Cyber Shockwave Test

There was a big U.S. cyberattack exercise this week. We didn't do so well:

In a press release issued today, the Bipartisan Policy Center (BPC) -- which organized "Cyber Shockwave" using a group of former government officials and computer simulations -- concluded the U.S. is "unprepared for cyber threats."

[...]

...the U.S. defenders had difficulty identifying the source of the simulated attack, which in turn made it difficult to take action.

"During the exercise, a server hosting the attack appeared to be based in Russia," said one report. "However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event."

The simulation envisioned an attack that unfolds during a single day in July 2011. When the council convenes to face this crisis, 20 million of the nation's smartphones have already stopped working. The attack -- the result of a malware program that had been planted in phones months earlier through a popular "March Madness" basketball bracket application -- disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.

This is, I think, an eyewitness report.

Posted on February 19, 2010 at 1:33 PM • 27 Comments

Comments

Mat • February 19, 2010 1:55 PM

Seems like a half-baked exercise that uses a slippery slope to suggest that minor problems will lead to terrible disasters. Their worst case scenario is used as reasoning to cede power to agencies that this think tank wants.

Bob • February 19, 2010 1:56 PM

There isn't enough information in that article to judge how realistic a simulation it was. The people named in the report all seemed to be former political appointees; I didn't see names of anybody who was recognizable as having technical security expertise.

The most interesting remark came from John Negroponte, who realized that it's hard to attribute things on the Internet. If policy makers can realize that about network attacks, maybe they will take the time to find the real source of them rather than aiming at random targets who have nothing to do with the attacks.

Chris • February 19, 2010 1:58 PM

I really wonder about these exercises. How do they assume these attacks achieve the ends they suspect? I get the feeling whenever I read these that the scenario is drawn up from a hollywood script, with "l33t haxors" "hacking" and "counter-hacking" each other in some Matrix-ish battle.

I'd like to see the details of one of these exercises posted so that we can see what assumptions they worked from, the specific attacks involved, and how they reached their conclusions. I get the impression they'd make for interesting reading, at the very least.

Jeff Pettorino • February 19, 2010 1:59 PM

@Bob and Mat
My thoughts exactly...it makes for a decent news story (according to some editor), but how realistic was the exercise insofar as measuring actual impact on critical infrastructure? Sounds more like a mouthpiece at work to me.

Phillip • February 19, 2010 2:14 PM

"With the electronic trading system offline, a mere 8 hours could cost the US around $9 million."

Wait -- what's the annual Federal Government Expenditure? I bet it's more than the 1.125 million per hour this would cost. Maybe that's how we reduce the Federal Deficit!

Trichinosis USA • February 19, 2010 2:40 PM

One of the best arguments for moving to solar power ASAP is to remove our dependency on an over-centralized carbon-based power grid infrastructure that is vulnerable to both natural disaster and attack.

But the entrenched military/industrial complex is still owned by big oil, who are not quite done exploiting the nation and the world with extortionate prices for their dead dinosaur products.

So this isn't happening as fast as it would if there was any sincerity behind the much touted concerns to protect our infrastructure. Only a fool would not become cynical in the face of what is said versus what is actually done.

Franky B. • February 19, 2010 3:05 PM

I think several of you are missing the point of these types of exercises.

It's not about measuring the impact of a specific attack, it's about simulating a crisis in order to see if different agencies, caught unwarned and unprepared, will be able to work together to get a clear picture of what's going on and how best to quickly address it. It's kind of like giving a pop quiz or an unscheduled testing of a disaster recovery plan. It tends to show kinks where a prepared test didn't.

In that regard, it seems the U.S. fails, as I suspect most government would.

Shane • February 19, 2010 3:41 PM

I'm with Mat. Furthermore, any type of war game intended to bolster our comsec that doesn't have Bruce on the panel (at least in the pre-game) just sounds like a political budgeting circle-jerk to me, haha.

Brandioch Conner • February 19, 2010 4:20 PM

@Franky B.
"It's not about measuring the impact of a specific attack, it's about simulating a crisis in order to see if different agencies, caught unwarned and unprepared, will be able to work together to get a clear picture of what's going on and how best to quickly address it."

Except that that is not possible without a specific attack. And the attack must be reasonable in order to judge their responses.

From TFA:
"The war game was set in 2011, with the US coming off a series of natural disasters. ... Later in the exercise, portions of the power grid are taken down through IED attacks."

Wow, IED's. Now why would a "cyber attack" need IED's?

And why IED's? Don't the terrorists have time to build non-improvised ED's?

This is just sensationalistic crap. It's worthless.

Shane • February 19, 2010 4:46 PM

@Brandioch

"This is just sensationalistic crap. It's worthless."

Haha! I'd challenge you to find a press release out of DC in the last 10 years that wasn't! :-P

jacob • February 19, 2010 4:55 PM

ok.

In a press release issued today, the Bipartisan Policy Center (BPC) -- which organized "Cyber Shockwave" using a group of former government officials and computer simulations -- concluded the U.S is "unprepared for cyber threats."

standby, policy left to burrocrats is going to steer off course faster than a unicycle ridden by a one legged clown on meth. (borrowed from others, no attribute). Let's not let a crysis (pun) go to waste.

;D

n3td3v • February 19, 2010 5:20 PM

"CNN will air a two-hour production, based upon exclusive television access to a national security cyber “war game” scenario. The simulated event was developed by The Bipartisan Policy Center and will debut Saturday, Feb. 20 and Sunday, Feb. 21 at 8pm, 11pm and 2am ET on CNN." Source: newsonnews.net

mharter • February 19, 2010 5:26 PM

What I find incredulous was the statement by Ms. Gorelick, "....questions regarding personal privacy versus national security." Huh? I don't see the two at odds, and there are existing laws that already place national security above an individual's right to privacy.

Albatross • February 19, 2010 5:52 PM

@Shane: Bruce is a bit of a stick-in-the-mud on such panels. "This is silly." and "This is pointless." and "This security theater is not going to actually help anything." is kind of a buzzkill.

Cowbert • February 19, 2010 6:26 PM

The infrastructure tie-ins are interesting. Although we know hard targets like power grids are difficult to penetrate because those control systems and networks are almost always isolated and running difficult-to-penetrate software (i.e. hardcoded honeywell asics), the interesting note is the meta-dependency on the public energy trading network which appears in this exercise to be vastly more vulnerable.

ISO rules stipulate that balancing generation and supply variances should primarily occur with over-the-market intervention before escalating to "hard" solutions (like onlining or offlining hot-standby generators or load shedding and voltage reduction), which means that vulnerabilities in the infrastructure of the energy trading market *can* be used to affect the security of the grid.

b • February 20, 2010 10:44 AM

- Company X wants big government contract to do cybersecurity.

- Company X gives generously to the "Bipartisan Policy Center" (which is neither bipartisan nor does it do policy - it is a political frontshop).

- BPC makes a scary game with lots of non-experts and determined outcome.

- CNN markets BPC "result"

- Congressman (accidentally company X is in his district) demands that the government hires that "very knowledgeable" company X to consult on cybersecurity.

...

anomylous • February 20, 2010 7:22 PM

i'm watching the footage on cnn now and so far it seems to have been less a 'wargame' and more a hollywood script with politicians responding. it's all well and good to see if agencies can come together, but if the threat is complete bunk and we're going to base pro-active responses off of that then we're in trouble.

k • February 20, 2010 9:25 PM

watching this on CNN, thoughts come to mind:

this seems like more of a policy debate than a simulation of a crisis... who cares what the policy wonks think? we should simulate what the operation centers will actually do. their conversation was over focused on appearances, blame, and international policy implications.

I find it fascinating that folks in private industry were not involved. I know folks at my company that annually run similar what-if simulations, but actually engage a few front line folks on the specific topic to ensure realism.

So often we place so much emphasis on centralized control.. the group discussed federal management of diesel supplies to support hospital needs for example, and the federalization of the nat. Guard... to try and co-ordinate response to such a wide spread issue in a centralized way, when communications are failing is frankly dead-wrong, in my opinion. you need to have local folks you trust co-ordinating and reacting to each local situation.

after watching this, I would be less inclined to support federal hooks into private infrastructure... they seem to be several steps behind the private sector. for example, for many years industrial energy suppliers have maintained strong relationships with local utilities, and in the past have negotiated their way out of "mandatory" rolling brownouts, for good reasons... this exercise seems to suggest the NSA isn't doing that?

in summary it seems they're exercising that all too human response to uncertainty of seeking control, whether warranted or not.

Northern Skeptic • February 21, 2010 11:53 AM

How is disabling half of the nation's smartphones considered a problem? In all likelihood it would increase productivity as more people actually started to pay attention in meetings rather than texting or playing games, the rate of accidents caused by inattentive drivers would decrease, people would stop reacting instantly to things that shouldn't be reacted to...

If anything, this should be regarded as an exercise in how to improve productivity...

sidelobe • February 21, 2010 1:50 PM

Despite all the hype, these attacks aren't all that easy to perpetrate. Though, to be sure, it's still too easy. I don't see how it matters whether you know the source of the malware when recovering from the attack, though.

A coordinated attack by placing trojan horse software on cell phones seems technically plausible, though not particularly easy. The iPhone only runs one program at a time, and the Apple review process makes sure that professionals at least look at everything that can be installed on a mass basis. That's not perfect, but it's better than nothing. The Blackberry and Android platforms can leave a program running long-term to act on behalf of the attacker. Not sure about other platforms. If I were doing this, I'd add the trojan software to more than one application, improving penetration. Or, I'd release it in an application that is likely to be used often or started for a specific event, like a news reader, baseball application, etc. The Facebook app would be a good one.

Chen • February 22, 2010 1:51 AM

I think the third paragraph of this article kinda sets the stage for the entire thing..

"(...) Cyberterrorism is "more complicated by the fact that it involves every individual," Chertoff says. "Anybody who has a smartphone, who downloads an app, or gets on their PC is engaged in this process." "

Michael Chertoff is Former Secretary of Homeland Security.

So basically; anyone who's on a computer, or smartphone or just downloads an app (to their watch?) is engaged in cyberterrorism?
I know you can take over someone's machine for all kinds of shady purposes these days, but it sounds like he's got some sort of "Computer, bad." mentality there...

tOM Trottier • February 22, 2010 3:04 AM

It's a good exercise even if the scenarios are wonky. How do the bureaucrats react? What powers do they have or conceive?

How do you communicate with the nation if the power is out?

In Canada in 1970, martial law was declared because of two kidnappings in Quebec by the FLQ. Overreaction? Some thought so, but the period was short-lived.

The wonkier the scenarios, the better. Why? Because the solutions (or reactions) work much better if they are worked out ahead of time, practiced, with stores and preparation made.

Cheap insurance.

tOM

averros • February 22, 2010 3:23 AM

"We didn't do so well:"

_We_ are doing fine. It's the bunch of people who can't (or won't) make an honest living by making something others would want to buy who are screwed up.

I think that people being able to hack into gunverment computers is a good thing. The guys who hacked the Climate Research Unit definitely did a great public service.

Now, just imagine what kinds of skeletons one can drag out of CIA, DoD, or Treasury's closets if able to gain access...

Mark R • February 22, 2010 7:52 AM

Marcus Sachs over at the SANS ISC posts a fairly critical eyewitness account.

"ps - watch the two maps, the one of the cell phone outages and the one of the electric grid failures. The cell phone maps show "green" where there is 100% operation, including areas of the country where there is no coverage at all. The electric power map is actually a map of the highway system. Watch the highways go dark later in the simulation. I've never seen highways go dark during a power failure (unless it's at night.)"

http://isc.sans.org/diary.html?storyid=8272

cb • February 23, 2010 7:05 AM

1) no bureaucrats and almost no one with technical credentials or knowledge were involved in this exercise, 2) the reactions of the multitude of Bush era political appointees (largely the same ones who ignored or mismanaged federal cyber security while in power for 8 years) were fashioned to generate headlines promoting more government control and intrusion - as though it were a solution. Bah, Humbug.

Snyder • July 30, 2013 10:30 AM

Despite all the limitations of Shockwave and similar simulations pointed out by comments here, as an educator I know that students remember things they do more than they remember things I say to them. So, I am trying to do a simulation in a graduate school level course on cyber security law and policy. Can anyone recommend how to improve what was done in Shockwave or where to find scripted scenarios for other simulations that will raise the issues of attribution, technical abilities, legal problems of when an intrusion into a network is an armed attack for purposes of the law of war, coordination between agencies and governments and private sector, response options available to governments or private actors like banks, etc.? Thanks.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.