Last night I saw something I never thought I’d see, a televised war game. Last week a DC think tank, The Bipartisan Policy Center, staged a war game with former members of government simulating the President’s staff dealing with a massive cyber attack against the United States. CNN taped it and is televising it this weekend. Critics are screaming “propaganda” and saying the scenario is unrealistic. Even CNN published something they called, “Fact Check: Cyberattack threat”, which concluded: “While many experts agree that the risk of a cyberattack against the United States is real, there is no consensus as to how likely that attack might be”. The fact is the United States is under cyberattack and has been for some time which is why as reported in my blog last week, the Director of National Intelligence made it his first topic in his annual threat assessment report to Congress.
Before I go on, I’d like to address the critics who are screaming “propaganda” by giving a little background on the purpose of war gaming. War games are widely used in government circles to examine national security threats. The purpose is to identify what threats are out there and determine if plans, policies, and procedures you develop can counter it. Generally speaking they are usually highly classified which is why many in the public are not aware of it. I’ve noticed since 9/11, both the government and the military have been much more forthcoming about these efforts.
To illustrate, I’ll give a couple of examples. Prominently displayed in the hall of the war gaming center at the Naval War College is a letter by Admiral Chester Nimitz, commander of U.S. Naval Forces during World War II. Basically, the letter states that a major reason the U.S. was able to prevail against overwhelming odds and beat the Japanese was because they had conducted extensive war games during the 1930’s simulating a war with Japan. Nimitz said nothing the Japanese military did was a surprise except the Kamikaze attacks.
For a more recent example, I’ll turn to United States Central Command (Centcom), currently in charge of the wars in Iraq and Afghanistan. As found in their official command history, in 1988, General Norman Schwarzkopf became commander. Typically in a military command, the purpose of a war game is to test out your existing or proposed war plans. When General Schwarzkopf got to Centcom the existing war plan involved a war against Soviet Union forces trying to seize oil fields in Iran. The General believed this scenario was unrealistic and instead “began to plan for what he thought was a far more likely situation: Iraq, emerging from eight years of war against Iran with the world’s fourth-largest and most battle-hardened army, moving south to capture the rich oil fields”.
General Schwarzkopf tested this strategy out in July – August 1990 in the war game Internal Look. Centcom’s official history goes on to state: “As the exercise unfolded, he noticed that the real-world movements of Iraq’s air and ground forces eerily paralleled the scripted scenario of the war game”. For most war games the intelligence staffs of an organization’s command are responsible for both developing the game scenario and simulating control of enemy forces. I mention this because many critics site Iraq’s invasion of Kuwait when listing intelligence failures. Apparently some parts of the intelligence community predicted it, maybe not the exact timing but as a likely scenario in the region.
That said back to the Cybershock War Game. I thought the participants did an excellent job and raised many issues that need to be solved if we are going to win the cyber war. First issue that jumped out at me is what constitutes an act of war in cyberspace? Prof. Pauline Reich, of Waseda University in Tokyo has written an excellent article in the most recent edition of International Affairs Forum on the 2007 cyberattack against Estonia. According to the article that nation was the first in history “to experience cyber attacks that shut down its critical infrastructure”. The attacks were suspected to have been instigated by Russia. Since Estonia is a member of NATO with its “an attack on one of us is an attack on all” mentality, this incident caused much head scratching and “say what?” responses in defense circles. As highlighted in Cybershock, just because an incident seems to be originating from one location doesn’t mean that’s really the place its coming from. You also will have a hard time determining if its state sponsored or not. It could be cyber criminals or terrorists.
The second issue that grabbed me was the challenge of coordinating a cyber response against an incident that effects the government and the public and private sectors. Apparently existing plans are not up to the task. This isn’t something the participants made up. Presidential administrations going back at least to President Clinton have been working the issue. The current administration has established the position of “Cyber Czar” and a couple of weeks ago the House passed a bill aimed at improving the nation’s cyber defense. Cyber experts both within and outside of government circles still say these efforts fall short of what’s needed.
The last thing that jumped out at me was the need to have laws in place to deal with cyber threats. Existing laws can tie the government hands in a fast moving cyber event. In my opinion there needs to be an emergency plan agreed upon by government and the public and private sectors that in certain situations, certain actions will be taken. I for one would rather have the government temporally shut down my cell phone and/or internet access while they isolate and solve a problem than have my bank account be drained or have my entire computer data base trashed.
One more example and I’ll get back to laying on my couch watching the Olympic Games. In 2000, the “I Love You” virus hit and affected millions of computers. At the time my job was developing the intelligence architecture for cyber warfare. In layman’s parlance that meant working with the Department of Defense and intelligence community to put in place policies and procedures of how the intelligence community would support this new form of warfare.
As the virus was doing its thing, my Boss called me in. Apparently the President had called the senior military intelligence guy and asked if military computers had been affected by the virus. He was not happy. I think it’s reasonable for the Commander-in-Chief to want to know if his military has been disabled. As I recall my Boss told me the President had been put on hold for 30 minutes and still did not get an answer. There was no plan in place to get a quick answer to his question. Some poor soul was stuck with calling up every government and DoD organization to get an answer. Very time consuming. I was told to fly overnight to Washington DC and fix the problem. I was lucky because as part of work on intelligence architecture the DoD and intelligence community had a working group in place that was working on these and other reporting issues. We were able to come up with a solution accepted by all in just a day.
Well that’s it for now. As promised in last week’s blog, I will finish covering highlights of the Annual Intelligence Threat Estimate and will also comment on the latest reports on Iran’s nuclear efforts in future blogs….just not today. The Olympics are calling me. As always my thoughts are my own.
