The aim of this simulation was to understand the impacts of a cyber attack and assess infrastructure capability during such an incident. There are many articles explaining the motive and results of this simulation, and the post-mortem is still coming in as we speak.
So, what did the simulation entail? It depicted a war game taking place in 2011 – basically an application installed on smart phones during ‘March Madness’ that turned out to be malware. This hypothetical malware affected telecom and IT infrastructure throughout the country, ultimately bringing down the nation’s cellular network... but there is more. According to an article from ‘The Atlantic Wire’:
“Later, two bombs disabled the country's electricity network and destroyed gas pipelines... Soon 60 million cellphones were dead. The Internet crashed, finance and commerce collapsed, and most of the nation's electric grid went dark. White House aides discussed putting the Army in American cities.”
Also, according to an article from DarkReading:
“During the exercise, a server hosting the attack appeared to be based in Russia,” said one report. “However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event.”
You might be thinking that it’s a pretty scary picture. Well yes, but again, it’s a simulation. What is more important is to understand how we would tackle such a scenario.
Many critics argue that this simulation showed a clear inability to identify the source of this attack and, therefore, an inability to take immediate action. Cyber attacks are not new; they have existed since the advent of the Internet. And there is plenty of evidence to show that attacks are being launched continuously from internal and external sources. What's new here is this wave of making our critical infrastructure, such as utilities, healthcare, government services, education, and transportation, more IT enabled or ‘Smart’. Smart infrastructure poses new risks and threats, the majority of which are not even identified yet.
This simulation serves as a wakeup call, and it serves to enlighten our government officials that cyber security needs to be taken seriously. We need a better risk assessment approach as a proactive measure, but we also need architecture that mitigates these attacks when they happen. To drive this, multiple constituencies must come to the drawing board in the early phases of smart infrastructure deployments.
There are many folks that need to get involved in this ecosystem, including government officials and CIOs of infrastructure companies (utilities, telecom, etc.). The private sector faces these types of security concerns regularly. There is a lot to be learned from financial, manufacturing, and retail environments. To a large extent, they also have sophisticated security and risk management techniques and technologies, with components spanning physical hardware, software, and communication infrastructure.
We’re still at an early phase of figuring this out…however, there is strong momentum at the White House as well as in security communities at large to acknowledge the importance of cyber security and collaborate to address it.
One last thing: be careful installing applications during March Madness on your smart phone :) ...
As always, I’d love to hear your thoughts about this and any insight you have.
Posted by Usman Sindhu