What would happen if terrorists or an enemy nation got their hands on digital weapons of mass disruption -- like Stuxnet, Flame, or the newly reported Gauss -- and used them to attack America? How would it impact our economy, our banking system, our transportation system? How would IT organizations respond? Could we, in fact, defend ourselves?
Those were questions I recently set out to answer. Over the course of three months, working with The Economist, I put together a comprehensive simulation of such an attack.
This project seems particularly timely, because the Russian-owned anti-malware firm Kaspersky yesterday released a report detailing a new cyberespionage toolkit they've dubbed "Gauss". According to Kaspersky, Gauss builds on the previous weaponized cyberattack toolkits known as Flame and Stuxnet.
To create the simulation for The Economist, I recruited an all-star team consisting of Roger Cressey (former Director for Trans-national Threats on the National Security Council and Chief of Staff to the President's Critical Infrastructure Protection Board), Richard Clarke (former Special Advisor to the President on cybersecurity), Robert Rodriguez (former U.S. Secret Service Presidential protection supervisor and Homeland Security advisor), crisis PR expert Brenda Christensen, and leading virus-threat expert Phil Owens.
Because Stuxnet destroyed its intended target, and then wound up in "the wild," our working group explored possible scenarios of how such a dangerous weapon could be repurposed by our enemies and aimed at us. The simulation recognized that many recently installed systems are generally well-hardened, but older systems are much more vulnerable.
The simulation began with three isolated events, three breakdowns in our transportation system. It then went deeper, looking at what would happen if an enemy could disrupt our overall transportation systems (specifically targeting older hardware and software), and how that could undermine trust and citizen confidence. The simulation then layered on additional threats. Next came a distributed denial of service attack against transportation Web sites and banks. Then came a coordinated cyberespionage attack, exploring what would happen if a worm could tunnel into our banking clearinghouse systems.
On June 6, Roger, Robert, Brenda, and Phil flew out to the Idea Economy: Information 2012 Summit in San Francisco to demonstrate the events of the simulation from the perspective of the White House cybersecurity coordinator in front of some of America's leading thinkers, corporate execs and government leaders.
Richard Clarke and I connected into the summit by remote video feed. I played the role of Director, US-CERT, United States Computer Emergency Readiness Team. Dick wrapped up the simulation with some important thoughts and warnings for America, America's leaders, and IT managers everywhere.
In light of yesterday's news about the new national-level malware, Gauss, I thought it would be prudent to share with you the full simulation. You can watch the full demonstration in the following video. Keep your ears open -- the fateful words you're listening for are "an economic extinction-level event".