Mock cyberwar fails to end mock civilization

Not for lack of trying

A mock cyberwar enacted by faculty of the US Naval War College and analysts from Gartner does not appear to have fulfilled the Clancyesque predictions of mass devastation envisioned by the leading security paranoiacs of the Clinton and Bush Administrations.

The exercise, named "Digital Pearl Harbor," apparently in tribute to US CyberSecurity Czar and Chief Alarmist Richard Clarke, brought together a team of experts in several areas related to critical infrastructure for a three-day hackfest.

The red teams were divided into telecomms, Internet, electric power and finance sub-groups. To make the exercise as realistic as possible, the popular Hollywood and National Security Council clichés of brilliant geek-misfits wreaking mass mayhem from some deluxe hobbyist dungeon were abandoned. Instead, the attackers came from the upper levels of the tech world: engineers, programmers, mathematicians, many with PhD degrees and decades of practical experience to their credit.

It was assumed that the operators would be bankrolled with at least $200 million, would have access to state-level intelligence, and take five years to plan their attacks. The goal would be to create not mass destruction, but crisis in public confidence sufficient to shift the balance of power (presumably as an accessory to a real war).

Now this I can accept as a plausible scenario. Technically speaking, a dream team like the one described with the money and time assumed can definitely do some damage. On the other hand, I doubt they'd be able to keep an operation that size secret for five years, especially as they'll need to recruit inside help. Someone's going to do something stupid, say something stupid, or approach the wrong person for assistance. And indeed, one of the team leaders, David Fraley in the telecomms group, made a similar observation.

Another assumption I would challenge is the belief that disruptions, even coordinated disruptions, in these areas would in fact result in a major crisis of public confidence. We've seen cities immobilized for days by natural events like blizzards, the severest of which are often accompanied by power and communications breakdowns, financial inconveniences and failures of emergency response teams to function, and yet life goes on. Human beings simply aren't as fragile and narcotically-dependent on state authority as the government desperately desires them to be. We shift for ourselves rather well for moderate periods of time when the infrastructure of state paternalism lets us down and the life-giving commercial heartbeat flatlines. People are remarkably good at solving problems, both individually and in small ad-hoc groups. Thus we survive earthquakes, floods, blizzards, depressions, epidemics, hurricanes, foreign occupations, famines, plagues, slavery, volcanic eruptions, sustained V-1 and V-2 bombing campaigns, and the like.

If we couldn't, we wouldn't be here now.

With that said, it's nevertheless clear that a fair amount of mischief can be brought about by a large, well-funded technical dream-team. Telecomms group member Fraley reported that it's possible to cause SS-7 (Common Channel Signaling System #7) and PSTN (Public Switched Telephone Network) capacity to collapse for a brief period. However, it would take a very large investment in both personnel and money (bribes, presumably) to accomplish even that much. Perhaps 200 people would be needed, he reckoned. A satchel bomb thrown down a manhole in Manhattan would be far easier, far cheaper, and still fairly destructive, he remarked.

As for the power grid, it's national, and controlled by large, complex SCADA (Supervisory Control and Data Acquisition) systems. Still, it's only feasible to target a large metropolitan area, team member John Dubiel noted. Attacking the entire grid would be quite impractical. The best approach would be physical attacks on major transmission corridors, all of which are well-known, followed by the malicious use of owned control systems to create a pattern of cascading failures throughout the target region. "At this point the system is attacking itself," he observed. Finally, one would attack and damage the SCADA systems themselves to hamper recovery efforts.

It's possible to launch remote attacks against some SCADA systems connected to public infrastructure, but insiders would have to be recruited to attack others, he added. Furthermore, this would have to be coordinated brilliantly and carried out in hours, not days, to thwart the counterbalance of ongoing recovery efforts. We can assume that with a $200 million war chest, the attackers will have little trouble buying the needed cooperative insiders. But there again, the more people involved, the greater the chance that some dumb bastard is going to slip up in a big way and blow the whole operation.

In the finance area, group member Annie Earley recommended attacking markets and disrupting cash flow and credit availability in the consumer, corporate and institutional realms simultaneously to undermine public confidence. To get the most long-term damage from the smallest investment, she advised attacking the ACH (Automated Clearing House) payments system.

According to the Federal Reserve, in 2000 ACH handled 4.8 billion items valued at $12 trillion, including salary deposits, consumer and corporate bill payments, stock dividends, Social Security and other entitlement payments by the US Treasury, insurance premiums, and stock purchases.

Earley says it's painfully easy to replicate the ACH format and simulate a valid transmission while substituting bogus transactions. I was rather impressed with her diabolical imagination. Imagine starting the attack on Friday, 26 November 2004, the start of the Thanksgiving holiday weekend. Social Security benefits will be paid during the weekend, creating a flood of activity within which to conceal numerous other malicious efforts involving salary deposits and scores of other transactions handled via ACH. All the bogus payments would be formatted legitimately and be small enough not to attract attention (under $10,000 each). Short-staffing on the holiday weekend reduces the chance that oddities will be noticed. Earley expects 30-45 days' lag in the public's discovery of the monkey business, but once people begin to reconcile their monthly statements, call centers will begin going berserk, bank branches will be flooded with confused, demanding patrons, and it will be impossible to answer everyone's questions. Staff capacity will simply be exceeded and all Hell will break loose.

Obviously, Earley has forgotten the carefully-groomed and fully-tamed American media which will dutifully promulgate whatever improbably-cheerful message the government and Wall Street see fit to feed it. You may not be able to reach your bank's call center, but the major papers and networks will be far ahead of the curve, offering the populace whatever soothing platitudes the nation's financial-sector flacks have prepared for just such an eventuality. Unless this attack can be coordinated with an effective communications infrastructure attack which would knock out national TV, I don't see it sowing panic. Earley's vagueness about the discovery time-line makes such tight coordination impractical at best.

Now we come to the magical, mysterious Internet, the very nexus of mass cyber-terror superstition. In this case the team assumes only $50 million to spend, four cells, and six months in which to plan.

Team member John Mazur recommended establishing a covert control network to undermine confidence in the Internet. This would make use of P2P applications, compromised VPNs and hijacked machines in enterprise networks. High-value targets might include media outlets through which malicious hackers could spread disinformation (or at least entertainment). Other handy targets would include NSPs, financial, power and enterprise networks, and corporate and government networks entrusted with sensitive information.

Member Paul Schmitz imagined four cells: a recon and intelligence cell (probing, mapping, scanning, enumerating); an architecture cell (owning remote machines), a disruption cell (playing Hell with data and DoS'ing), and a destruction cell (finally switching off the lights). It should be easy to turn insiders -- today, thanks to the incomprehensible greed and irresponsibility of the upper brass in several key companies like KPNQwest and WorldCom, there are now thousands of disgruntled and 'downsized' workers with the necessary skills, and motivation, to be of assistance.

Strategic targets would have to be chosen carefully. If all went well for the h4x0r dream-team, it might be possible to create cascading failures extending for a few days' time. This would involve router OS poisoning, ruining tables; system corruptions involving widespread Windoze blue screens, and finally disabling DNS servers so that what remains of the Internet would be difficult for ordinary users to exploit. To some extent this could be sustained by rapidly-changing attack methods; thus multiple-day attacks are feasible, if not probable.

To sum up, the Naval War College's Craig Koerner pointed to the need for "synergies" in making the attacks interoperable, hence feasible. For example, the group would likely attack the Internet last to preserve it for other, continuing attacks. He pointed out that while local attacks are possible, it's virtually impossible to bring off any lasting, nationwide horror. The stereotypical scenario of a crew of hackers bringing down the national infrastructure is quite ludicrous, despite the apparently perjured testimony before numerous Congressional Committees of Michael Vatis, Louis Freeh, Richard Clarke, John Tritak, Ron Dick, Scott Charney, and Mudge.

But you already knew that. ®