August 1, 2008  

Playing for keeps

Computers have permeated everyday life, making even the smallest task quicker and more efficient. The problem is that the efficiencies created by computers are eroding our resilience, our ability to rebound from technological disruptions. To counter this, the U.S. military needs to lead more war-game cyber security exercises, not only across the services, but also together with the federal civilian government, critical infrastructure industry sectors and allies.

Just as the Internet is a network of networks, the world has become a system of systems, in which computers have made everyone interconnected and dependent on each other. We see it in the air when a plane is handed off from one control tower to the next; on land, where electricity comes at the flip of a switch; and in the water, where fiber-optic cables on the sea floor deliver communications from one country to another. Our adversaries see these same capabilities, but they see them as our vulnerabilities. The military is the offensive team for cyber warfare, and it’s important to have both a good offense and a good defense.

One of the most unsettling aspects of cyber warfare lies in the ability it affords perpetrators to conduct operations from anywhere a computer can be linked to a network. Thus, the battlefield is constantly shifting, and attacks can be launched from virtually anywhere. And as efforts to defend against cyber attacks have expanded in scope and effectiveness, hackers have broadened their efforts.

A recent, unsuccessful cyber attack was highlighted in a BusinessWeek article, “The New E-spionage Threat.” The article discussed an e-mail message sent to my employer, defense contractor Booz Allen Hamilton. Although the attack failed, what made the e-mail unusual was that the perpetrator used publicly available documents to uncover the names of military officials and contractors who would, or could, have working relationships. The attacker went so far as to ensure that the Booz Allen vice president and the Pentagon employee whose e-mail address was spoofed worked in similar lines of business, increasing the likelihood that the malicious message would be opened and the attack would succeed.

Specifically, the Booz Allen vice president whose name was lifted by the attackers is a defense acquisition specialist who advises the Defense Department on requests from foreign governments to purchase U.S.-made weaponry. The spoofed e-mail, which outlined a list of military equipment that India supposedly wanted to buy, did not seem out of the ordinary. However, had my colleague clicked on the links embedded in the e-mail, sensitive information could have been placed in jeopardy. Fortunately, the ploy didn’t work and Booz Allen’s networks were not breached. The e-mails were traced to a small Chinese server host. The Chinese government has denied knowledge of the e-mails.
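The e-mail described above relied on a forged sender and on links whose visible text did not match where they actually pointed. The script below is an added example, not code from the article or from Booz Allen, showing the mechanical checks a mail gateway or analyst can run on such a message: does the envelope sender (Return-Path) and Message-ID domain agree with the From: domain, does each link’s visible text name the same host as its href, and does any link go to a bare IP address. Both messages, every address, host and URL in it are constructed for illustration and refer to no real person or server; the checks are heuristics, not a substitute for SPF/DKIM verification at the receiving mail server.

```python
"""Heuristic header and link checks for a spoofed spear-phishing e-mail.

Added example, not code from the original article or from Booz Allen.
The messages, addresses, hosts and URLs below are constructed for
illustration and do not refer to any real person, host or incident.
"""
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From: claims a sender at "osd.example", but the
# envelope sender (Return-Path) and Message-ID come from an unrelated relay,
# and the link's visible text advertises a different host than its href.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
  by mx.contractor.example with ESMTP; Fri, 1 Aug 2008 09:12:33 -0400
Message-ID: <20080801091233.1234@mail-relay.example.net>
From: "J. Smith (OSD)" <j.smith@osd.example>
To: vp@contractor.example
Subject: FMS request - equipment list
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please review the list of equipment requested and confirm by Friday.</p>
<p><a href="http://203.0.113.7/docs/equipment-list">
https://www.osd.example/fms/equipment-list</a></p>
</body></html>
"""

# Constructed sample with consistent headers and an honest link.
CLEAN_MESSAGE = """\
Return-Path: <j.smith@osd.example>
Message-ID: <20080801101500.5678@osd.example>
From: "J. Smith (OSD)" <j.smith@osd.example>
To: vp@contractor.example
Subject: meeting notes
Content-Type: text/html; charset=us-ascii

<html><body><p>Notes: <a href="https://www.osd.example/notes">
https://www.osd.example/notes</a></p></body></html>
"""


def _domain(addr: str) -> str:
    """Domain part of an address such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_spoofing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg["From"] or ""))

    # 1. Envelope sender (Return-Path) should match the claimed From: domain.
    return_path = _domain(str(msg["Return-Path"] or ""))
    if return_path and return_path != from_domain:
        findings.append(f"envelope sender domain {return_path!r} differs from From: domain {from_domain!r}")

    # 2. Message-ID is normally generated by the sender's own mail system.
    msgid_domain = str(msg["Message-ID"] or "").strip("<> ").rpartition("@")[2].lower()
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain!r} differs from From: domain {from_domain!r}")

    # 3. Links: visible URL text must agree with the href; bare IPs are suspect.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
            if _is_ip(href_host):
                findings.append(f"link href uses bare IP address {href_host!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, find_spoofing_indicators(raw) or ["no indicators"])
```

On the constructed spoofed message the function reports four findings (envelope and Message-ID mismatches, the link text/href mismatch and the bare-IP link); on the clean message it reports none. In a real deployment the same logic would sit behind authentication results rather than replace them, since a legitimate sender using a third-party relay can also trip the Return-Path check.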

Booz Allen and the Defense Department are not the only targets of cyber attacks. Nearly all major defense contractors, including Boeing, Lockheed Martin and Northrop Grumman, as well as many foreign governments, have seen increased attacks against their networks.

And the attacks do not target just U.S. interests. One of the largest and most publicized cyber wars we’ve seen to date was waged against Estonia in 2007. For more than two weeks, distributed denial of service (DDoS) attacks were directed against the country’s government, police, financial and other critical Web sites, with dramatic results. The attacks were so successful that Estonia’s network infrastructure was near collapse, and the targeted sites had to be shut down for extended periods to stem the attacks, affecting communications across all of Estonia’s industries. Estonia, like many other countries, built its network infrastructure on a small base of computers, making an attack of this kind all the more damaging.

Although the effect of the attacks was clear, their source was not. Suspicions that the Russian government was involved arose almost immediately. In the weeks leading up to the cyber attacks, a Soviet-era war monument had been moved from Estonia’s capital to an outlying military cemetery, apparently causing considerable offense within the former USSR. Using electronic fingerprinting, Estonia was able to trace the attacks to a series of computers, including some within the Russian government. Although the attacks were mitigated, experts were not able to verify their origin: whether they were indeed directed by the Russian government, whether they simply originated from computers in Russia, or whether they came from a botnet of infected machines programmed to execute DDoS attacks against the Web sites. The Russian government has denied involvement in the incident. Even so, the facts are simple: the world community, including governments and the military, will continue to depend on computers and the intertwined network infrastructure that connects them. As a result, the military, together with the greater community, must plan and prepare for cyber warfare.


Today, it can seem as if every time a computer is turned on, yet another update or new patch needs to be installed. It’s a tedious task, but these updates are a basic defense against a variety of cyber attacks. The trouble with depending solely on technology updates, however, is that many come too late. Instead, a two-pronged approach is needed to plan and prepare for a cyber attack: one prong focused on technology and one on war-gaming. Planning for a cyber attack and its likely outcomes using war-gaming, as is done for military engagements, offers new levels of protection and represents a critical step forward in preparedness. Yes, the concept of war-gaming a cyber attack may seem strange to those who’ve sat around a table war-gaming a battle scenario, a tangible fight with a tangible location. Nonetheless, a war game is not just an exercise for the physical fight; it’s an opportunity to improve preparedness, whatever the parameters.

War-gaming is a structured cognitive exercise built around a plausible scenario, which in turn allows people to explore the implications of complex issues based on models of behavior. In cyber warfare, just as in combat, the adversary chooses which battleground to target, and it’s up to commanders to decide how to address the assault. To truly explore all potential outcomes and to get the best results from war-gaming, teams of people with varying skill sets need to be in the room together.

A cyber war game should include not only those well-versed in information technology, but also a diverse range of involved parties, regardless of their technical knowledge.

Bob White, a war-gaming expert at Booz Allen, said, “War-gaming is a good way to get at things that you don’t understand and can’t quantify. The key data that comes out of war-gaming is qualitative. It depends on the intelligence, skill and quick thinking of people. Technology can be modeled, but people’s reactions, perceptions and creativity under stress cannot.”

War games need to be conducted by people. Computers are great, but they cannot mimic the ingenuity of the human mind. An essential element of war-gaming is competition: one side prevails and one side does not. People’s competitiveness can inspire them to new heights. Computers are good for efficiencies such as visualizing material and doing complex calculations, but they are not effective war-gamers.

In the attacks on Estonia, some of the heavily targeted Web sites were government, financial, media and police sites. From a military perspective, these targets were textbook because they hit at the country’s core command and control, communications and morale. At the time, these sectors were seen as linked, but it was not fully appreciated how linked they truly were until the attacks occurred. Computers would not have been able to piece together the strategy behind these attacks; they would have been able only to execute them. This underlying connectedness is why, during military and government war-gaming scenarios, private industry needs to be considered, if not included, in the exercises. An attack as crippling as this one would be more difficult to execute in the U.S., but it could also be more damaging.


There have been a slew of movies in which terrorists take over both government and industry networks. Perhaps the most memorable celluloid cyber attack was depicted in “Live Free or Die Hard,” in which terrorists use coordinated cyber attacks to hijack the nation’s power grid, with chaos ensuing. The scenario may seem implausible, but Government Accountability Office statistics reveal that 85 percent of U.S. critical infrastructure is owned and operated by the private sector.

Although privatization has its merits, we also must recognize that if these critical assets are not properly protected and safeguarded against cyber attacks, we have a big problem. The Department of Homeland Security (DHS) recognizes the large-scale effects of cyber warfare on the U.S. and has conducted two comprehensive cyber security exercises, aptly named Cyber Storm. In March 2008, DHS conducted the second of these, the Cyber Storm II National Cyber Exercise. According to DHS, the exercise, which simulated a large-scale cyber attack, was conducted to assess communications, coordination and partnerships across critical infrastructure sectors including chemical, IT, communications and transportation. Participants came from five countries, nine states, 11 Cabinet-level agencies, including the Defense Department, and more than 40 private-sector companies.

Private-sector involvement in government and military exercises is not unprecedented, but traditionally participation has been limited to government personnel, often to those within a single agency. Fortunately, key government officials have begun to realize that planning and preparing for an attack necessitates both cross-agency and cross-industry participation. In Cyber Storm, planners worked with each organization and sector to refine the objectives for the exercise.

In the end, the main objectives included an examination of organizations’ capabilities to prepare for, protect against and respond to cyber attacks; strategic decision-making and interagency coordination of incident response; validation of information-sharing among agencies and organizations for response and recovery; and finally, an examination of the processes for sharing sensitive information without compromising national security. Although the hot wash is still underway, several lessons emerged immediately during and after the exercise:

• Hands down, the participants agreed on the importance of having established relationships within the cyber-security, emergency-response and homeland-security communities.

• They realized that cyber events affect more than just the Web and the Internet. Participants found that not only were networks affected, there also were implications for physical operations.

• By war-gaming a diverse range of possibilities, the participating organizations saw not only what could happen, but also what was needed to blunt cyber warfare assaults. Such large-scale cyber exercises also would greatly benefit the military.

• DHS and the U.S. military have different missions, different capabilities and different sensitivities. Participating in this exercise is a must for the military, but a military-led exercise that addresses its unique needs is essential. Cyber attacks are not going to stop. If anything, they are becoming more insidious by the day.

In its annual report to Congress on China’s military power, the Defense Department highlighted the increased number of cyber attacks from China, with or without the knowledge or consent of the government. Interestingly, the attacks have been consistent with the People’s Liberation Army’s doctrine describing technology attacks: “[The] application of non-nuclear high technologies can bring about strategic effects similar to that of nuclear weapons, and at the same time, it can avoid the great political risk possibly caused by transgressing the nuclear threshold.”

“I think that we should start to consider that regret factors associated with a cyber attack could, in fact, be in the magnitude of a weapon of mass destruction,” said Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff. His comment in the 2007 Report to Congress of the U.S.-China Economic and Security Review Commission sheds light on the magnitude of the damage cyber attacks could cause.

To underscore Gen. Cartwright’s point, two little-reported but highly important cyber incidents have recently come to light. In January 2008, the Central Intelligence Agency reported that cyber attacks had caused power outages in multiple regions outside the U.S. Although the CIA did not specify which countries were affected, the point is that attackers were able to launch effective attacks against nations’ power grids.

As an example of the effect of a power outage in the U.S., consider the 2003 outage along the Northeastern seaboard into New York, Ohio and Michigan. Roughly 50 million people in the U.S. and Canada were without power. Water supplies were affected because the states use electric pumps to filter water. Subways in New York were stopped, stranding hundreds of thousands of people. A cyber attack was ruled out as the cause; instead, a few small problems cascaded into a significantly damaging event. The power grids have become so interconnected that a transmission problem in one area caused an extensive regional outage.

Cyber warfare against our critical infrastructure could cause these same effects, only on a broader and more damaging scale. Much critical infrastructure is controlled by supervisory control and data acquisition (SCADA) systems. SCADA usually refers to a centralized system that monitors and controls an entire site or, as in the blackout example above, complexes of systems spread across large areas. The devices controlled by SCADA can include power generators, water treatment plants and traffic signals. Site-level control in SCADA systems is performed automatically by remote terminal units; however, the system can be overridden by human intervention.

A second cyber incident was of the United States’ own doing. DHS researchers at the Energy Department’s Idaho National Laboratory tested a facility generator by launching a cyber attack across its control system. The researchers hacked into a replica of the power plant’s control system and changed its operating parameters. The attack caused the generator to destroy itself.

Changes are being made to the software and hardware of such systems, but adding to the vulnerability is the fact that many of them are manufactured and used around the world. Schematics of a control system may be easily obtained by people at the manufacturing plants, which makes securing these types of control systems even more critical.

It is crucial that the U.S. military plan and prepare for the growing threat of cyber warfare. A recent Air Force Cyber Command Joint Expeditionary Force Experiment that tested network warfare was a step in the right direction, but war-gaming gives the military a way both to plan for what may happen and to consider what actions might be taken and how to execute them.

By leading a war game for cyber warfare and by including all of the relevant agencies and industries, the military will gain a more comprehensive understanding of its own capabilities and those of its adversaries.

Mike McConnell, the director of national intelligence, said: “As government, private sector and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture and service of information technology has moved overseas, our vulnerabilities will continue to grow.”

There is no time like the present for the military to capitalize on the information gained from war-gaming.

MARK HERMAN is a vice president at Booz Allen Hamilton, where he leads its modeling, simulation and war-gaming work, and a lecturer at the Naval War College.