Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/17/2010
10:11 PM
50%
50%

Will Cyber Shockwave Make Some Waves?

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.Cyber Shockwave assembled a group that was tasked to play top-level government officials in a National Security Council meeting. The eye-catching thing about the exercise, hosted by the Bipartisan Policy Center, was that the panel members were all prominent former holders of top-level government jobs. Stewart Baker, who worked on cybersecurity at the DHS through last year, played Cyber Coordinator. Deputy Commander of the U.S. European Command Charles F. Wald played Secretary of Defense. Director of National Intelligence John Negroponte played Secretary of State. And so on for a cast of 10.

For me, and I think everyone else in the room, a couple of things became very clear very quickly. First, if the lights are going to go out in North America (as they were in Eastern cities during the second hour of the exercise), then they will be out long before anyone in the White House has any idea what they want to do about it. The president will be urging calm, which I'll bet will just work like magic.

Second, in any situation where serious harm was being done to electronic and electrical infrastructures, the only effective response would be to declare it an act of war or, failing that, for the president to make a significant grab for additional executive powers under Article 2 of the Constitution. Calling it an act of war is likely to be impossible in any normal sense, because attributing a cyberattack to a specific nation state would be next to impossible in the short term. Consider recent events: Was the Chinese state behind the Aurora attacks? If so, then it's arguably an act of war, a state-sponsored incursion on our domestic territory.

As for the executive power grab, well, there won't really be any good alternative. Something definitive will have to be done, it will involve the private companies that own the digital infrastructure, and it will involve compelling them to do what they won't do voluntarily for fear of subsequent legal liability for their actions.

Those two things came across loud and clear and, while I'm not sure the scenario of smartphones bringing down the cell phone system was all that horrifying, the idea of executive rule by fiat was indeed a bit creepy. I should add, too, that the overall scenario had a lot of intellectual weight behind it because the several sponsors -- which included General Dynamics (and specifically involved some of the forensics heavy hitters in their Advanced Information Systems division), Georgetown University (and experts from their Institute for Law, Science and Global Security, SMobile, Symantec, Paypal -- helped build aspects of the scenario and keep it within the realm of the credible.

For me, though, there was a third realization. The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed -- and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody. And it just is never going to be the head of the DHS. And nobody seems to have had Howard Schmidt's cell phone number when the attacks on Google were announced.

Anyway, a lot of what was in play at Cyber Shockwave were policy concerns. Should the government lay out a declarative policy on the circumstances in which it would retaliate against an attacking nation or terrorist organization? That sort of knotty concern. Not necessarily things that you or I are likely to get much say about. But how we improve attribution of attacks to their perpetrators and the question of how easily subverted (or, as in this scenario, Trojan Horse) software is kept off the networks are two areas that the security community can potentially address. I doubt, frankly, that we can do much about either without some degree of government regulation -- vendors don't have much incentive to do things that improve the overall security of the Internet, a point made quite convincingly by former Secretary of Homeland Security Michael Chertoff, who played National Security Adviser in the simulation. How do we get regulation that works well? It just might be time to send an email or two to our representatives.

In the meanwhile, CNN taped the event and will air it Saturday and Sunday, so you can check it out for yourself.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.