Simulation: What if digital WMDs attack America?

Simulation: What if digital WMDs attack America?

Summary: What would happen if terrorists or an enemy nation got their hands on digital weapons of mass disruption -- like Stuxnet, Flame, or the newly reported Gauss -- and used them to attack America?


What would happen if terrorists or an enemy nation got their hands on digital weapons of mass disruption -- like Stuxnet, Flame, or the newly reported Gauss -- and used them to attack America? How would it impact our economy, our banking system, our transportation system? How would IT organizations respond? Could we, in fact, defend ourselves?

Those were questions I recently set out to answer. Over the course of three months, working with The Economist, I put together a comprehensive simulation of such an attack.

This project seems particularly timely, because the Russian-owned anti-malware firm Kapersky yesterday released a report detailing a new cyberespionage toolkit they've dubbed "Gauss". According to Kapersky, Gauss builds on the previous weaponized cyberattack toolkits known as Flame and Stuxnet.

To create the simulation for The Economist, I recruited an all-star team consisting of Roger Cressey, (former Director for Trans-national Threats on the National Security Council and Chief of Staff to the President's Critical Infrastructure Protection Board), Richard Clarke (former Special Advisor to the President on cybersecurity), Robert Rodriguez (former U.S. Secret Service Presidential protection supervisor and Homeland Security advisor), crisis PR expert Brenda Christensen, and leading virus-threat expert Phil Owens.

Many of you know Phil because he and I have done a bunch of cybersecurity webcasts together here on ZDNet, including our 2012 Guide to Security Strategies (recorded last week and available on-demand) and Cloud-managed security vs. on-premise security: How to choose, coming up next Wednesday.

Because Stuxnet destroyed its intended target, and then wound up in "the wild," our working group explored possible scenarios of how such a dangerous weapon could be repurposed by our enemies and aimed at us. The simulation recognized that many recently installed systems are generally well-hardened, but older systems are much more vulnerable.

The simulation began with three isolated events, three breakdowns in our transportation system. It then went deeper, looking at what would happen if an enemy could disrupt our overall transportation systems (specifically targeting older hardware and software), and how that could undermine trust and citizen confidence. The simulation then layered on additional threats. Next came a distributed denial of service attack against transportation Web sites and banks. Then came a coordinated cyberespionage attack, exploring what would happen if a worm could tunnel into our banking clearinghouse systems.

On June 6, Roger, Robert, Brenda, and Phil flew out to the Idea Economy: Information 2012 Summit in San Francisco to demonstrate the events of the simulation from the perspective of the White House cybersecurity coordinator in front of some of America's leading thinkers, corporate execs and government leaders.

Richard Clarke and I connected into the summit by remote video feed. I played the role of Director, US-CERT, United States Computer Emergency Readiness Team. Dick wrapped up the simulation with some important thoughts and warnings for America, America's leaders, and IT managers everywhere.

In light of yesterday's news about the new national-level malware, Gauss, I thought it would be prudent to share with you the full simulation. You can watch the full demonstration in the following video. Keep your ears open -- the fateful words you're listening for are "an economic extinction-level event".

Also available via

Topics: Security, Banking, Government, Government US


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • We won't know until it happens

    When you consider most people knew nothing about Flame, Stuxnet or others until they were in the wild or months after they infected their targets. One has to wonder if something like this is already on many of our servers and PC's? The argument that we can somehow prevent it is ridiculous.
    • Nothing will happen

      At least not to my Linux machine :-)
      • We also have Loverock Davidsons expertise to fall back on

        if all else fails.................
        Over and Out
      • If the Large Hadron Collider's server farm got hacked,

        what makes you think your one puny PC can't be infiltrated?

        Yes, the LHC is ran on a Linux server farm.

        Heck, use an iPhone if you want to feel more secure... but if an unjailbroken phone's database can be hacked in 20 seconds or a simple point'n'click website could be used to jailbreak a phone, then I wouldn't rely on it either... ooga-booga, y'all...
  • China

    *News Flash*

    China already has spyware in major corporate computer systems.
    Jeffrey James
    • RE: China


      But I think that this simulation is looking more at disruptive or destructive malware that actually damages information systems or critical embedded systems that are used for infrastructure.
    • Spyware?

      China is just keep an eye on its investments.
      Keep going in the current direction and they will OWN this country. We're playing right into their hands, most-favored trading partner, indeed. Khrushcev couldn't do it, but China will bury us, and we gave them the shovel.
      • Oh, I can fathom a couple of trump cards

        But that's another argument for another time. :)
  • Problematic

    The question to ask is whether "simulation" is the way to think through these problems or is there an alternative - "emulation"? Simulation is so very limited when conducting studies and analyses like these. I have done similar projects and while they are interesting etc., they are also quite far removed from the "real world". Oh...and the big names and organizations are kind of irrelevant - usually, they know very little about the matter on hand.
    • Was thinking the same thing, especially when some of those "experts"

      are experts about the "big picture", but not at the detail or attack level, which is where the real experts would be needed, meaning, the designers and coders of the attack software.
      • We Need People who Can do Both

        There needs to be more people who can see both the big picture politics and international relations as well as the technical IT and computer security side.
        • I was getting at something different

          In the most recent mil-strategic set-up there is a move away from "simulations" towards "emulations" because the former is always conducted within a co-called closed system and is guided by a set of "game-rules", which are moderated as per doctrine etc. This makes simulations far removed from the Real World where things never go according to plan. And as for the "larger picture" (International Relations specialists etc.), the so-called specialists are not very competent. Usually, they voice their opinions and nothing more which, in the cynical words of "Callahan (aka Dirty Harry)", are like ars*holes...everybody has one!
  • How do you know that it isn't already happening?

    You don't.
    • In fact, it has happened.

      Malware, viruses and worms know no borders, and these are no different in that respect. Although Stuxnet specifically targets Siemens equipment, it and the others have already spread to Windows systems in the US. Although the others are more generally a problem for US citizens, as we've seen in the past, these types of invasive software can make their way into legitimate distributions and spread far and wide.
  • I believe US DoD taked measures when they developed this programs

    I mean, when you make a weapon you should always design a way to disable it if it's used against you.

    (Surprise!! everybody knows that this malware was founded by the US)
    • Measures cannot be taken to prevent such weapons from finding their way

      into the private sector web sites and economy.

      The people who designed and wrote the malware, might not always continue working for the government, and, if they do leave their government job or government contract, who is to say that, they couldn't replicate the same type of malware, or sell their skills to the highest bidder who doesn't have our best interests in mind?
      • Who said they started at government?

        Once your private industry code is shared around the world...

        Government merely adds a hurdle to get over...
    • Everybody knows that this malware was founded by the US

      Is was? I heard is wasn't. Need proof before I'll attach it to any nation/person
      William Farrel
      • Proof? Depends on who you trust.

        White House didn't deny this when published by New York Times.

        "Obama Order Sped Up Wave of Cyberattacks Against Iran"

        "How a Secret Cyberwar Program Worked"
        • By the NYT... isn't dat one of dem librul instimatutions?