Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly

Cyber War Game Shows How Federal Agencies Disagree on Incident Response

Former officials at DHS, DOJ, and DOD diverge on issues of attribution and defining what constitutes an act of cyber war.

RSA CONFERENCE 2018 - San Francisco - Good-natured bickering between participants of a cyber war game exercise here Tuesday showed how federal agencies both collaborate with and differ from one another when responding to incidents. The areas where opinions diverge most: how much attribution is enough to act upon, when it's appropriate to use "kinetic" military action as part of a cyber incident response, and when a cyberattack becomes an act of war.

The discussion took place in a session called "Cyber War Game — Behind Closed Doors with the National Security Council," mediated by CrowdStrike CTO Dmitri Alperovitch and Columbia University research scholar Jason Healey. Representing the members of the National Security Council were former high-ranking officials of US federal agencies that are regular attendees of the council.

Playing the role of Department of Homeland Security was Suzanne Spaulding, former under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, and currently senior adviser for the Center for Strategic and International Studies. Playing the role of Department of Justice was John Carlin, former assistant attorney general for the DOJ's National Security Division and currently a partner at Morrison Foerster LLP, where he chairs its global risk and crisis management team. Playing the role of Department of Defense was Eric Rosenbach, former chief of staff to the secretary of defense, and currently co-director of the Belfer Center for Science and International Affairs at Harvard University.

The exercise proposed a scenario in which the US had uncovered military dimensions of the Iranian nuclear program and discovered that Iran's pursuit of a nuclear weapons program posed a threat. In addition, a series of cyber campaigns began, including a leak of documents from previous intrusions into Congress and wiper malware destroying those networks.

Later in the exercise, attribution for the first cyberattacks is confirmed to be from Iran. New attacks begin, including in other countries (critical infrastructure in Israel), and a compromise of a subway control system in Los Angeles that forced one train crash that caused fatalities.

As Carlin (DOJ) explained, there are two primary objectives in this exercise: "Stop the cyberattacks. And stop the nuclear development." All participants agreed that the cyberattacks are the more immediate threat to be contained.

However, they differed somewhat on how to contain the threat.

Spaulding spoke about reaching out to more potential victims, gathering forensic data and sharing threat intelligence with state transportation authorities. Carlin spoke about determining attribution, setting up surveillance, and determining what legal response and sanction actions are available to the government depending upon what "red lines" had been crossed — for example, what kind of response had the US government already stated it would take if a cyberattack had caused bodily harm to a US citizen, as this had. 

Rosenbach took it further: "This is an armed attack against the United States," he said, noting that if a train had crashed because of an explosive device instead of a cyberattack, nobody would question that it was anything else. Loss of life or significant economic consequences will change the nature of the response, he said.

The participants also diverged on the topic of attribution, with Rosenbach stating that we've been in the habit of delaying response because we require too much confirmation of attribution.  

Spaulding said, "The conversation about attribution will be happening not just in the United States," noting that other nations may also have a vested interest, either politically or as potential victims. 

Rosenbach added that other nations, particularly those that have already suffered from attacks by Iran, may be "champing at the bit" to respond in kind.

Spaulding said, "There will be this instinct that we need to charge forward, and that might be the right answer ... but we need to consider the potential impact on private entities."

In terms of this war-gaming exercise, Rosenbach said that "the nuclear threat should shape response," but participants should aim to meet "cyberattacks with cyber solutions." However, he added that "adversaries need to know when you're serious about taking action."  

Carlin told Rosenbach that regardless of what response the US decided to make to Iran's maneuvers, "I would want the secretary of defense to tell the president that the first message should not come through Twitter."


Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.


Related Content:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...