Amid the buzz in Washington about new North Korean nuclear threats, President Barack Obama late last week summoned 15 of America’s top financial leaders to the White House to discuss what his administration considers to be threats that are more pervasive, more persistent and less manageable ‑ cyber risks.
“The president scared the hell out of all of us, and we’re not easy to frighten,” said one member of the group, which included Goldman Sachs’s Lloyd C. Blankfein, JPMorgan Chase’s Jamie Dimon and Bank of America’s Brian T. Moynihan. “This isn’t like the nuclear threat, where it was really governments facing down governments. The American financial sector is a new battleground, and we’re going to have to invest millions of shareholders’ dollars to protect ourselves from what are essentially national actors.”
Unlike typical national security crises, the private sector controls most of the levers that can decisively resolve cyber conflicts. Government maintains overall responsibility for national cyber defense, yet it hasn’t haven’t developed doctrines of response. Officials remain too constrained by internal processes, competing interests and lack of experience in settling national security problems in collaboration with the private sector.
By coincidence, a few blocks down Pennsylvania Avenue from the White House meeting, a group of leading cyber strategists was engaged in a harrowing simulation that showed why Obama is so worried. It illustrated how quickly a cyber conflict could escalate in coming weeks were tensions with Iran over its nuclear weapons’ ambitions to heighten. The session, convened by the Atlantic Council (of which I am president) and the private company SAIC, demonstrated how government officials and the private sector often fail to communicate effectively or act collaboratively to address a national security threat they can only master together.
The simulation pivoted off the apparently Iranian “denial of service” cyber attacks on U.S. financial institutions earlier this year. Those followed attacks last summer by a group calling itself “The Cutting Sword of Justice,” again most likely of Iranian origin, that used malware to erase data on some 30,000 Saudi Aramco computers.
From there, the simulation escalated into fictitious, but plausible, territory, which media reports declared the “first, all-out cyber war.” These were set off by real-world incidents: a renewed wave of assassinations against Iranian nuclear scientists and Iranian officials toward the end of May 2013, and then an Iranian presidential election in June that produces a hard-line winner, a veteran of the Revolutionary Guard.
This new Iranian regime quickly declares before the United Nations that Iran will suffer no more humiliations at the hands of the Americans, Europeans and Israelis. It condemns sanctions, assassinations, the West’s Stuxnet cyber-attack on Iran’s nuclear centrifuges and other “outrages.” The Iranian Cyber Army (a patriotic hacker group that really does exist) announces a large-scale cyber operation to disrupt Western targets.
What follows, in the simulation, are greatly increased attacks on the U.S. finance sector, denial-of-service attacks and Web page defacement of government, commercial and critical infrastructure targets. Iranian groups rent massive “botnets,” widespread Internet-connected programs normally used by Russian organized crime, to join in the attacks. Pressured by extremist religious websites, hackers in many other countries participate, including groups associated with Hezbollah and Hamas.
War games are nothing new to Washington, but they are usually classified and conducted far from prying eyes. With a script written by former U.S. government officials involved in cybersecurity, and then acted out by former White House, Pentagon and intelligence officials, this filmed and on-record event was the stuff of Hollywood – and will be studied by government and business leaders alike.
One telling moment came when Dmitri Alperovitch, an information security specialist, complained that a White House official had threatened the fictitious company he was representing with criminal prosecution if it took the law into its own hands and conducted aggressive measures against the identified source of a cyber attack.
On the other hand, the government refused to take steps to help the company defend itself from the attacks. Purely defensive measures weren’t enough, as the attacker was always finding new targets and means. “We’ve been doing this for six months,” Alperovitch said, “and it’s really a whack-a-mole situation.”
The outcome of such U.S. restrictions on private-sector responses, said Alperovitch, was that some companies would turn to security providers outside the United States, which could act with impunity. The danger in all this is that lack of effective government response was resulting in the ceding of a government responsibility ‑ namely, to protect American citizens against foreign attack ‑ to individual companies.
All too often, government wants to solve cyber conflicts itself, as they do most other national security crises. But as this scenario showed, it is the private sector that holds most of the cards. Indeed, few cyber conflicts in the past 25 years have been decisively resolved by governments as Jason Healey, the director of the Atlantic Council’s Cyberstatecraft Initiative, writes in his forthcoming history of cyber conflict.
Healey, who moderated last week’s simulation, argued that the private sector has the agility and expertise to solve most cyber crises, and since it is elbow-deep in cyberspace, its also usually has access to the means to do so. The government lacks these strengths, though only it knows the overall context of the attack and has massive intelligence gathering resources and funding, and controls traditional economic, diplomatic and military power levers.
These past months have shown that such discussions are not theoretical. Obama’s message to the financial sector was clear: Before matters become even more serious, the government and private companies together must do more to prepare for the inevitable cyber conflicts to come.
Frederick Kempe is president and CEO of the Atlantic Council. This column was originally published by Reuters.