Cyber Attacks on Critical Infrastructure: Insights from War Gaming
An April 2017 issue of The Economist headlined with the dire warning: “Computers will never be safe.” The headline seems especially prescient given the last few months, as reports of major cyber attacks have flooded international media. From Wannacry, Petya, and attacks on Ukrainian infrastructure to reports of Russian hacking attempts on U.S. nuclear reactors and electoral hacking, cyber vulnerabilities are outpacing our ability to defend against malicious cyber threats.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team says it has never seen so many successful exploitation attempts on the control system layer of industrial systems. That means hackers are increasingly infiltrating the networks of major industrial operations all the way down to the sensors and systems that manage our digitized worlds. Major U.S. infrastructures — electric grids, dams, wastewater, and critical manufacturing — are vulnerable to physical damage from cyber attack.
This has created a unique national security problem for the United States. For the first time in modern American history, a prolific set of adversaries can target the homeland with little warning and at low cost. This creates a soft-underbelly target for state and non-state actors motivated by greed, opportunism, radical beliefs, or good old-fashioned state coercion.
To make the problem more complicated (and more dangerous), many of these critical infrastructure industries support — directly or indirectly — U.S. military operations. Civilian energy sources often supply military bases and ports. Service members’ livelihoods reside in private banking institutions, and food is sourced from private-sector companies. These dual-use critical infrastructure sectors could be opportune first-strike targets for conventionally asymmetric adversaries looking to increase their chances of victory against U.S. conventional military forces in a crisis. How should the U.S. government use its limited resources to combat this novel threat to national security?
Introduction to the Game
Over the last eight years, the United States has made significant strides towards tackling these cyber threats to civilian critical infrastructure by creating policies and capabilities that seek to deter and protect against cyber attacks. However, none of these attempts at safeguarding the civilian critical infrastructure sectors can succeed without understanding the role and preferences of civilian industry.
To better understand the private sector’s appetite for U.S. government resources against cyber attacks, earlier this month the U.S. Naval War College conducted the Navy-Private Sector Critical Infrastructure Wargame. The unclassified wargame included approximately 125 participants, including senior leaders from 15 critical infrastructure sectors, representatives from local emergency management and government, state governance, federal government, and subject matter experts from industry, academia, and government.
We designed this game to answer a primary research question: When do attacks against U.S. critical infrastructure rise to the level of national security threats? Secondarily, when do these national security threats warrant action by the Department of Defense and in what capacity?
We hypothesized that three variables would drive participants’ answers to our questions: the effect of the attack (virtual, physical damage, physical damage with loss of life, nuclear), the target of the attack (various critical infrastructure sectors), and the actor conducting the attack (state actor or non-state actor).
To test these hypotheses, we crafted two iterations of the wargame using a quasi-experimental method. The first, a state actor scenario, included 33 cyber attacks ranging in effect from virtual to nuclear across the 14 critical infrastructure sectors. We randomized the order of attacks to minimize the chance of bias towards escalation and submitted the attacks to players. The second day followed the same design but with a notional non-state actor.
Initial Game Analysis Takeaways
Our initial analysis of player surveys, wargame actions, and plenary discussions reveals a series of preliminary takeaways.
The Role of the Department of Defense. The primary role the private sector sought for the Department of Defense was to counter adversaries’ offensive cyber capabilities, not to augment private-sector network operations. This meant that, in general, there was little appetite for the Department of Defense to perform cyber defense or recovery operations on private-sector networks. In fact, of the almost 50 requests for government aid across both days, only seven were for support from the Department of Defense. Of those seven requests, four were for information sharing and the remaining three were for retaliation after a major cyber attack against the electric and nuclear sectors. While National Guard still played a significant role in conducting crisis management and cyber network defense at the local and state level, players from the private sector wanted to see the Department of Defense operate most proactively before major cyber attacks (deterrence and counter-cyber missions) and in retaliation across military domains after major attacks.
Thresholds for Action. The game introduced a spectrum of cyber attack effects, from loss of data and productivity to coordinated ransomware, major physical damage of infrastructure systems, loss of life, and nuclear fallout. We were interested in understanding when the players viewed cyber attacks as national security incidents—the threshold used in previous presidential orders for government action and potential retribution.
While players agreed that the monetary cost of many of these attacks was extraordinarily high (for example, the effect of the stock markets being closed), we could find no point at which economic effects triggered a perception of armed conflict or of a significant national security incident. We spent some time debating when the economic effect of cyber attacks might create a national security incident, but there was no similar debate about how much life needed to be lost to meet that threshold. The answer from all players — across private sector and government — was that cyber attacks that led to any loss of life were automatically national security incidents. While this may seem intuitive, it has significant ramifications for the prioritization of government resources for safeguarding, defending, and deterring attacks against critical infrastructure.
Importance of First Responders and Local/State Governance. A lot of work has been done to increase information sharing within the federal government and between federal agencies with specific sectors (see, for example, Presidential Policy Directive 41 and the Information Sharing and Analysis Centers). However, for any cyber attack that created physical effects, local responders were generally the first (and quite often the only) government aid requested to remediate the effects of these cyber attacks. This put an enormous onus of responsibility on local responders to not only remediate the effects of the attack, but also to provide information to national-level agencies for greater coordination. Additionally, dependence on emergency management at the local and state level as the first lines in cyber attack response means any attacks on police, fire, health, or environmental management will be especially dangerous and may make a routine cyber attack escalate quickly to a national security incident.
Stovepipes of Excellence + Complexity and Interdependence. Our wargame suggested that the most dangerous cyber attacks were those that caused cascading effects across sectors. Cross-sector dependencies on electricity, transportation, and wastewater systems made significant attacks on these sectors exponentially more deleterious than attacks on stand-alone sectors such as commercial facilities or the defense industrial base. Unfortunately, the complex interdependence of sectors makes these attacks not only the most likely to create catastrophic consequences, but also the least conducive to current information-sharing and crisis management techniques. While sector-specific Information Sharing and Analysis Centers may facilitate information sharing within a single sector, they may have the unintended consequence of creating stovepipes that impede our understanding of the effects of attacks across sectors. Our industry players called for more informal means of communicating across sectors and levels of government in order to solve these problems. This could include working groups of executives across industry sectors, advisory boards, and routine gatherings between government officials and the private sector about cyber vulnerabilities and dependencies.
Private Sector Hack Backs and Government Regulations. This game highlighted the comparative advantages of the private sector, local and state governance, and the federal government in responding to cyber attacks. Local and state players were the front line for response and crisis management, but were also probably the least resourced participants. Meanwhile, at the federal level, players were often unaware of how adversary attacks and government policies impacted private-sector operating procedures. They were, however, much more equipped to deal with adversary intentions and punishments. The federal players understood — or were at least equipped and prepared to deal with — the national security implications of all the other players’ actions.
In contrast, the private sector was keenly aware of how federal actions (for example, pushing a patch down to private sector systems to combat a known attack vector) impacted their systems, but was largely unaware of or agnostic about the potential national security implications of some of their own tactical-level decisions (i.e. hacking into adversary networks to cut off their ability to continue a cyber attack). This led to two serious debates — one about whether the private sector should have “hack back” authority and another about how much regulation and top-down prescriptions should come from the federal government to the private sector. We were unable to solve these major debates in our short time, but we recommend that further study examine these provocative, important issues.
One wargame cannot solve the complex problem of safeguarding critical infrastructure against cyber attacks, and our game may have created more questions than it did solutions. Over the next 60 days we plan to look more closely at these issues and proffer concrete recommendations for further research and policy development. However, in the meantime, this wargame highlights that the U.S. government — and in particular the Department of Defense — may need to think more about what it can do before attacks and to punish adversaries after attacks (and, therefore, less about defending or conducting recovery operations on industry networks).
Under both the Obama and Trump administrations, executive orders have called for more “deterrence” of cyber attacks on critical infrastructure. However, it is difficult to gauge how effective U.S. efforts at cyber deterrence have been so far. The success of deterrence depends on adversaries’ perceptions of how the United States will respond to cyber attacks, but current U.S. policies ambiguously threaten unspecified action for “significant” attacks on the various critical infrastructure sectors. That list of sectors (which does not include the electoral system) is so expansive that it becomes difficult to credibly threaten punishment. If everything matters, then adversaries may believe that nothing matters. Over the next few years, the Trump administration should think about making cyber deterrence policies more declaratory with a much more limited list of critical infrastructure sectors. Being clear about what we care about may enhance the credibility of punishment across domains and therefore bolster deterrence.
Additionally, the United States may be able to exercise counter-cyber actions to stem the tide of other cyber attacks not explicitly deterred through punishment policies. This could include offensive cyber operations against adversary cyber infrastructure, as well as economic sanctions, cross-domain military operations against cyber nodes (cutting cables?), diplomatic activities, or Department of Justice/FBI prosecutions. The Obama administration appeared to successfully employ these capabilities to reduce Chinese intellectual property theft. Similar campaigns that pair threats with counter-cyber activities could stymie significant cyber attacks (especially against known and sophisticated state actors). Our wargame indicated there is a greater appetite within the private sector for these type of actions that degrade adversary cyber capabilities prior to attack. During the Obama administration, policymakers seemed reluctant to use these kinds of operations because of concerns about escalation. However, the exponential rise in cyber attacks and exploitations on critical infrastructure vulnerabilities—along with the anecdotal evidence from our wargame—suggests that the risk of waiting to respond until after a major attack may be as dangerous to U.S. national security interests as the hypothetical risk of escalation. Future policymakers contemplating the use of cyber operations need to do a better job of understanding both sides of this risk equation to build more effective cyber policies.
Dr. Jacquelyn Schneider is an Assistant Professor at the U.S. Naval War College. Her work on national security, technology, and political psychology has appeared in Journal of Conflict Resolution, Strategic Studies Quarterly, Washington Post, Bulletin of Atomic Scientists, and War on the Rocks. The views presented here are hers alone and do not represent those of the Naval War College, the U.S. Navy, or the Department of Defense.
Image: Department of Energy