I caught a CNN broadcast this last March, while stranded at the Baltimore Airport by a blizzard -- it was their Cyber Shockwave war game simulation done in conjunction with the Bipartisan Policy Center.
The government officials were 'played' by fairly experience, but not current, government officials ... including:
Michael Chertoff, Former Secretary of Homeland Security
Fran Townsend, Former White House Homeland Security Advisor
John Negroponte, Former Director of National Intelligence
Jamie Gorelick, Former Deputy Attorney General
Joe Lockhart, Former White House Press Secretary
John McLaughlin, Former Acting Director of Central Intelligence
Stewart Baker, Former National Security Agency General Counsel
Charles Wald, Former Deputy Commander of U.S. European Command
In short, a fairly impressive community of experience.
The scenario included a massive attack on U.S. Smart Phones, overloading of the Internet infrastructure, and closing with attacks (cyber and physical) on the electric grid. (The event was called "March Madness")
Many issues surfaced, including the reality that the US Government does not have defined emergency response powers that might be needed to deal with an attack of this nature. Also, that the window of vulnerability, even after the attack (if it were real) until the U.S. instituted the elements of protection would be years. Elements mentioned include:
- Policies to encourage/ require ISP's to reject unsafe clients
(don't allow connection, or terminate connection when needed, of systems that do not pass a "clean" test - virus protection, firewall, etc.)
- Some ability to 'direct' priorities for power distribution/ recovery
- International agreements on collaboration to control and/ or track down attack vectors
(exacerbated by the spoofing of sources, and control of 'bot net'/ zombies that facilitate such attacks)
- Need to educate the public on the nature of the problems, and their responsibilities to practice safe computing
Overall the challenge faced by the government in this case was compared to "Skating on stilts" by one of the participants.
Subsequently I attended the East West Institute's CyberSecurity conference
. Here we had a chance to discuss real world examples with folks from very high levels of government around the world. It is clear billions of dollars of damage is being done by industrial espionage and criminal activities. Also nation-states are being attacked, and cyberwarfare is a component of national defense. Cyber attacks lack the "above the fold" pictures of carnage that terrorists seek, but no doubt there are threats there as well. Where known attack vectors exist, for example in parts of the US power grid, limited corrective action has been taken. I was surprised at the response from one expert indicating "that attack was mis-using the equipment" -- and they expected bad guys to play by their rules?
Why does the IEEE Computer Society care? This is an area where we have academic and practitioner expertise. Obviously between the Computer Society, Communications Society and Power and Energy Society, as well as a number of other parts of IEEE, there is significant brain power and insight that could be of use to many of the stakeholders affected by such threats and attacks. Well considered recommendations could be of benefit for all interested countries, corporations, and the computer using public at large. We need to have the internal dialog among professionals on how to facilitate better security practices at all levels, where to educate policy makers, where to educate the public ... and most critically, how to educate the broad range of professionals in our field who may not recognize they have a need to know. Security is not something for version 2 of the product, or 'wait till we have a problem'. Moreover, suppliers of "security" products want you to buy their products, even if they are not targeted at the most critical or likely problems you face.
So what can we do? We need a few volunteers to help create and build an online community where we can coordinate activities beyond our traditional publications and conferences. Our instant communities are well suited for this. Ideally we would have folks with ties into key CS resources such as our Security and Privacy Magizine, Techincal Committee and conferences. But helping to deal with the educational, policy and public issues in this area goes well beyond our traditional techincal activities. There are some concepts and discussions that need to remain trade or governmental secrets ... and the CS is not the forum for these discussions. But there is real need to help professionals world wide expand their understanding, and to address these real world threats. Engineers without borders helps respond to crisis situations and needs by going "on site" to rebuild or establish essential infrastructure. The need here is similar, even if it does not require leaving your office.