We’re Saved! Experts Show How to Fix U.S. Cybersecurity

A non-commissioned officer with the 627th Communications Squadron works on a computer system at Joint Base Lewis-McChord in Washington

Ingrid Barrentine/JBLM PAO

The four-hour experiment that showed how to fix our nation’s infrastructure from cyberattack. By Patrick Tucker

The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.

In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.

The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.

Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.

When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymier to dismiss it as “a relatively small step in the direction of improved security.”

On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in a recent white paper that the framework, voluntary provisions and all, will likely do more harm than good.

“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.

Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.

After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.

“I have felt for a long time… that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season… get to a time of year that makes policy more relevant.” “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role… it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”

Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets. 
