Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly

Cyber War Game Shows How Federal Agencies Disagree on Incident Response

Former officials at DHS, DOJ, and DOD diverge on issues of attribution and defining what constitutes an act of cyber war.

RSA CONFERENCE 2018 - San Francisco - Good-natured bickering between participants of a cyber war game exercise here Tuesday showed how federal agencies both collaborate with and differ from one another when responding to incidents. The areas where opinions diverge most: how much attribution is enough to act upon, when it's appropriate to use "kinetic" military action as part of a cyber incident response, and when a cyberattack becomes an act of war.

The discussion took place in a session called "Cyber War Game — Behind Closed Doors with the National Security Council," mediated by CrowdStrike CTO Dmitri Alperovitch and Columbia University research scholar Jason Healey. Representing the members of the National Security Council were former high-ranking officials of US federal agencies that are regular attendees of the council.

Playing the role of Department of Homeland Security was Suzanne Spaulding, former under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, and currently senior adviser for the Center for Strategic and International Studies. Playing the role of Department of Justice was John Carlin, former assistant attorney general for the DOJ's National Security Division and currently a partner at Morrison Foerster LLP, where he chairs its global risk and crisis management team. Playing the role of Department of Defense was Eric Rosenbach, former chief of staff to the secretary of defense, and currently co-director of the Belfer Center for Science and International Affairs at Harvard University.

The exercise proposed a scenario in which the US had uncovered military dimensions of the Iranian nuclear program and discovered that Iran's pursuit of a nuclear weapons program posed a threat. In addition, a series of cyber campaigns began, including a leak of documents from previous intrusions into Congress and wiper malware destroying those networks.

Later in the exercise, attribution for the first cyberattacks is confirmed to be from Iran. New attacks begin, including in other countries (critical infrastructure in Israel), and a compromise of a subway control system in Los Angeles that forced one train crash that caused fatalities.

As Carlin (DOJ) explained, there are two primary objectives in this exercise: "Stop the cyberattacks. And stop the nuclear development." All participants agreed that the cyberattacks are the more immediate threat to be contained.

However, they differed somewhat on how to contain the threat.

Spaulding spoke about reaching out to more potential victims, gathering forensic data and sharing threat intelligence with state transportation authorities. Carlin spoke about determining attribution, setting up surveillance, and determining what legal response and sanction actions are available to the government depending upon what "red lines" had been crossed — for example, what kind of response had the US government already stated it would take if a cyberattack had caused bodily harm to a US citizen, as this had. 

Rosenbach took it further: "This is an armed attack against the United States," he said, noting that if a train had crashed because of an explosive device instead of a cyberattack, nobody would question that it was anything else. Loss of life or significant economic consequences will change the nature of the response, he said.

The participants also diverged on the topic of attribution, with Rosenbach stating that we've been in the habit of delaying response because we require too much confirmation of attribution.  

Spaulding said, "The conversation about attribution will be happening not just in the United States," noting that other nations may also have a vested interest, either politically or as potential victims. 

Rosenbach added that other nations, particularly those that have already suffered from attacks by Iran, may be "champing at the bit" to respond in kind.

Spaulding said, "There will be this instinct that we need to charge forward, and that might be the right answer ... but we need to consider the potential impact on private entities."

In terms of this war-gaming exercise, Rosenbach said that "the nuclear threat should shape response," but participants should aim to meet "cyberattacks with cyber solutions." However, he added that "adversaries need to know when you're serious about taking action."  

Carlin told Rosenbach that regardless of what response the US decided to make to Iran's maneuvers, "I would want the secretary of defense to tell the president that the first message should not come through Twitter."


Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.


Related Content:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-25
In Xpdf 4.01.01, a buffer over-read could be triggered in FoFiType1C::convertToType1 in fofi/FoFiType1C.cc when the index number is larger than the charset array bounds. It can, for example, be triggered by sending a crafted PDF document to the pdftops tool. It allows an attacker to use a crafted pd...
PUBLISHED: 2019-06-25
In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in FoFiType1C::convertToType0 in fofi/FoFiType1C.cc when it is trying to access the second privateDicts array element, because the privateDicts array has only one element allocated.
PUBLISHED: 2019-06-24
An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.
PUBLISHED: 2019-06-24
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.
PUBLISHED: 2019-06-24
In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post.