Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/18/2018
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber War Game Shows How Federal Agencies Disagree on Incident Response

Former officials at DHS, DOJ, and DOD diverge on issues of attribution and defining what constitutes an act of cyber war.

RSA CONFERENCE 2018 - San Francisco - Good-natured bickering between participants of a cyber war game exercise here Tuesday showed how federal agencies both collaborate with and differ from one another when responding to incidents. The areas where opinions diverge most: how much attribution is enough to act upon, when it's appropriate to use "kinetic" military action as part of a cyber incident response, and when a cyberattack becomes an act of war.

The discussion took place in a session called "Cyber War Game — Behind Closed Doors with the National Security Council," mediated by CrowdStrike CTO Dmitri Alperovitch and Columbia University research scholar Jason Healey. Representing the members of the National Security Council were former high-ranking officials of US federal agencies that are regular attendees of the council.

Playing the role of Department of Homeland Security was Suzanne Spaulding, former under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, and currently senior adviser for the Center for Strategic and International Studies. Playing the role of Department of Justice was John Carlin, former assistant attorney general for the DOJ's National Security Division and currently a partner at Morrison Foerster LLP, where he chairs its global risk and crisis management team. Playing the role of Department of Defense was Eric Rosenbach, former chief of staff to the secretary of defense, and currently co-director of the Belfer Center for Science and International Affairs at Harvard University.

The exercise proposed a scenario in which the US had uncovered military dimensions of the Iranian nuclear program and discovered that Iran's pursuit of a nuclear weapons program posed a threat. In addition, a series of cyber campaigns began, including a leak of documents from previous intrusions into Congress and wiper malware destroying those networks.

Later in the exercise, attribution for the first cyberattacks is confirmed to be from Iran. New attacks begin, including in other countries (critical infrastructure in Israel), and a compromise of a subway control system in Los Angeles that forced one train crash that caused fatalities.

As Carlin (DOJ) explained, there are two primary objectives in this exercise: "Stop the cyberattacks. And stop the nuclear development." All participants agreed that the cyberattacks are the more immediate threat to be contained.

However, they differed somewhat on how to contain the threat.

Spaulding spoke about reaching out to more potential victims, gathering forensic data and sharing threat intelligence with state transportation authorities. Carlin spoke about determining attribution, setting up surveillance, and determining what legal response and sanction actions are available to the government depending upon what "red lines" had been crossed — for example, what kind of response had the US government already stated it would take if a cyberattack had caused bodily harm to a US citizen, as this had. 

Rosenbach took it further: "This is an armed attack against the United States," he said, noting that if a train had crashed because of an explosive device instead of a cyberattack, nobody would question that it was anything else. Loss of life or significant economic consequences will change the nature of the response, he said.

The participants also diverged on the topic of attribution, with Rosenbach stating that we've been in the habit of delaying response because we require too much confirmation of attribution.  

Spaulding said, "The conversation about attribution will be happening not just in the United States," noting that other nations may also have a vested interest, either politically or as potential victims. 

Rosenbach added that other nations, particularly those that have already suffered from attacks by Iran, may be "champing at the bit" to respond in kind.

Spaulding said, "There will be this instinct that we need to charge forward, and that might be the right answer ... but we need to consider the potential impact on private entities."

In terms of this war-gaming exercise, Rosenbach said that "the nuclear threat should shape response," but participants should aim to meet "cyberattacks with cyber solutions." However, he added that "adversaries need to know when you're serious about taking action."  

Carlin told Rosenbach that regardless of what response the US decided to make to Iran's maneuvers, "I would want the secretary of defense to tell the president that the first message should not come through Twitter."

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...