How Would the U.S. Respond to a Nightmare Cyber Attack?
The danger of overreaction is very real.
It’s been a busy summer for computer security mavens. The U.S. and China locked horns on cyber espionage, Edward Snowden allegedly leaked classified intelligence about National Security Agency (NSA) monitoring programs that target communication networks, and the Cobalt malware took 13 U.S. oil refineries offline. If you missed that last one, that’s because it was fictional—a scenario created for a student cyber attack challenge held on June 15 at American University in Washington, D.C.
The event was a sort of a hybrid Model U.N. hackathon cyber war games exercise, involving 65 college and graduate students (including myself) who are training for careers as future cyber warriors and policy makers. In many ways the Cyber 9/12 Student Challenge mirrors the U.S. government’s own Cyber Storm exercises, with the important exception that the student exercise isn’t mandated by Congress to strengthen cyber preparedness in the public and private sectors.
The Cobalt malware—an invention of the Atlantic Council, which hosted the event—was fake, but its target was a real-life vulnerability: the U.S. energy infrastructure, specifically the oil refineries and pipelines that produce and transport gasoline and other refined fuel products all across the country. Almost any discussion or description of a doomsday cyber scenario involves an attack on U.S. critical infrastructure. You can see this play out in the Cyber Storm exercises hosted every few years by the Department of Homeland Security for government and industry organizations to practice cyber threat responses. In three simulations that took place in 2006, 2008 and 2010, catastrophic cyber attacks caused clear and serious physical damage. A computer virus that turns off the lights, shuts down the telephone system and halts military operations could cost lives.
To date, intentional computer-based attacks that have direct physical impacts have been few and far between, so far as we know. That doesn’t mean these scenarios couldn’t happen in real life, or that there aren’t real and serious vulnerabilities in the country’s critical infrastructure networks. There is a perception that we haven’t yet experienced such a catastrophe because of a combination of luck and the reluctance on the part of nations, militias and other entities capable of launching a cyber attack to set a dangerous precedent. In 2011, for instance, news outlets reported that the Obama administration decided against infiltrating the computer systems of the Libyan government to interfere with their military communications and air-defense system due to concerns about whether other nations might follow suit as well as uncertainty surrounding whether such measures required Congressional approval. The Stuxnet worm that in 2010 struck Iranian nuclear facilities, causing centrifuges to speed up, thereby interrupting the uranium enrichment process essential for the development of nuclear technology, is the exception, judging by unclassified knowledge.
At the Atlantic Council’s event, there was a strong sense that a successful cyber attack on U.S. critical infrastructure is inevitable. There’s also a pervasive fear that when (or if) such an attack occurs, the U.S. is primed to overreact. Department of Defense announcements that they intend to view cyber attacks as “acts of war” suggest a military force nearly itching to flex its muscle in response to a serious computer network–based disruption, if only as a means of deterrence. Cybersecurity professionals—not to mention students hoping to work in the field someday—can also have an incentive to trumpet the threat of cyber attack that at times may heighten the risk of overreaction. At least five times over the course of the daylong cyber challenge, we were reminded by presiding officials how crucially important the work we’re doing is, and how desperately the country needs people like us.
Concerns about overreaction and the use of military force in response to digital intrusions often lead to discussions about the difficulty surrounding definitive attribution of these types of attack. If you want to retaliate, how do you know whom to hit? In our exercise intelligence pointed to Russia, but the evidence wasn’t clear-cut.
Most teams urged against retaliating in kind with a comparable cyber attack or to exercising traditional military power. Cobalt was not devastating, and Russia was not clearly the culprit. Several groups advocated diplomatic engagement, echoing the approach taken by the actual U.S. government just one week earlier during the informal summit between President Obama and Chinese leader Xi Jinping in Rancho Mirage, Calif., where cyber espionage was among the topics discussed.
But, again, espionage is not the nightmare scenario—nor is the shutdown of 13 oil refineries. Still, halfway through the student competition in Washington, D.C., when the scenario was updated with new (fake) intelligence indicating a severe escalation of the Cobalt situation, policy recommendations began to veer more toward displays of cyber and physical force by the U.S. military.
The update was alarming: three oil pipelines in the Gulf coast region had been shut down, following malfunctions, and several other pipelines in the region were taken off-line to search for Cobalt infections. Meanwhile, supervisory control and data acquisition system vendors in the U.S. and Germany were experiencing a distributed denial-of-service (DDoS) attack, and several terminals and servers in Russia had been identified as responsible for both the DDoS attacks and activation of the Cobalt malware. The stock market was dropping like a rock, and several private sector firms appeared poised to carry out their own form of vigilante retaliation against Russia by trying to identify and penetrate or cut off the responsible parties’ servers and networks.
The teams had to come up with a response to this escalation within hours. The time pressure was intense, and as the situation grew more serious, the consensus for diplomatic engagement dissolved. The 19 groups suddenly diverged considerably about what the proper response should be. The 65 students, all in their mid- to late 20s, wearing business suits and military uniforms, filled every open classroom in the American University’s School of International Service, whispering feverishly about whether the U.S. should launch a DDoS attack of its own, bomb the Kremlin, invoke Article 5 of NATO to set in motion a collective defense by U.S. allies, or to authorize the members of the private sector to exact their own revenge by working among themselves to shut off connectivity to pieces of the network carrying malicious traffic or to infiltrate or flood the responsible servers.
What does this say about how the U.S. government would respond to such a situation? The recent cases of high-volume espionage of China, which are considerably less intrusive than the fictional Cobalt attacks, don’t give us much to go on. Would the U.S. stick to diplomacy or turn bellicose?
The more important question is how well prepared will the U.S. be if and when an attack comes? Considering how a cyber attack would play out in the heat of the moment may be more exciting than the reality, because by the time an attack occurs many of the options may be practically preordained by the security controls we have in place. Preparation determines the quality, agility and sophistication of answers to mundane but important questions: What kinds of security standards are in place for critical infrastructure networks? Who sets them? Who enforces them? What threat information do companies and government agencies share with one another? How do they share this data—and how quickly? The ability to answer these questions will ultimately determine the impact of a large-scale, sophisticated computer network breach. And because the Pentagon has asserted that its response will be commensurate to the impact of an attack, rather than the means, how effectively we prepare will play a major role in influencing what our response ultimately looks like.
We may soon know what the U.S. government would do. Many people in the field are expecting to see a major breach soon. As former CIA and NSA director Michael Hayden predicted in his keynote remarks to the students at the cyber challenge, “By the time you do this next year, you won’t have to be so imaginative in creating the scenario.”