Former high-ranking federal officials staged a mock cyber attack exercise in which a computer virus of unknown origin cripples 40,000 computers and key business systems at a major U.S.-based oil company the day after Thanksgiving. (Saul Loeb / AFP via Getty Images)
In the event of a major cyber attack on critical networks, experts warn that deep reluctance among governmental and private-sector organizations to share vital information could blunt a swift response.
A number of former high-ranking federal officials staged a mock cyber attack exercise last week. The scenario: A computer virus of unknown origin cripples 40,000 computers and key business systems at a major U.S.-based oil company the day after Thanksgiving. The virus also infects backup systems and systems storing data on the pressure and safety parameters for drilling in the Gulf of Mexico. Computer systems that direct the company’s trading operations also are down.
As a precaution, the CEO shuts down drilling in the Gulf, bringing one-fifth of the nation’s daily oil production to a halt. His first priorities:
Estimate the extent of the damage and prevent further impact.
Get operations back online as soon as possible because it’s the start of the holiday season and there are demands from the transportation sector and customers who need to heat their homes during the winter.
Work with the company’s lawyers to respond to U.S. and foreign regulators.
Sharing details about the attack with the FBI, Department of Homeland Security or the National Security Agency is last on the list.
“[I’m] not going to rush into sharing,” said Dmitri Alperovitch, who played the oil company CEO at the Washington Post-sponsored event. Alperovitch is co-founder and chief technology officer at CrowdStrike, a security startup firm.
He said he first needed to understand the regulatory impact and legal liabilities before contacting the Energy Department, Environmental Protection Agency, Securities and Exchange Commission, Federal Energy Regulatory Commission and others. There might also be civil liabilities from customers and potential impact on oil and stock prices if details of the attack got out.
As CEO, Alperovitch said he would likely contact the director of the FBI and share the malicious code to help determine who was behind the attack, but he would share little, if any, information about the impact of the attack and wouldn’t give the government access to the company’s network.
“I don’t need other folks in the kitchen,” especially those the company has no control over, he said.
DHS Secretary Janet Napolitano, who spoke at the event but did not participate in the exercise, said the government needs to get better at sharing cyber information, at various classification levels, to assist companies. Real-time information sharing is key, Napolitano said. Without it, efforts to secure critical cyber networks will be delayed.
When DHS learns of an attack days or weeks later, it can’t help mitigate the damage or alert other critical sectors of the attack, she said. It also delays forensics work to determine the source and intentions of the attack.
Former FBI deputy assistant director Steven Chabinsky, who played the role of FBI director, said information sharing with the company about the source of the attack would be slight initially. Chabinsky said some company officials could get limited security clearances to learn details about the attack.
The FBI would also ask for the company’s incident log files to gather more details about the attack, Chabinsky said. When asked how hard the FBI would press to get those files, he said the aim is not to revictimize a victim. While there are forceful means of getting information, Chabinsky said the goal is for the company to voluntarily share the information.
Several cybersecurity bills in the Senate and House attempt to address the bureaucratic hurdles that prohibit intelligence agencies from sharing classified cybersecurity information with companies and that discourage companies from sharing information with each other or the government.
One of those, the Cyber Intelligence Sharing and Protection Act, which passed the House in April, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Companies that share information under the bill’s provisions would be granted legal protections if they are subject to a cyber attack.
Many experts argue that absent incentives, such as tax breaks or liability protection, there are no benefits for some companies to share cyber threat information with the government, let alone their competitors.
Failed legislation introduced by Sen. Joseph Lieberman, I-Conn., in February would have provided liability protection for companies that met voluntary security standards yet still fell victim to an attack. Jeffrey Ratner, a top aide on the Senate Homeland Security and Government Affairs Committee, which Lieberman chairs, said he expects Senate Majority Leader Harry Reid, D-Nev., will reintroduce the bill during the lame duck session after the Nov. 6 elections. Potential changes to the bill have not been ruled out.