Former Homeland Security Secretary Michael Chertoff was one of the participants in a Feb. 16 cybersecurity war game in Washington. Former Bush and Clinton administration officials say the war game showed that the government is not prepared to deal with a widespread cyber attack. (File / Agence France-Presse)
The federal government isn't prepared to cope with a widespread cyber attack, former top Bush and Clinton administration officials said Tuesday.
The officials participated in a public cybersecurity war game, where they simulated how the government would respond to a widespread cyber attack. The scenario started with malware spread through an iPhone app; the attack eventually crippled cell phone networks and Internet service, and it ended with much of the East Coast without power due to a failing electrical grid.
The simulation illuminated areas where the government appears not to be prepared:
• Federal agencies don't have the legal authority to turn off people's cell phones and terminate Internet and cell phone service to stop an attack.
• Private companies may be reluctant to cooperate with federal actions to cease Internet or cell phone services. Companies must be brought in on cybersecurity planning to coordinate responses before an attack happens.
• Citizens would be hard-pressed to know what to do during an attack if major news organizations are inaccessible.
• Federal agencies do not adequately restrict federal employees from accessing social networking sites at work, as those sites may be used to spread malware and viruses during an attack.
• Governors may be reluctant to surrender power to the federal government, forcing the president to nationalize the National Guard.
One problem, said one of the role-playing participants — Joe Lockhart, former press secretary for President Clinton — is that the government is too busy with other issues to focus on developing an effective cybersecurity response before it's too late.
"Without a full-blown crisis, [cybersecurity] doesn't rise high enough that people in the government take it seriously, that people in the private sector take it seriously, and the public takes it seriously," Lockhart said. "We don't want panic, but we want [the public] scared enough so that when their member of Congress comes home they say, 'Hey, what about this cyber thing?' When a member of Congress hears something three or four times, that's when it becomes an issue."
Government officials do participate in cybersecurity drills and war games, but Tuesday's event — sponsored by the Bipartisan Policy Group, a Washington, D.C., think tank — was the first one conducted in front of the public and media. The event will be broadcast at 8 p.m. Eastern time Saturday and Sunday on CNN.
The event turned a ballroom at Washington's Mandarin Oriental Hotel into the White House Situation Room, with former officials, led by former Homeland Security Secretary Michael Chertoff playing the national security adviser, responding as NSC members would in real time to a developing cyberattack.
During the simulation, officials such as Chertoff discussed in calm, measured tones how to respond to an attack that was immobilizing the nation's cell phones, Internet and power grid.
Such peaceful debate wouldn't be the case during a real crisis, Lockhart said.
The scenario, created by former CIA Director Michael Hayden, started with an iPhone March Madness application which was contaminated with malware. Once the culprits activated the malware, the destruction spread, bringing down the nation's wireless networks.
The malware began forwarding itself through people's e-mail as well, crippling the Internet and landlines as the attack consumed bandwidth. The computer problems eventually spread to the computers operating the East Coast's power grid, resulting in brownouts and burnouts across much of the East.
Officials, led by former deputy attorney general Jamie Gorelick playing the role of attorney general, debated what to tell the American people. "Defense Secretary" Charles Wald, a retired Air Force general, advocated the government shutting down people's cell phones to stop the malware's spread, but Gorelick said the nation's laws don't permit that.
Gorelick said new legislation must be passed to give the government broad, short-term powers to contain a cyberattack.
"I don't believe our national construction is amendable to the kinds of actions that need to be taken," Gorelick said. "What do you do when the nation's computers become a weapon to their own country? How would you as a citizen feel about me coming into your computer and redirecting it from being a weapon against the U.S. to a weapon against someone else?"