What if a Cyberattack Ignited a War?

Cyber 9/12 contest participants present policy options to contain crisis

A cyberattack has brought nuclear-armed rivals India and Pakistan to the brink of war. An unknown adversary has hacked into a US defense contractor’s computer systems, stolen highly sensitive data, and potentially taken over Global Positioning System satellites. Fighter jets and military radios, along with commercial airlines and mobile phones, are all at risk.

As tensions escalate, non-state actors falsely claim responsibility for the cyberattack. Meanwhile, India and Pakistan inch toward full-scale war as a Pakistani missile shoots down an Indian commercial airliner that has mistakenly strayed into the airspace over the contested Kashmir region.

This was the fictional scenario laid out in a simulation at the fourth annual Cyber 9/12 Student Challenge held at American University on March 11-12. Who carried out the data breach? Were civilian GPS systems affected? Did Pakistan purposely fire the missile? These were among the many questions with which the participants from universities across the United States grappled.

Participants prepared responses to a simulated cyberattack. These policies were presented to a panel of judges, which played the role of the National Security Council seeking information to brief the President of the United States. The judges included high-level current and former government officials, private sector experts, and award-winning journalists, including: Maj. Gen. (Ret.) John Davis, Vice President and Federal Chief Security Officer at Palo Alto Networks; Christopher Painter, Coordinator for Cyber Issues at the Department of State; and David Sanger, chief Washington correspondent for the New York Times.

The Cyber 9/12 Student Challenge, facilitated by the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security, provides university students with a deeper understanding of the policy challenges associated with cyber crisis and conflict. Part interactive learning experience and part competitive scenario exercise, it challenges teams to respond to a realistic, evolving cyberattack, and to analyze the threat such an attack poses to national, international, and private sector interests.

Participants have a unique opportunity to interact with expert mentors and high-level cyber professionals while developing valuable skills in policy analysis and presentation. By bringing together policy practitioners and students in a fun, yet demanding, environment, the Student Challenge not only hopes to improve today’s cyber policies, but also to prepare tomorrow’s cyber policymakers.

Overall, teams thought strategically and formulated holistic policies, resulting in interesting and creative recommendations. Among the recommendations were:

Putting out the fire: Several students recommended immediately carrying out computer incident response plans that identify, contain, mitigate, and recover from the data breach to eliminate the adversary’s continued ability to steal data or tamper with systems. Students often used these incident response plans as a foundation, adding more recommendations on top of them.

Pulling levers of national power: Some students proposed imposing economic sanctions, increasing intelligence collection efforts, and preparing kinetic and cyber military operations. Though attribution for the cyberattack remained ambiguous throughout the simulation, a few students boldly identified an adversary that has targeted one or both of the states mentioned in the simulation.

Engaging allies and the international community: Other students sought a more measured approach, seeking to open diplomatic communication channels, establish new alliances, gain consensus on the importance of GPS satellites, and solidify cyberspace norms against attacking critical civilian infrastructure. For instance, students often recommended declaring GPS a critical civilian infrastructure in hopes of gaining diplomatic protection against state actors disrupting the system.

Involving the public and private sector: Teams proposing responses that included both the public and private sector earned high scores from the judges. Several judges repeatedly emphasized the private sector’s stakeholder role in policy responses to cyber crises such as the one in the simulation. Quite a lot of civilian infrastructure has a critical dependence on GPS technology for navigation as well as keeping time-critical operations in sync.

My fellow Americans: Although not often considered by students, a few teams crafted public communication strategies for informing the American public, the private sector, the military community, and international allies. How to frame the data breach and what information to reveal were important questions to answer, especially when the public could be significantly affected by the degradation or shutdown of GPS services.

Team “Fightin’ Electrons” from the Air University’s Air Force Cyber College won first place, taking home a $2,000 prize as well as the Military Cyber Professional Association’s “Order of Thor” medal for best military team. In addition, Stanford University’s team won “Best Teamwork,” while Columbia University’s team won “Best Oral Brief.” “Cyber Jedi,” another team from Air University, won the “Most Creative Cyber Policy Solution Award,”

The Cyber 9/12 Student Challenge now moves to Europe, where its Geneva-based competition will take place on April 7-8.

Samuel Klein is an intern with the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security.

Image: Contestants from universities across the United States present their responses in the event of a cyberattack to a panel of judges at the fourth annual Cyber 9/12 Student Challenge at American University in Washington. The event, hosted by the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security, was held on March 11-12. (Atlantic Council)