WASHINGTON -- In the event that a massive cyber attack on the U.S. takes out large swaths of critical infrastructure, such as telecommunications and power systems, government and military officials will be forced to make a litany of decisions that could have sweeping implications for individual privacy and private-sector control over targeted networks.
A panel of former senior officials explored that scenario Tuesday morning in a war-game simulation that imagined an emergency meeting of the National Security Council called to craft the administration's response to a cyber attack. According to the scenario, the attack originated as a mobile app containing self-replicating malware that initially overwhelmed wireless networks, then knocked out large portions of the Internet and wireline networks, disrupted the electrical supply and threatened to disable oil and gas pipelines.
Some of the choices that an administration could be pressed to make in such an event would be deeply unpopular and profoundly troubling to certain Internet policy advocates, and many would rest on nebulous legal authority.
"We can't ask. We're going to have to tell," said Michael Chertoff, the former secretary of homeland security who Tuesday play-acted in the role of national security advisor. "The bigger danger is not that we're going to offend people, but that we're going to be seen as ineffective."
The hypothetical attack that was the subject of Tuesday's simulation emerged in the form of a smartphone app called March Madness, purporting to offer an interactive game relating to the annual college basketball tournament. Once downloaded, the app transmitted itself to all of the contacts in a user's address book, flooding wireless networks and freezing cellular communications for much of the country. Before long, the app began spreading across social networks, eventually cascading to the wider Internet and wreaking havoc on IP-enabled components of U.S. infrastructure.
In the imagined scenario, researchers had developed a patch for the March Madness worm, but many mobile phone users didn't heed the warning because they hadn't downloaded the app, so the malware continued to spread through people's contact lists. So what could the government do?
"We don't have the authority in this nation as a government to quarantine people's cell phones," said Jamie Gorelick, the deputy attorney general in the Clinton administration who stood in as attorney general in this morning's simulation. In a meeting of the National Security Council, the attorney general's role is to advise the administration's officials of their legal authority to respond to an event such as the simulated cyber attack, authority that is undercut by private ownership of the networks and a scant body of precedent.
"We are operating in a bit of uncharted territory," Gorelick said. "[The President] has almost no statutory authority in any of these areas."
Gorelick's warning came as unwelcome news for officials urging a quick and decisive response.
"I am actually shocked to find that we don't have the authority. If this was someone with smallpox wandering through the Super Bowl we would have the authority to quarantine," said Stewart Baker, the former general counsel at the National Security Agency who played the role of cyber coordinator, a new position Obama established to harmonize federal cybersecurity efforts.
At the heart of the dilemma administration officials would face in the event of a major cyber attack is the extent of government authority to intervene in the private sector, which owns roughly 85 percent of the nation's digital infrastructure. In the simulation, Baker and others advocated an aggressive government approach that would lean on ISPs to shut down or quarantine the affected parts of their networks.
"This is a regulated industry," Baker said, referring to the authority of the Federal Communications Commission (FCC). "We can take these authorities and tell them what they need to do to get this worm out of our system."
Following the simulation, which was hosted by the Bipartisan Policy Center think tank, several of the former officials stepped out of their roles and voiced concern that Congress hasn't produced legislation outlining executive authority in the face of a cyber attack.
It's not for lack of trying. Last April, Sens. John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) introduced a bill that aimed to address many of the legal uncertainties highlighted by Tuesday's exercise, including a provision that would give the President sweeping authority over private networks in the event of a so-called "cyber emergency."
The bill quickly became a magnet for controversy, both for the cyber-emergency language and provisions that would authorize the Department of Commerce to supersede existing privacy laws to collect network-transmission data related to an attack.
Tuesday's cyber war game laid bare the friction between national security and privacy that flared up in dramatic fashion when AT&T (NYSE: T) and other providers cooperated with the National Security Agency in its domestic surveillance program. Civil liberties groups including the Electronic Frontier Foundation leapt on the issue, orchestrating litigation against the government and AT&T in a public relations fiasco that network operators would not likely be eager to repeat by undertaking a secret partnership with the government in the name of cybersecurity.
"The structure of our laws today is that unless you can show that the action you're taking is properly authorized by the government, you're open to lawsuits," Gorelick said. "They're going to want, as a practical matter, a certification from the highest levels of government."
As another practical matter, she recommended that the President send a clear message to the public that privacy could be a casualty of a major cyber attack, such as the one described Tuesday.
"I am suggesting that we tell people preemptively that their expectation of privacy is not what it was," Gorelick said during the simulation.
Obama has elevated cybersecurity to a high policy priority from the early days of his administration, commissioning a thorough review of the government's approach to the issue, which culminated in a White House address last May laying out the findings and announcing plans to create the cyber coordinator position, a role that was finally filled in December. But in that speech, Obama vowed that the defense of security and economic vitality in the face of cyber threats would not come at the expense of individual privacy or civil liberties. He also reiterated his support for network neutrality, another sacred cow that the officials at Tuesday's simulation said might be at risk when ISPs need to scrutinize data at the packet level to filter malicious traffic.
"This is a time when net neutrality is not your friend," said Fran Townsend, who had served as the homeland security advisor to President George W. Bush and who played the role of secretary of homeland security in Tuesday's practice run. "To the extent that there's net neutrality, that should be lifted."
The government's response mechanisms to a cyber attack are further complicated when the threat emanates from a foreign nation, as so many do. In the case of the simulated March Madness attack, the malicious activity was traced to servers in the Russian city of Irkutsk, but then a later intelligence report identified the individual perpetrating the attack as based in Sudan.
Foreign-based attacks, such as the recent assault on Google (NASDAQ: GOOG) and, reportedly, more than two dozen other companies by hackers allegedly based in China, raise the diplomatic stakes in U.S. cybersecurity policy. It is often impossible to determine whether the perpetrator of an attack is a lone-wolf hacker, an organization with an axe to grind, a state-sponsored group or a government operation. For instance, the connections between the hackers who disabled much of Georgia's digital infrastructure in the summer of 2008 and the Russian government, though extensive, remain unclear.
"Attribution is one of the hardest issues to deal with," said John Negroponte, who most recently served as deputy secretary of state under Bush, and played the role of secretary of state in the simulation. "We have to find a way of elevating the issues of cybersecurity and cyber attacks into our international discourse."