One of the new features at the RSA conference this year is a series of Interactive Learning Sessions, where participants role play dealing with major security crises. I signed up for the very first one, National Cyber Crisis – Live Exercise Scenario, in which we spent two hours dealing with the threat of a nation state adversary about to attack our vital industries. We were divided into groups to represent the US Government, the cybersecurity industry, NATO Europe, and the two industries under attack, Energy and Finance. It did not take long for the government and cybersecurity players to be at odds over the appropriate level of data sharing, and for a real life government employee playing on the side of the cybersecurity industry to be expressing extreme skepticism over the accuracy of government intelligence.
The scenario that we were given was that in a time of increasing tensions between the US, Russia, and China, US intelligence had detected a command and control server communicating with malware infecting many of the computers vital to the Energy and Financial sectors in the US. However, the government was not prepared to issue more than a generic warning because they did not want make the malicious actor aware that they had been detected or how the detection had taken place. The malware was currently merely monitoring the infected machines but there was a strong possibility that there was a destructive component that could be activated on demand. We had ten minutes to come up with a recommendation for the President on what do to next.
At the cybersecurity industry table, we were desperate for more information. With a sample of the malware we could produce antivirus signatures to detect it, and possibly a removal tool. We could see if there were alternative command and control channels if we found a way to interdict the main C2 server that the government had identified. We did not particularly care if this was Russia or China, or indeed some other malicious actor. When our spokesman reported back to the President, (played with great panache by Major General John Davis, Acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense) our main request was more data from the government. The government table, on the other hand, recommended that no further data be released, for fear of intelligence leaks. Happily President Davis ruled that as much information as possible would be shared with all the concerned parties. (Did I mention what a great job he did?)
Just after this presidential directive we were hit with a further piece of intelligence. A spy in Russia had reported that the malware was indeed controlled by the Russian government, and that activation of the malicious and destructive component was imminent. The Department of Defense employee seated next to me at the cybersecurity table was immediately suspicious. “I don’t trust it. They might be a double agent,” she speculated, “Or a false flag operation by the Chinese.”. Where were you when we were hearing about Saddam Hussein’s weapons of mass destruction, I didn’t say. We were assured by the moderators that the source was reliable, and went on to make our plans to try and circumvent the disaster. That was easier for us than the Energy and Finance sectors, who had to make contingency plans for the collapse of their infrastructure.
Thanks to Major General Davis as well as the other facilitators, Dmitri Alperovitch and Jason Healey. It was a most entertaining and interesting way to spend two hours. We should all be thinking about this sort of scenario. Cyberwarefare is no longer science fiction and the Internet may be just another front in the wars and skirmishes of the 21st Century. The only thing I found unlikely about the scenario was the premise that the threat would be detected first by the government, and shared with the cybersecurity industry. Every other advanced threat from a nation state actor has been detected first by the cybersecurity industry. If the government is detecting these threats, they are keeping very quiet about them.