for the first cyberattacks is confirmed to be from Iran. New attacks begin, including in other countries (critical infrastructure in Israel), and a compromise of a subway control system in Los Angeles that forced one train crash that caused fatalities.

As Carlin (DOJ) explained, there are two primary objectives in this exercise: "Stop the cyberattacks. And stop the nuclear development." All participants agreed that the cyberattacks are the more immediate threat to be contained.

However, they differed somewhat on how to contain the threat.

Spaulding spoke about reaching out to more potential victims, gathering forensic data and sharing threat intelligence with state transportation authorities. Carlin spoke about determining attribution, setting up surveillance, and determining what legal response and sanction actions are available to the government depending upon what "red lines" had been crossed — for example, what kind of response had the US government already stated it would take if a cyberattack had caused bodily harm to a US citizen, as this had. 

Rosenbach took it further: "This is an armed attack against the United States," he said, noting that if a train had crashed because of an explosive device instead of a cyberattack, nobody would question that it was anything else. Loss of life or significant economic consequences will change the nature of the response, he said.

The participants also diverged on the topic of attribution, with Rosenbach stating that we've been in the habit of delaying response because we require too much confirmation of attribution.  

Spaulding said, "The conversation about attribution will be happening not just in the United States," noting that other nations may also have a vested interest, either politically or as potential victims. 

Rosenbach added that other nations, particularly those that have already suffered from attacks by Iran, may be "champing at the bit" to respond in kind.

Spaulding said, "There will be this instinct that we need to charge forward, and that might be the right answer ... but we need to consider the potential impact on private entities."

In terms of this war-gaming exercise, Rosenbach said that "the nuclear threat should shape response," but participants should aim to meet "cyberattacks with cyber solutions." However, he added that "adversaries need to know when you're serious about taking action."  

Carlin told Rosenbach that regardless of what response the US decided to make to Iran's maneuvers, "I would want the secretary of defense to tell the president that the first message should not come through Twitter."

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15224
PUBLISHED: 2019-08-19
The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
CVE-2019-15225
PUBLISHED: 2019-08-19
In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
CVE-2019-15223
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
CVE-2019-15211
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
CVE-2019-15212
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.