
Crisis Simulation

February 27, 2013

This past weekend we held the annual Patterson School Crisis Simulation. This year’s topic was cyber-warfare; I have a long writeup at Information Dissemination, and a shorter writeup at the Diplomat:

Coincidentally, my institution (the Patterson School of Diplomacy and International Commerce) ran a simulation last week on a cyber attack against U.S. defense contractors.  Although the simulation abstracted a great deal from reality, it nevertheless provided some policy lessons.  The attackers in our simulation (representing a Russian criminal organization rather than the PLA) shied away from directly assaulting U.S. government institutions, instead focusing their efforts on a law firm associated with several contractors.  The attackers hoped to gain access to intellectual property, including patent applications and trade secret information, as well as patterns of communication between the firm, the government, and the contractors.

In our simulation, the attackers substantially succeeded in most of their goals, although they did run into some difficulty selling the information. The most important lesson we learned is that poor communication between government and private organizations can doom cyber-defense efforts.  In our case, the law firm only reluctantly relayed its concerns about a breach to the government and to its clients, leaving the attackers with ample time to conduct their theft. This reluctance was hardly irrational; the perception that secrets could be at risk would prove devastating to the firm’s business prospects. Although our simulation did not subdivide the U.S. government (by creating different teams for different departments), similar dynamics surely complicate interagency responses to cyber-attacks.

 

 


Comments (8)


  1. Shakezula says:

    Very interesting. I wonder if denial and embarrassment also factor into the reluctance to report. This happens when health care orgs suffer a breach.

  2. Murc says:

    You know, I work for a company that controls information that, while proprietary, is nowhere close to the level of ‘military secrets.’

    Know where we keep it? In a locked room full of filing cabinets with a single computer that isn’t on a network. There are two backup locations where such information is duplicated.

    Getting access to it requires actually breaching the building. This could probably be easily done by a small determined group of people with guns, crowbars, and a jury-rigged ram, but there’d have been no doubt such a theft OCCURRED.

    • Robert Farley says:

      Murc,

      A pretty casual glance at pretty much any of the cyber-security literature suggests that this level of security is not enjoyed/employed by all/most firms with valuable intellectual property.

      • njorl says:

        Indeed. It would be safer still to simply destroy all of the documents.

        • njorl says:

          OT (but, surprisingly, only slightly), I always thought the thief in “The Purloined Letter” should have destroyed the letter. Once it became known that he had the letter, and that he could use it to blackmail its owner, he no longer needed to risk having it be found.

      • Murc says:

        Oh, I’m well aware.

        It still constantly surprises me. Cyber-security is neither particularly difficult (compared to other forms of security, at least) nor is it necessarily all that expensive. It CAN dramatically impact ease of use in an era when people are increasingly accustomed to being able to get any document or piece of information they want emailed to them or dumped onto a network drive, but, you know. Tradeoffs.

  3. njorl says:

    …they did run into some difficulty selling the information.

    I’m curious about how this came about.

    I have always thought, for black market situations where there are very few buyers, you can create many more “narcs” than legitimate dealers. It’s easy to buy drugs because there are a lot more drug dealers than narcs. The same is not true for things like fissile material or state secrets. We can create a whole lot of fake buyers.

    However, for specific information like this, for counter intelligence to create fake buyers, they’d have to know what information was compromised.

  4. Lunatic says:

    A cyber attack is an act of war that should be countered as such. Prepare the ICBMs
