Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Cyber Shockwave - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Shockwave

At 8 pm EST (0100 UTC) on February 20th and 21st CNN will air a program called "Cyber Shockwave" which was filmed last Tuesday in Washington, D.C.  I was invited to be in the studio audience during the taping of the program.  I am frankly disappointed with the way it turned out.  First, the scenario used as a backdrop is not realistic.  The presumption is that a smartphone application is used to crash large portions of the nation's cellular phone system, which then leads to outages in the POTS (plain old telephone system) networks, which leads to loss of air traffic control, disruptions at the New York Stock Exchange, and massive power outages.  As most of our readers know, such a cascading effect across multiple networks and systems is not likely.  Not saying it's impossible, just not likely.  The second issue is the fact that the people playing the role of National Security Council members failed to recognize the role of the private sector until well into the second hour.  The government does not own or operate the communications infrastructure in the United States.  To leave the private sector out of the conversation is a massive oversight.  To be fair, the panel does recognize that the private sector has a role, but it comes after a long deliberation about how helpful the government should be.

My fear is that the average viewer will come away from this program convinced that the scenario is real (after all, why would CNN show something that is not real?) and that only the government can help lead us into a world of peaceful coexistence in cyberspace.  As most (hopefully all) of our readers know, cyberspace is very complex and security comes not from just the private sector or just the government but jointly, with each party playing a very important role.

I invite you to watch the program then post your comments or thoughts below using the COMMENT feature.

ps - watch the two maps, the one of the cell phone outages and the one of the electric grid failures.  The cell phone maps show "green" where there is 100% operation, including areas of the country where there is no coverage at all.  The electric power map is actually a map of the highway system.  Watch the highways go dark later in the simulation.  I've never seen highways go dark during a power failure (unless it's at night.)

Marcus Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler
This is absolutely nuts! They are talking about nationalizing power companies, completely federalizing the national guard despot protests from state governments, rationing fuel supplies...

The person that is "playing" the attorney general is saying, "Hey! We can't throw the constitution out the window because of a national emergency! We cannot just seize private sector assets at a whim of the president!" The person playing the secretary of energy basically says "Well why not?!" And the National Security Adviser wants to take actions to make sure that the government has absolute power to do what ever it deems necessary in any situation no matter what!!


Are you kidding me?!


Wake up America! The people in the government are going to install themselves into a position where the citizens will have NO RIGHTS AT ALL in any type of emergency!

Anonymous
Watching this was so disturbing I have to post again. Make sure you get everyone you know to watch this. This is the most scary thing I have seen since the actual 9/11 attacks. And its an exercise!

People in the public sector had better get their rear ends in gear and prepare to defend themselves from a hostile government take over in an emergency...

These "Officials" are talking about forcing ISP's to be responsible for making sure that anyone connecting to the internet has anti virus and anti malware! This will jack the price of internet services through the roof! I don't even want to imagine what that would take to enforce!

I love all the talk about the immediate need for legislation out of everyone involved in this. They are saying the legal issues are "murky"... what is murky about the constitution?!
Anonymous
Watching this was so disturbing I have to post again. Make sure you get everyone you know to watch this. This is the most scary thing I have seen since the actual 9/11 attacks. And its an exercise!

People in the public sector had better get their rear ends in gear and prepare to defend themselves from a hostile government take over in an emergency...

These "Officials" are talking about forcing ISP's to be responsible for making sure that anyone connecting to the internet has anti virus and anti malware! This will jack the price of internet services through the roof! I don't even want to imagine what that would take to enforce!

I love all the talk about the immediate need for legislation out of everyone involved in this. They are saying the legal issues are "murky"... what is murky about the constitution?!
Anonymous
these people are way too far up in the gov't to really understand the issue. terrorists don't have the resources to assert a coordinated attack on this vector, and have far more to gain from driving planes into buildings. other entities need the internet highly available so they can continue to perform data ex-filtration of classified and unclassified intellectual property at a loss of billions of dollars to US citizens and corporations. then there are the organizations which make very large profits from their pornography and gambling operations. hell, they'd pull out a can of whoop ass on anyone if they did anything to disrupt their operations. this is fud (fear, uncertainty and doubt) being advocated at the federal level because the general public "gets it" at this level. try explaining the complexities of a data ex-filtration exercise and how it impacts jobs and innovation in the US and watch everyone's eyes glaze over. as the general public stands in awe, pondering the lights going out the floodgates remain open while the very last shred of american ingenuity is flotsam to be skimmed by business persons worldwide.
Anonymous
After watching this, I do have to admit that it seems that the people in this simulation are out of touch with reality. Joe Lockhart especially. He wanted to send troops into another country and national some of the energy sector. Mr. Joe Lockhart, please stay away from my freedoms. I would say that the simulation was ridiculous, highly unlikely, and seemed more of a great way to scare people into hugging their government. I am just grateful that Jamie Gorelick was there to keep some of these participants in line. In the end, I would almost say that it would have been better that the simulation not have been done. These leaders, not all of them, are embarrassing.
Anonymous
The issue of patches, updates and using anti-malware products: the government and private sector are the major entities using outdated browsers, older operating systems in order to keep using legacy applications and delaying implementation of patches because it might break other applications on their network. Also, the idea that the private sector would be able to guarantee their software is 'hack proof' is unrealistic.
Anonymous
Don't forget that in 1918 the government DID take over the national telegraph system by declaration of the President and vocal approval by the Congress. The lasted for the duration of World War I. The government has a precedent.
Anonymous
I think they should be congratulated for even attempting to try to work this scenario out. Instead of slamming them for their chosen scenario, lets acknowledge their attempt.

If there was a catastrophic failure, people would be demanding their government to assist and rebuild -- sorta like the financial crisis. I'm sure American citizens recognize that the military performs 'exercises' for certain scenarios and we never get to see or witness these. I think it took some pretty big balls to demonstrate what a response to this threat might be.

Just my thoughts.
Anonymous
So they get worked up over a private sector occurence enough to want to put boots in russia over a server, nationalize utilities, and federalize the national guard against the wishes of the govenors, and shut down all phone communication demanding justification of case by case reactivation. to be clear a fictional e-fone app crashes all cell service of bt&t and it affects the internet and pots? then the power grid? this show was high on buzzword content and little else. this demonstrated that not only do our top brass have no idea what they're doin, they don't know what they're even talking about. this scenario was a bad die hard 4 rip off.
Anonymous
If you look at the organization responsible for actually putting on this "production" on :
http://www.bipartisanpolicy.org/events/cyber2010

they claim Bi-Partisanship. Not sure I completely believe that, because MOST of the big names were recent Bush Administration folks. Review the source of the information, and I think you might find that while the basis for the exercise might seem to be good, there are probably ulterior motives (it seems we may be getting back to Fear, Uncertainty, and Doubt). Although this is CNN, it almost smells of Cheney/Carl Rove and the "GOP is the only ones who can keep the country safe" sort of thing.
Anonymous
> monkeylord: So they get worked up over a
> private sector occurence enough to want to put
> boots in russia over a server, nationalize
> utilities, and federalize the national guard
> against the wishes of the govenors, and shut
> down all phone communication demanding
> justification of case by case reactivation. to
> be clear a fictional e-fone app crashes all
> cell service of bt&t and it affects the
> internet and pots? then the power grid? this
> show was high on buzzword content and little
> else. this demonstrated that not only do our
> top brass have no idea what they're doin, they
> don't know what they're even talking about.
> this scenario was a bad die hard 4 rip off.

Best comment I've seen. Hilarious and, unfortunately, true. The creators of this are desperately trying to have their voices heard, so much so that they are using the usual fear tactics and flashy headlines to get attention. Their main focus is: If we have an emergency, bureaucracy and lack of established communications paths make the USA poorly prepared for a targeted attack of large magnitude. It's really sad these people felt the need to put on a TV show presentation to get their voices heard. Unfortunately the presentation is plagued with inaccuracies and scripted show boating. Combine that with a very sensationalist approach to the media (I believe one of their headlines was "Cyber ShockWave Hits Washington") and you get more controversy and questions than answers.


Daniel.Hoffman

2 Posts
Now wait a minute, and let's not get so political for this discussion. The former head of the NSA and CIA, Gen. Michael Hayden, was involved in the creation of this exercise.

Say what you want about how unrealistic this scenario might seem, but this guy has unique information that most of us can only guess at. Not only does he know what's possible, he's likely seen it in action.

What if he's right??
Daniel.Hoffman
3 Posts
The head of the CIA and the head of the NSA are political appointments. The fact that the unrealistic scenario was created by politicians and not info-sec experts makes the results more of a political statement than a true risk assessment.
Daniel.Hoffman
1 Posts
Can anyone say "political agenda"? This is a move by government to bring "cyber threats" to the attention of the mainstream media, congress, and the average Joe, with the importance of establishing formal cyber initiatives and policy across the nation. Having said that, the problem is that most people do not understand the cyber threats we face as a nation. Some can say this was unrealistic, some can say that it is very likely to happen, but I think that is irrelevant. I think it was effective with what it was design to do....to give the policy makers something to talk about, as well as gather the nation's attention (and future legislative backing) to the issue. SECDEF moved to establish USCYBERCOM last summer...I can only see this as an avenue to help push it's official stand-up.
Daniel.Hoffman
1 Posts
Honestly, I am disappointed in most of the comments thus far. I was present in the Shockwave audience also. I tend to agree portions of the scenario were a bit far reaching. I also agree the direction of the discussion were, and should be, alarming to many. And I agree any solution(s) must include industry, and be international in nature. That said, let's review the facts.

The scenario was created by Fmr. CIA Director, General Michael Hayden (ret.) as well as the co-chairs of the 9/11 Commission, Fmr. Rep. Lee Hamilton (D-IN) and Fmr. Gov. Thomas Kean (R-NJ).

Industry participants included General Dynamics Advanced Information Systems, PayPal, Symantec, SMobile Systems, Georgetown University and Southern Co.

Participants: Michael Hayden (Bush – Director of CIA, Clinton – Director of NSA), Fmr. U.S. Secretary of Homeland Security Michael Chertoff (Bush), Fmr. Director of National Intelligence John Negroponte (Bush), Fmr. White House Homeland Security Advisor and CNN contributor Fran Townsend (Bush), Fmr. Director of Central Intelligence John McLaughlin (Clinton and Bush), Fmr. U.S. Senator Bennett Johnston, Jr. (D-LA), Fmr. National Economic Council Director Stephen Friedman (Bush), Fmr. U.S. Deputy Attorney General Jamie Gorelick (Clinton), Fmr. White House Press Secretary Joe Lockhart (Clinton), Fmr. National Security Agency General Counsel Stewart Baker (Clinton), and Gen. Charles Wald, USAF (Ret.), former Deputy Commander of the United States European Command (Clinton and Bush).

I would guess the experience of this group – specifically the intel folks – has provided a perspective on the cyber threat that is worth considering. I doubt there are many that have access to the info they have access to. Maybe the overall scenario is more real than any of us know or appreciate? I would not expect them to know the technicalities of the scenario (e.g. can a malware app spread from cell phone net to terrestrial net to power grid). Even if the specifics of the scenario are suspect, my guess is the effects are reasonable – it is not difficult to imagine how the effects could be achieved. How likely it is to happen is a different question and was not the intent of this exercise. These were national decision makers who were handed a situation and were discussing how to get the nation through it…not unlike post 9/11. And prior to 9/11, very few thought it was a realistic scenario – so we did not do a much planning for it either.

I personally believe the BPC did a good job from the bipartisan perspective…plenty of representation from both sides of the aisle. I also applaud their effort to draw some attention to cyber security. While I don't subscribe to "the sky is falling", I think the facts speak for themselves regarding the impact of cyberspace on almost every aspect of our daily lives, and the increasing cyber threat and vulnerabilities. The big picture outcomes of Cyber Shockwave are legitimate – U.S. cyber policy and law is not mature enough to adequately respond to a national cyber crisis. If we do not want the government "taking over" if / when something like this plays out, I'd encourage everyone to pitch in now to get the policy / laws in place before a crisis forces some really tough decisions. That was my take-away from the event. If you think industry needs to play a more active role, contact the BPC and let them know that. I'm fairly sure there will be some follow-on events. But they needed to start somewhere, and I think this was a good first start. Reasonable critique will make future events better – but the criticism ought to be paired with a suggestion on how to make it better; not just a shot across the bow.
Daniel.Hoffman
1 Posts
Have we all forgotten our history????

In World War I the US Government took over and nationalized the transportation networks in the United States. In 1917, the largest publicly traded railroads were taken over and run as a single organized system under the Federal Possession and Control Act of 1917 to better aid the war effort. http://www.history.com/this-day-in-history.do?action=Article&id=25

In World War II the US Government didn't exactly take over the automotive industry, but required that all civilian manufacting plants stop producing automobiles and retool and start producing jeeps, trucks, and plane parts for the war. If you were worried about fuel rationing, in WWII as a civilian you couldn't buy a new car or even a tire for your old one...

Eventually the companies were returned to the private sector, and compensated by the US Government for the excess ware and tare.

It is only safe to expect, that in our next war of significant proportions, that the US Government will take over the "Information Superhighway". To guarantee its routing and core dependencies, I would expect that takeover to include the Internet, Cell Phone Systems, Cable Systems, FIOS, etc etc. And like in the past, I would expect them to return to public control after the need was gone. Especially if its a "Cyber War".

If we look to past, we can indeed see the future.
Daniel.Hoffman
1 Posts
Hello, I have been tracking this story. I downloaded the programme and edited it to its bare bones. Might make it easier to pass along if you can show the quotes in 3-minute soundbytes instead of the rather boring 2-hour version. I haven't had the chance to analyze in depth their talking points, but Stewart Baker in particular is quite vicious towards the constitution (bad cop) while Jerry Lockhart is equally constitutionally corrupt, but he plays. The constitution is not 'current law' as Gorelick implies it is: it is the bedrock of the legal authority of the national government.

http://axiomtoday.wordpress.com/2010/03/01/4-videos-of-cyber-shockwave-talking-points/
Daniel.Hoffman
1 Posts

Sign Up for Free or Log In to start participating in the conversation!