A non-commissioned officer with the 627th Communications Squadron works on a computer system at Joint Base Lewis-McChord in Washington. (Ingrid Barrentine/JBLM PAO)

We’re Saved! Experts Show How to Fix U.S. Cybersecurity

The four-hour experiment that showed how to protect our nation’s infrastructure from cyberattack.

By Patrick Tucker

The date is April 4, 2015. A major cyberattack hits two generators in Florida, knocking out power in the cities of Coral Springs and St. Augustine, leading to multiple deaths and millions of dollars lost. One month later, Congress has to get a bill to the president to fix the vulnerability. But political gridlock, media histrionics and aggressive lobbying from industry make passage of a bill far from certain. With this as their background, 350 members of the Truman National Security Project ran a massive simulation on Saturday to see if the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis.

In a few rooms at the Washington Plaza hotel, the simulation played out dramatically over the course of four hours. The feel was Washington, D.C., at hyper-speed. Five minutes into the experiment, a poll revealed the president’s approval rating falling to 35 percent, with the public trusting Republicans more than Democrats to handle cybersecurity. Rumors about the origin of the attack moved in whispers. Within ten minutes, business interests sought full liability protection for American utility companies and software providers. Players’ phones buzzed with push notifications from dueling press releases, news reports and polls, adding a realistic urgency to the action.

The exercise represented something of a first in size and scope for legislative simulations, with players drawn from Hill staff, the cybersecurity field, and the military. In theory, it showed that Congress and the White House are capable of passing a cybersecurity bill with mandatory standards for industry.

Matt Rhoades, director of the cyberspace and security program at Truman and the designer of the experiment, described it as an acid test to reveal the effectiveness of the White House’s recent Cybersecurity Framework, released in February. The framework is a set of practices and guidelines for utility companies, software designers and cybersecurity players to protect the nation’s critical infrastructure from attack.

When asked why cyber industry officials would voluntarily adopt security standards that might be costly to implement, a senior administration official, speaking to reporters on a conference call in February, cited “enlightened self-interest,” and said, “It’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

The White House framework received some praise for its contents, but the absence of any enforcement measure led experts such as Information Week’s Dave Frymier to dismiss it as “a relatively small step in the direction of improved security.”

On the other side, researchers such as Eli Dourado and Andrea Castillo of George Mason University suggest in a recent white paper that the framework, voluntary provisions and all, will likely do more harm than good.

“In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they write.

Politically, the framework represented the best White House officials could have hoped for at the time. In recent years, efforts to pass cybersecurity legislation have stalled on issues such as whether standards should be mandatory and what sort of liabilities utility companies and other industry players should face in the event of a major incident.

After years of political infighting, little has changed to make the country safer from cyberattack, hence the necessity of the experiment in the eyes of Rhoades.

“I have felt for a long time… that it’s unlikely that we will get much policy movement in the cyber area without a crisis,” Rhoades told Defense One. “So that leads me to two questions. One is, what is our threshold in terms of what sort of crisis actually spurs that on? The second one is, if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions -- are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

As to the timing for the experiment, set for May 2015, Rhoades explained, “We wanted to give the executive order framework about a year to kick in, get out of the election season… get to a time of year that makes policy more relevant.” “This time next year there will be a whole new cast of characters,” he said, citing the retirement of House Intelligence Committee Chairman Mike Rogers, R-Mich., as emblematic of the changes that could influence cybersecurity policy in the coming months. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

How did the game play out? A simulated House and Senate were barely able to pass a bill with mandatory provisions for industry to follow to improve cybersecurity. But this outcome was no liberal pipe dream. The White House had to carve out a role for industry via a public-private working group consisting of the Department of Homeland Security, a council of industry players and others. “Republicans were willing to accept the mandatory standards because they felt industry had more of a role… it was important to have industry at the table as part of a legislative process that was ongoing,” said Rhoades.

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of the president in the simulation, told Defense One, “This weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”

Though the simulation was staged, the problem it sought to address is very real. Recent research from Wired revealed as many as 25 security problems in the supervisory control and data acquisition, or SCADA, systems that connect to many of the nation’s water, power, and other critical infrastructure assets.