A simulation of a widespread cyberattack against the nation's critical infrastructure on Tuesday demonstrated the cascading effects an attack can have on networks and the difficulty the government would have in quickly responding, including dealing with civil liberties and how to work with corporations.
The Bipartisan Policy Center, a nonprofit group founded in 2007 by former senate majority leaders, staged Cyber Shockwave, a fictional cyberattack that first targeted wireless telecommunications networks.
According to the scenario, an unknown individual or group sent a virus embedded in an NCAA March Madness Basketball bracket application to smart phones. When downloaded, the application installed spyware on the device, which logged the users' typed keystrokes, and intercepted e-mail and text messages.
Infected devices were then used as zombie computers in a botnet attack, circulating a video clip of Russia's Red Army to all individuals in their directories. As bandwidth was overwhelmed, millions of infected cell phones were shut down, the Internet slowed to a crawl and portions of the electric grid shut down as cyberattackers targeted a fictitious Web application electric utilities use to exchange bulk power service according to demand. Transportation systems, the Stock Exchange and financial institutions also were affected as networks failed.
During the exercise, former federal officials were assigned key positions in the executive branch of government to discuss policies and how to respond. The panel included John Negroponte, President George W. Bush's former director of national intelligence, who acted as secretary of State; former White House homeland security adviser Fran Townsend acting as the secretary of the Homeland Security Department; former DHS Secretary Michael Chertoff who played the role of national security adviser and the moderator of the discussion. The exercise highlighted the government's lack of policies to guide a response to a widespread cyberattack.
"A lot of our attention ought to be focused on the ability to quarantine this problem before it spreads," which often requires regulation of the private sector because it controls as much as 85 percent of the computer networks, said Stephen Friedman, Bush's former director of the National Economic Council, who played the role of Treasury Department secretary.
Among the questions panelists discussed was whether the federal government could declare a crippling cyberattack as an act of war if it could not determine who was behind the attack. Even if it could attribute the cause, the panel discussed whether the administration had the authority to initiate extraordinary measures such as demanding telecommunications companies and Internet service providers shut down service to customers, dictating how power companies should prioritize electricity in case of regional outages, and demanding other nations to cooperate in investigations.
"The risk of second-guessing is not that [people will say] you did too much," but that the federal government did not address the crisis, said Stewart Baker, general counsel of the National Security Agency during the Clinton administration, who acted as cyber coordinator for the exercise. He said the government needs authorities that are not as aggressive as imposing martial law.
Currently, the government has few authorities to respond to a cyberattack that takes down portions of the critical infrastructure, the panel noted.
"The president has no statutory authority in any of these situations, [and would have] to assert authority and make orders [and] ask retroactively for those authorities to be ratified," said Jamie Gorelick, Clinton's former deputy attorney general who acted as attorney general during the exercise. "[But] we don't just abandon the Constitution."