Report: The Cyber ShockWave event and its aftermath
by Steve Ragan - Feb 17 2010, 02:38
When it comes to the protection of the nation’s infrastructure, the government is lacking in several areas. While it has the ability to act offensively, if it knows who the enemy is, the trick is to collect enough information and retaliate without violating domestic and foreign policy and law.
The Tech Herald was in Washington D.C. on Tuesday to witness the mock Cyber ShockWave event. Here’s what we walked away with:
Cyber ShockWave started with a vulnerability in the operating systems used by various smartphones. Thanks to a malicious application celebrating the NCAA’s March Madness, spyware that included a keylogger and data intercept component was loaded onto smartphones. The application was then used to funnel millions of dollars to banks overseas. From there, the data and money-snatching application morphs, turning the infected devices into bots and adding them to a telecommunications botnet.
The bots start to download videos showing 'The Red Army'. The downloads and resulting spread of the video subsequently flood the data networks of major carriers, and slow them to a crawl before crippling them altogether. After that, the malware on the smartphones starts to replicate, thanks to sync programs linking information from the phone to a computer. Once the computers are infected, the ISPs face the same issue the telecoms faced. In the end, both communications systems are crippled.
If this wasn’t enough, weather patterns resulting in a heat wave and hurricanes stress the electrical system. This is where things go south, on a major scale. A hurricane wrecks the petroleum refining and natural gas processing centers, and a stressed electrical grid is hurt more by Improvised Explosive Devices (IEDs) and what is assumed to be a malware attack on the Secure Trade power trading platform.
Both incidents are deemed critical, and the former top U.S. officials debated how to respond for most of the event. The problem is that by the end of the debates, during both sessions, there were no real answers.
Behold the confusion that is Cyber ShockWave
Can we nationalize the U.S. power system? Should the National Guard be called out? The FBI reports that it has traced the services used in the March Madness application to Russia -- is retaliation called for? Two IEDs were detonated in two different power facilities; is it terrorism? According to GNN (the news source for media information during the event), there was a cyber component to the electrical outage, later assumed to be related to patches on the Secure Trade software. Was this the work of an insider? These were the topics of note, and the confusion only led to more questions and few answers.
The downside to the ShockWave, as it were, is that there were just too many levels of attack at the same time. The Cyber ShockWave exercise was meant to create a possible attack scenario, but not one that is total chaos. However, by adding the botnet side to the telecom attack, and throwing in natural disasters as well as potential terrorism on and offline, they added too much to what they kept referring to as the 'Perfect Storm'.
The malicious application causing harm to telecom and ISP networks is one scenario that is highly likely, as more and more applications make it to market and more and more people switch to smartphones. The odds of this happening at the same time that the power grid is attacked, and a hurricane kills off oil and gas production, are simply too high to compute.
The point of it all
The main point to take away from Cyber ShockWave, at least how we see it, is that there needs to be a solid level of cooperation inside the government first, and then also between the government and the private sector. There is no 'I' in team and, when it comes to protecting the assets within the backbone of the Internet, both private and government entities have a lot to look after.
One interesting point came up when debating the Russian server -- the one the FBI said was linked to the telecom attacks. Why doesn’t the government simply shut it down? The reason is that doing so could be considered an act of war. No one knows, because there is no policy or precedent regarding such an action.
The mirror side to this would be the question, what if the Russian server was a jumping point to a server in the U.S.? If so, can we then shut it down? What would be the reasoning? While killing a server in a foreign country could be perceived as an act of aggression, doing so on our own soil could be a violation of various laws, unless a state of emergency is ordered. Once that happens, according to the panel, the U.S. President has a good deal of leeway.
There are few limits to what the government can do in response to a threat to national security. Those limits that do exist are enforced by policy and U.S. law. What this means is that, while there were several ideas passed around, many of them were without precedent, so couldn’t be acted on.
For example, there was a patch for the smartphones, one that would fix the malware issue. Yet, only 50 percent of consumers applied it. To prevent further attacks on the telecommunications system, you can ask the people to stop using phones, or simply force them to stop using them by turning them off remotely. If the issue was forced, and the government did something to turn the phones off, then there would be serious consequences to deal with later.
In the end, the Bipartisan Policy Center, which put Cyber ShockWave together, had hoped the gaps existing within the law and government policy relating to cybercrime and cyberattacks would be exposed. It got its wish, as gaps in both areas were exposed; but when it comes to balance between the private and government sectors and security, it takes more than policy to make it work.
It would have added a ton of weight to the exercise if there had been some sort of consultation with energy companies or telecom representatives. They were absent during the mock attacks, and their absence was felt when you consider that by the time the President was 'briefed', there was no solid plan of action as to how to deal with and recover from the incidents.
There were some smart and skilled people on the panel. Yet, the scripting made the panel come over as clueless when considering the reach, intelligence, and overall capabilities of foreign attackers. The current cyber capacities of the various international terrorist groups were left completely off the table.
Overall, the Cyber ShockWave event was more media hype than actual intelligence and insight. We had hoped to see some of the political heavyweights on the panel act with their full capacity and experience, but they either couldn’t or opted not to. If anything, the federal employees who attended learned that managing IT in the public world, and dealing with threats there, is nothing like attempting the same feat within the federal government.