This past weekend we held the annual Patterson School Crisis Simulation. This year’s topic was cyber-warfare; I have a long writeup at Information Dissemination, and a shorter writeup at the Diplomat:
Coincidentally, my institution (the Patterson School of Diplomacy and International Commerce) ran a simulation last week on a cyber attack against U.S. defense contractors. Although the simulation abstracted a great deal from reality, it nevertheless provided some policy lessons. The attackers in our simulation (representing a Russian criminal organization rather than the PLA) shied away from directly assaulting U.S. government institutions, instead focusing their efforts on a law firm associated with several contractors. The attackers hoped to gain access to intellectual property, including patent applications and trade secret information, as well as patterns of communication between the firm, the government, and the contractors.
In our simulation, the attackers substantially succeeded in most of their goals, although they did run into some difficulty selling the information. The most important lesson we learned is that poor communication between government and private organizations can doom cyber-defense efforts. In our case, the law firm only reluctantly relayed its concerns about a breach to the government and to its clients, leaving the attackers with ample time to conduct their theft. This reluctance was hardly irrational; the perception that secrets could be at risk would prove devastating to the firm’s business prospects. Although our simulation did not subdivide the U.S. government (by creating different teams for different departments), similar dynamics surely complicate interagency responses to cyber-attacks.