Simulated Asymmetric Cyberwarfare

The first question that occurred to me when I read this story, “CIA Overseeing Three-Day War Game To Mimic Response To Crippling Internet Attack” by Ted Bridis, May 26, 2005, was: why wasn’t Homeland Security doing this, instead of the CIA?

Then I remembered the Homeland Security Partnering Conference of last month, in which I was reminded that a bit more than one percent of DHS’s funding goes to Cyber Security, and about the same amount to Critical Infrastructure Protection; if you rummage about on DHS’s web pages, you’ll find pie charts about this. The conference attendance reflected DHS’s real priorities. The attendees were heavily from national laboratories and large research universities. The talks were mostly about nuclear, chemical, and biological threats. All real concerns, and ones DHS should be dealing with.

Still, I was troubled by a question from a law enforcement attendee at lunch, which was, more or less: why is there anything here at all about the Internet? You can’t do terrorism through the Internet!

It’s true it’s hard to kill people directly through the Internet, and I’m glad of that. However, it’s not so hard to disrupt systems through the Internet, as phishers are demonstrating. A well-timed pharming attack on financial services DNS servers could create quite a bit of disruption.

Plus, an increasing amount of the electrical power grid’s SCADA (Supervisory Control and Data Acquisition) system runs on top of the Internet, and, from what I’ve heard, with minimal security. We saw only a couple of years ago the kind of cascade failure a single accidental malfunction caused in the Northeast power outage.

Sceptics will note that few people died in the Northeast power outage, and indeed we were fortunate. But terrorism isn’t really about killing: it is about achieving political ends. It’s worth reading what John Robb has been writing about petroleum pipeline and electrical outages related to the Chechen situation. If Robb is right, a few carefully placed explosions that killed nobody are near accomplishing what many years of bloody warfare did not.

Back to the article about war games:

“‘Livewire,’ an earlier cyberterrorism exercise for the Homeland Security Department and other federal agencies, concluded there were serious questions about government’s role during a cyberattack, depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

“It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.”

Private companies are already having to deal with systems disruption such as phishing and pharming and spam and DDoS attacks. More robust and diverse private methods and players dealing with such problems would make government’s job a lot easier, by doing a lot of it already.

One could well argue that government will never be able to do the job alone, because of the worldwide, distributed, open source nature of the perpetrators. Only a similar array of worldwide, distributed, and diverse countermeasures can succeed. Private industry is already having to produce such countermeasures for problems such as phishing, where law enforcement, much less homeland security or intelligence agencies or military, have not yet become engaged.

The catch is that nobody wants to pay for such a large set of projects. Government can play a role by seed funding innovation; after all, that’s how the Internet got started. Then the trick is to make the new projects pay for themselves. Private industry is already working on that, too.