Cyber Storm Details

Recently the Associated Press obtained hundreds of pages of documents related to the 2006 "Cyber Storm" exercise. Most interesting is the part where the participants attacked the game computers and pissed the referees off:

However, the government's files hint at a tantalizing mystery: In the middle of the war game, someone quietly attacked the very computers used to conduct the exercise. Perplexed organizers traced the incident to overzealous players and sent everyone an urgent e-mail marked "IMPORTANT!" reminding them not to probe or attack the game computers.

"Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'" said George Foresman, a former senior Homeland Security official who oversaw Cyber Storm. "Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players."

See also this. CyberStorm report here.

Posted on February 7, 2008 at 2:30 PM • 33 Comments

Comments

Rick AuricchioFebruary 7, 2008 3:13 PM

And I question the validity of a "game" format for the whole business.

Just because their game simulates stuff like elevators stopping, BART trains stalling, power plants shutting down does not mean these things would ACTUALLY happen in real life.

They would be just as effective using a deck of cards. "Red jack means the Diablo Canyon (San Luis Obispo, CA) nuke plant shuts down. Three of clubs means the lighted-text signs on the Los Angeles freeways shut off."

But it sounds good, and it's a way to convince Mr. and Mrs. Middle America that our tax dollars are being wasted in a highly technical way...

jdegeFebruary 7, 2008 3:16 PM

In exercises of this sort that I've participated in, the "game" isn't meant to simulate reality, but simply to act as a source of message traffic to the leadership team that's being exercised.

sehlatFebruary 7, 2008 3:38 PM

Obviously the organizers of the exercise never heard of theKobyashi Maru.

Spock: "He broke into the lab and reprogrammed the simulator."

Saavik: "You cheated!"

Kirk: "Changed the conditions of the test."

Spock: "It did have the virtue of never having been tried before."

darkuncleFebruary 7, 2008 3:54 PM

sounds like the feds should have hired somebody with some experience at running Root Wars (or else properly hardened/isolated the controlling systems) ...

Sean O'HaraFebruary 7, 2008 5:21 PM

When the Matrix sequels came out, a marketing firm put together an alternate reality game that involved hacking -- for example, go to a character's personal website and use the information there to guess her password to an FTP server, which has hidden files on it that you have to download. Of course, it took about ten minutes for people to just start brute forcing the server.

Participant XFebruary 7, 2008 5:31 PM

There were no real cyber attacks directed at exercise control systems. The concern was over agencies getting exercise events mixed up and treating as "real world" such as issuing alerts, messages, and escalating response activities.

Always fun to see perspectives of folks that were not there.

-Participant X

Christoph ZurniedenFebruary 7, 2008 5:49 PM

> "Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'"

Especially if that's exactly what they've been told to do, Mr Foresman.

> "Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players."

Why do you think the attacker will follow any rules set by the defender? The only laws he will obey are the laws of physics and, in this case, the rules of modulo-2 arithmetic.

There was once an I/O filter, called "firewall" by some PR-men, that had a carefully chosen rules set, such that no packet will pass the filter without permission. The rules were even proven to be correct mathematically.
Some experts had been invited to test the system and try to break it and fail to break it and give praise to the ingenious inventors of the filter.
Right in the midst of the tests one of the experts found a teeny little buffer overflow in the filter that allowed that expert---who's name shall be forgotten forever!---to change the rules of the filter to let his dirty little packets pass.
"Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'" said the foreman, a former member of the King's Guard. "Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players and if you look right to the northwest you can still see the last trails of smoke from where we burnt him."

CZ

billswiftFebruary 7, 2008 6:01 PM

"Other simulated reporters were duped into spreading "believable but misleading" information that confused the public "


How is this different from everything else the media broadcasts?

LeoFebruary 7, 2008 6:20 PM

Wouldn't attacking the game computers be more than a little like petitioning god? I'd hate to think that our government has gotten so clever that they rely on prayer as a fundamental strategy.

Uh, never mind.

ChrisFebruary 7, 2008 6:33 PM

"Just because their game simulates stuff like elevators stopping, BART trains stalling, power plants shutting down does not mean these things would ACTUALLY happen in real life."

I think you misunderstand the purpose of an exercise like this. The game isn't intended to simulate the vulnerability of BART trains or power stations, it's intended to test the responses of decision makers and organizations who will have to respond to such an event. Can they make decisions effectively? Do different agencies cooperate? Do we get a disjointed, ineffective Katrina-like response or an effective well coordinated, one?

Fred X. QuimbyFebruary 7, 2008 8:37 PM

"The concern was over agencies getting exercise events mixed up and treating as "real world" such as issuing alerts, messages, and escalating response activities."

Ah, they use the same control systems for the game _and_ real-world monitoring?

Heh. That's good to know.

MikeAFebruary 7, 2008 9:59 PM

@FredX: Ah, they use the same control systems for the game _and_ real-world monitoring?

Long ago in a Air Traffic Control Center not so far away, a friend of mine (no, really) set up a training exercise on the "live" system. That's the way it was done. When he entered one fake flight ID, the system crashed. He didn't think too much about it, as that was a by no means unusual occurrence. When the system came up he started over. Once again, it crashed when he entered that same ID (six letters, ending in "YYY"). He decided to stay away from such names in the future.
Aren't we all glad that the multi-gazillion-dollar effort to re-write the software from scratch was finished, oh, wait...

Nick LancasterFebruary 8, 2008 8:07 AM


Isn't this 'you can't do that' mentality the same thing that happened in the Millennium Challenge wargame? Colonel Paul von Riper chose to use bike messengers instead of cell phones, and then announced that he'd sunk most of the fleet and decapitated the Blue Team leadership.

Whereupon he was told, "You can't do that!" - the fleet was refloated, the casualties negated, and the exercise run without any pesky interference from 'reality'.

It sounds as if we're getting into a 'the magic box told me so' mentality, just like the kids who can't make change - they just hand you what the magic box tells them to.

SteveJFebruary 8, 2008 8:19 AM

"It sounds as if we're getting into a 'the magic box told me so' mentality"

So who won the first computer RoChamBo competition - Iochaine Powder (the most effective algorithm in the competition), or the team that jumped the sandbox, and looked at their all their opponents' plays in advance? I believe the latter got an honourable mention, but not the title.

Who was the rightful winner of the 1988 men's 100m gold medal? Carl Lewis, who "did what the magic box told him", or Ben Johnson, who "hacked the system" by taking steroids?

What are your thoughts on aimbots in online FPS's? How about hacking the game server to just declare you the winner?

It's all a question of what you're trying to test - for most competitions, "no holds barred" conditions are inappropriate.

NyhmFebruary 8, 2008 9:18 AM

In college I participated in some programming competitions. One team sidestepped the rules (only during warm-up, just to show off).

For the competition, teams write programs to solve several challenges, given only (text) input/output specifications. Actual input data was kept secret by the automated judging computer. The tricky part is developing code that operates perfectly according to spec without having the input data.

The fastest team to complete the challenges would win. Failed attempts incurred a time penalty, but programs could be re-submitted.

Another team gamed the system, creating two simple programs to solve all the challenges. The first program, when executed by the judging computer, opened a socket back to their workstation and fed them the secret input data.

Seeing the input, hand-crafting the correct output is an easy enough task for a human. They re-submitted a program that simply dumped the hand-crafted output.

Even with initial failure penalties, their technique was much faster than actually producing code to solve the problems.

They openly admitted (bragged) their approach, and socket libraries were removed for competition. They went on to crush everyone legitimately.

HarryFebruary 8, 2008 9:20 AM

Chris is right - some games are intended to test only parts of a system or only certain aspects of an emergency. Expanding the game would make hash of the intended test and waste a lot of money.

For example, a fake emergency may be intended to test only communications systems. The test designers have systems in place to track the results of the tests, and maybe to add additional problems as the test progresses.

Some of these factors might be: are they robust, where do they conflict, how will people react to communications problems, how dependent is the system on Windows/PC computers and what effect does that have, and so on. Then these results are incorporated into the next iteration and on the cycle goes.

Now lets say someone expands the test. The testers will not have set up a system to track the results of the expanded issues. Not only will those results go to waste, they're likely to interfere with the tracking and understanding of the actual subject.

So it's important for the participants to understand the parameters and goals. Sometimes they're there for a good reason (a communications test), sometimes they're not (not uncommon during war games).

HarryFebruary 8, 2008 9:20 AM

Chris is right - some games are intended to test only parts of a system or only certain aspects of an emergency. Expanding the game would make hash of the intended test and waste a lot of money.

For example, a fake emergency may be intended to test only communications systems. The test designers have systems in place to track the results of the tests, and maybe to add additional problems as the test progresses.

Some of these factors might be: are they robust, where do they conflict, how will people react to communications problems, how dependent is the system on Windows/PC computers and what effect does that have, and so on. Then these results are incorporated into the next iteration and on the cycle goes.

Now lets say someone expands the test. The testers will not have set up a system to track the results of the expanded issues. Not only will those results go to waste, they're likely to interfere with the tracking and understanding of the actual subject.

So it's important for the participants to understand the parameters and goals. Sometimes they're there for a good reason (a communications test), sometimes they're not (not uncommon during war games).

AnonymousFebruary 8, 2008 9:21 AM

"Who was the rightful winner of the 1988 men's 100m gold medal? Carl Lewis, who "did what the magic box told him", or Ben Johnson, who "hacked the system" by taking steroids?

There is a fundamental difference between a true game (chess, sport, whatever) where the point of the users is to work within the confines of the arbitrary rules. However war games are very different, because you are testing the ability to handle opponents who don't work within the rules.

jayhFebruary 8, 2008 9:21 AM

"Who was the rightful winner of the 1988 men's 100m gold medal? Carl Lewis, who "did what the magic box told him", or Ben Johnson, who "hacked the system" by taking steroids?

There is a fundamental difference between a true game (chess, sport, whatever) where the point of the users is to work within the confines of the arbitrary rules. However war games are very different, because you are testing the ability to handle opponents who don't work within the rules.

SteveJFebruary 8, 2008 9:41 AM

"However war games are very different, because you are testing the ability to handle opponents who don't work within the rules."

Right. So in a war game, is it legitimate to use additional personnel beyond those allocated in the game? On grounds that in a real war, your opponents might have more troops than you think?

Is it legitimate to steal secret aspects of the game scenario, on grounds that in a real war the enemy might have effective espionage, or just better local knowledge than you, and so the participants should be tested on their ability to account for that?

A war game isn't a war. Certain techniques are ruled out. Like live ammunition. And unless you want the game to be about the fine print, that means you can't assume that just because the rules forgot to mention something as banned, that means it's legal.

AirForceTeacherFebruary 8, 2008 10:36 AM

"A war game isn't a war. Certain techniques are ruled out. Like live ammunition. And unless you want the game to be about the fine print, that means you can't assume that just because the rules forgot to mention something as banned, that means it's legal."
Even so, if you do something that could legitimately happen in a real war, then it should be allowed. Maybe rewinding and replaying without the bike messengers was the best thign to do froma training perspective, but only if non-traditional communications are considered in future warplanning.

LyleFebruary 8, 2008 10:54 AM

There are rules, and there are "rules". The problem with wargames and other such competitions is that they often implicitly rely on a number of tacit assumptions that are never spelled out. I agree that contravening explicit rules is, cheating and contrary to the purpose. But exploiting your opponent's blinkered inability to see beyond their own closed-mindedness is, in my opinion, a fair technique to demonstrate true creativity.

SteveJFebruary 8, 2008 11:17 AM

"only if non-traditional communications are considered in future warplanning."

I'd say a message-runner is a rather *more* traditional medium than a cellphone ;-)

My point is just that a particular wargame has a purpose. It's usually not run to find out who's the best or cleverest solider/commander/unit/force, even if that's what some of the participants want it to be. If the real purpose is damaged by people trying to figure out how to change the intended parameters of the game in order to "win", then players shouldn't be doing that.

In particular, I'd say that you shouldn't be trying to exploit the limits of the simulation. Hypothetically, suppose that you're supposed to be learning (among other things) how to deal with poor communications, so your radios have been jiggered to make them unreliable, or else the enemy can listen in, or something. I have no idea whether that's a plausible wargame, but just suppose.

Now, suppose you decide to adapt to your comms problems by using couriers. Fair enough, you'd think, but if the people designing the game didn't think of that, then their wargame might well not account for snipers either. Then all you've achieved, other than "winning", is to show that couriers are great if your opponent can't do anything about them.

That doesn't prepare you for a real war - obviously modern forces do have snipers, and your couriers would have a great deal more difficulty operating in a warzone than they did in the simulation. You've made the scenario be about couriers and snipers, when it was designed to be about something else (strategies that are robust against broken communications, maybe).

I agree that couriers should be considered in future planning, but if the consideration is, "they wouldn't last five minutes out there", then there's not much point allowing them in the simulation.

Of course for the Millennium Wargame, one accusation was that the envisaged scenario was a sweeping Blue victory no matter what Red did, with no intention to discover anything about real war. But such a "politically motivated" ruling, if that's what it was, doesn't detract from the fact that in general, wargames might have a reasonable purpose, and might need to use "unrealistic" restrictions to achieve that purpose.

SteveJFebruary 8, 2008 11:20 AM

@Lyle: "exploiting your opponent's blinkered inability to see beyond their own closed-mindedness"

I guess my complaint is that players shouldn't be exploiting the *game designers'* blinkered inability to see beyond their own closed-mindedness.

HALFebruary 8, 2008 2:09 PM

Engadget has this "IBM plots global-scale shared computer to host entire internet as application" or OBT (one big target). It might be good for simulating the Internet for games or cyber storming. Hosting the Internet on one machine seems like a dumb idea.

AnonymousFebruary 11, 2008 4:34 AM

"There were no real cyber attacks directed at exercise control systems. The concern was over agencies getting exercise events mixed up and treating as "real world" such as issuing alerts, messages, and escalating response activities."

If that is possible (tricking an exercise to escalate to a real emergency), that's a vulnerability that is very important to know.

If someone directing an attack got his timing right, he could exploit this a a decoy.

EliFebruary 19, 2008 8:52 AM

To the people arguing this is a valid attack vector: How about I just forge a document declaring me the winner of the simulation. Is that fair? Did I "win"?

Of course not. Winning a game, and appearing to win a game are not the same thing.

Spy GuyMarch 29, 2008 12:43 PM

For about a year now the former Chief Strategist of Netscape has been warning everyone through his articles that this was a huge threat and actually identified several strategies and tactics that if used would compromise the information infrastructure in the U.S. and globally. Why is it our intelligence services are just waking up to this threat? Why is it throughout history we ignore or dismiss the experts until it is too late! I just did a Google search (Kevin Coleman Cyber Attack) and found over 13,000 references. With that much intelligence we should be much further along in protecting and defending against cyber attacks that we are today!

SushilJuly 26, 2008 2:55 AM

Dear,
I would like to join the course of syber law, so could any one pls tell me best institute for this perticular course.

Thanks & Regards

Sushil.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..