Cyber ShockWave CNN/BPC wargame: was it a failure?

Yesterday's CNN/BPC Internet hacking wargame, Cyber ShockWave, certainly raised some interesting questions. But did it offer any answers? In IT Blogwatch, bloggers keep score.

By Richi Jennings. February 17, 2010.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention Sleep Talkin' Man...     Chris Gaylord monitors the game:

Former government officials gathered Tuesday in Washington to participate in Cyber ShockWave ... a kind of high-level role playing game. As reports of the fake attack roll in, Washington veterans will imagine themselves as certain cabinet positions and collectively advise the president.


Role playing is common among the military and analyst groups – the Obama Administration has run through at least three ... – but the outcomes are rarely public.

Hilton Collins orders room service:

The Bipartisan Policy Center (BPC), a nonprofit that develops multiparty solutions in public policy, will host Cyber Shockwave. ... The public doesn't get to see what happens in the Pentagon or the White House situation, but the BPC will allow people the rare chance to see how something like this actually unfolds, according to ... Eileen McMenamin, the BPC's vice president of communications.


The BPC hosted a similar series of simulations in 2007, Oil ShockWave, which addressed the country's dependence on foreign oil as a major threat.

Jim Garrettson says more must be done:

The wargame was set in 2011, with the US coming off a series of natural disasters. An application used in smart phones turns out to have malware installed. ... Portions of the power grid are taken down through IED attacks. ... An electronic trading system is also eventually knocked offline, the Telecom sector shuts down and the Internet becomes virtually unusable. Also, power throughout much of the Eastern seaboard is also disrupted.


During the exercise, a server hosting the attack appeared to be based in Russia. However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event. ... in the several hours that the wargame lasted, the US was increasingly beset by attack with little knowledge of who perpetrated it. The exercise revealed the complexities that US policy makers would face in the event of an attack.

Bryce Baschuk doesn't pussyfoot around:

So how did America fare against a such a strike? Fail.


Participants indicated that a large challenge in reacting to a cyber attack is identifying who the attackers are and how to find them. This concern has dogged U.S. cybersecurity experts throughout the modern era. ... the U.S. government needs to do more work on the policy side and pass better legislation to protect American interests.

Jill R. Aitoro wages war (and rumors of war):

Among the questions ... was whether the federal government could declare a crippling cyberattack as an act of war if it could not determine who was behind the attack ... [and] whether the administration had the authority to initiate extraordinary measures such as demanding telecommunications companies and Internet service providers shut down service to customers, dictating how power companies should prioritize electricity in case of regional outages, and demanding other nations to cooperate.


Currently, the government has few authorities to respond to a cyberattack that takes down portions of the critical infrastructure, the panel noted.

Meanwhile, Marc Ambinder addresses 'cyber hygeine':

[It's] a weird-sounding and increasingly controversial topic. To put it simply: no one has any. Consumers approach cyberspace as an all-you-can-eat buffet. ... We download all the applications we can buy ... we don't update our anti-virus software. ... We confuse cyber hygeine with our basic need for privacy; we want control of our data ... but we eagerly give it away through Twitter, Facebook and Google.


At the same time, we eagerly accept credit cards with easily steal-able RFID chips and carry around cellphones that can be hacked into by amateurs. The most common password is still "password." ... The marketplace demands speed and convenience, not warnings and roadblocks. And government doesn't have the legal means or practical political force to persuade industry to spend the money on backend information security architecture that ... would, in the end, increase security.

So what's your take?
Get involved: leave a comment.

And finally...

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email:

Don't miss out on IT Blogwatch:

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon