You Can't Script a Cyberwar
This week, the federal government will launch Cyber Storm II, a simulated massive Internet-based attack against the nation’s critical infrastructure. The goal is to test the readiness, resiliency and responsiveness of the country’s Internet security.
The last exercise, held in February 2006, revealed—as designed—numerous deficiencies, including a lack of adequate resources at various levels of government to respond to coordinated cyberattacks and weaknesses in the defensive layers that protect everything from privately owned communications and transportation systems to the Department of Defense’s network.
“As designed” are the key words here. In carefully crafted language following Cyber Storm I, the government reported that its operators did not respond 100 percent correctly to each scenario and numerous mistakes were made. Planners at the departments of Homeland Security, Defense and Justice used the results to modify and improve security at critical junctions of the national cyber infrastructure.
At least, that’s what they say they did.
As the date approaches for the simulated unleashing of the digital dogs of war, the Pentagon is admitting that a security breach discovered last summer compromised significantly more data than initially reported. It turns out that the June incident was the result of an exploit of a Microsoft Windows vulnerability. Hackers, believed to be based in China, were able to steal network credentials, access servers and, most significantly, transmit the pilfered data back to their home site in encrypted streams that concealed what was leaving the network.
In reading the reports leading up to Cyber Storm II, I started thinking about the key words: scenario, exercise and proper response. The problem with government exercises, be they natural disasters, war games or cyberattacks, is that they are usually scripted with an intended result. And whenever you script anything, you end up looking only for what you already consider possible, never for what you have written off as impossible.
Case in point: During Cyber Storm I, the servers used for simulating the networks and attacks were themselves attacked. Referees discovered the attacks were coming from their own participants who became “overzealous.” They were quickly told to cease and desist before they disrupted the simulated attacks. Was that really the right course of action?
The entire thing reminds me of Clint Eastwood’s movie “Heartbreak Ridge,” in which Marines in one unit are told precisely what to do during exercises so another unit could hone their superior skills by continuously winning. Eastwood’s character, Gunny Sgt. Highway, justifies ignoring his orders to lose the battle by stating, “We’re Marines. We adapt and overcome.” In other words, you can’t always anticipate what your adversary is going to do, and you must be flexible enough to adapt to changing circumstances.
It was somewhat the same advice I was given recently while drafting a security survey. Rather than just measuring security priorities, incidents and spending, I decided to look at how security executives and enterprises perceive threats and then measure how well they respond to them. The list of threats included all the usual suspects: viruses, identity theft, e-mail attacks, user misuse and abuse, organized hacker groups and so on. One of my reviewers, a security veteran who works for a large government contractor, responded simply: “You need to think about the things you haven’t seen.”
A few years ago, I wrote a feature on crypto-viruses, malware that uses encryption to penetrate, steal and conceal data. At the time, people said it was possible and very scary, but not something that had been seen in use, and likely not practical for hackers because of the level of expertise and the computational overhead required. Guess what? It looks as though the Chinese hackers that hit the Pentagon last summer resolved both issues.
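As an added example, not code from the column or from any of the agencies it discusses, here is the kind of triage check a defender might run against the encrypted outbound streams described in the Pentagon incident and in the crypto-virus discussion above: an entropy test over outbound flow payloads, which flags data that looks like ciphertext leaving the network. The flow records and payloads are constructed for the example, and the SHA-256 counter-mode keystream used to build the "encrypted" sample is a stand-in for whatever cipher an attacker would actually use.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = 7.5, min_len: int = 512) -> bool:
    """Heuristic: a long payload with near-uniform byte statistics is treated as ciphertext.

    Compressed archives and TLS records trip this too, so it is a triage signal to be
    combined with destination, volume and timing context, not a verdict on its own.
    """
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


def flag_exfil_flows(flows, threshold: float = 7.5, min_len: int = 512):
    """Return the ids of outbound flows whose payload looks encrypted.

    `flows` is an iterable of dicts with keys id, direction ('in' or 'out') and payload (bytes).
    """
    return [
        f["id"]
        for f in flows
        if f["direction"] == "out" and looks_encrypted(f["payload"], threshold, min_len)
    ]


# --- Constructed sample traffic (assumption: not captured data) ---
def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in for a stream cipher: SHA-256 in counter mode. Used only to build the sample."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# A "stolen document" in the clear, and the same document encrypted before transmission.
PLAINTEXT_DOC = b"Quarterly network diagram and credential export for the staging cluster. " * 40
CIPHERTEXT_DOC = bytes(
    p ^ k for p, k in zip(PLAINTEXT_DOC, _keystream(b"constructed-sample-key", len(PLAINTEXT_DOC)))
)

SAMPLE_FLOWS = [
    # Short, ordinary request: too small to judge.
    {"id": "flow-1", "direction": "out", "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
    # Large but readable: low entropy, not flagged.
    {"id": "flow-2", "direction": "out", "payload": PLAINTEXT_DOC},
    # Large and uniform: the encrypted exfiltration stream.
    {"id": "flow-3", "direction": "out", "payload": CIPHERTEXT_DOC},
    # Same bytes inbound: not exfiltration, not flagged.
    {"id": "flow-4", "direction": "in", "payload": CIPHERTEXT_DOC},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["id"], f["direction"], len(f["payload"]), round(shannon_entropy(f["payload"]), 2))
    print("flagged:", flag_exfil_flows(SAMPLE_FLOWS))
```

Run stand-alone, the script reports the entropy of each constructed flow and flags only flow-3. The point of the example is the second half of the column's argument: the encryption that makes the stream invisible to a content filter costs the attacker a few lines of code, and the defender's remaining handle is statistical, which is why this check has to be tuned against a baseline of legitimate encrypted and compressed traffic before it is trusted.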
Five years ago, who would have thought that organized crime groups would construct vast networks of distributed experts and resources to conduct cybercrime? Even in the wake of 9/11, few in the security world took the threat of nation-state attacks and cyberterrorists seriously, saying that the impact wouldn’t be as significant or as shocking as a physical attack on a major building, such as the World Trade Center and Pentagon. And no one saw phishing evolving into the serious threat to commerce and e-mail usage that it has become. Innovative threats have a way of festering in the background because they’re dismissed until either someone gets whacked or someone figures out a way to make money by protecting against these threats.
To the planners of Cyber Storm II and every corporate security officer, my advice is to adopt Adidas’ new slogan: “Impossible is nothing.” Your adversaries already have this saying hanging over their PCs. If we fail to be open to the possibility of the impossible attack, we’ve already lost the war.
Lawrence M. Walsh is editor of Baseline Magazine. Share your thoughts on simulating attacks and penetration testing at firstname.lastname@example.org.