LAB4-W12: Nation Under Attack: Live Cyber-Exercise

Upload: lyque

Post on 24-Mar-2018


Page 1: LAB4-W12: Nation Under Attack: Live Cyber- Exercise · PDF file · 2017-03-10LAB4-W12: Nation Under Attack: Live Cyber- ... The US political parties are again hacked with massive

LAB4-W12: Nation Under Attack: Live Cyber-Exercise

A sophisticated cyberattack is in progress against the United States. Multiple industries are impacted and things are about to get much worse. How will government and industry work together with international partners to face the challenge and respond to an adaptive and innovative adversary?

Facilitators:

Dmitri Alperovitch, Co-Founder and Chief Technology Officer, CrowdStrike; Non-Resident Senior Fellow, Atlantic Council

Jason Healey, Senior Research Scholar, Columbia University SIPA; Non-Resident Senior Fellow, Atlantic Council

With

Beau Woods, Deputy Director, Cyber Statecraft Initiative, Atlantic Council

Overview

For the third installment of the RSA Conference’s “Live Cyber Exercise: Responding to A National Crisis” wargame, four tables of participants representing different segments responded to a scenario exploring a disruption of the 2020 US elections by North Korea. The group included senior US government officials from the Department of State, Department of Defense, White House, and Department of Justice, as well as industry cybersecurity executives and experts.

The event was organized by Dmitri Alperovitch, Co-Founder and Chief Technology Officer (CTO) at CrowdStrike as well as a Nonresident Senior Fellow at the Atlantic Council think tank, and Jason Healey, also a Nonresident Senior Fellow at the Atlantic Council and a Senior Research Scholar at Columbia University. Beau Woods, the Deputy Director of the Atlantic Council’s Cyber Statecraft Initiative, helped to moderate the event.

Scenario Summary

The live cyber-exercise explored the consequences of a repeat of the 2016 elections to give participants the chance to respond against a hypothetical attempt in 2020 by the North Koreans to impact US elections.

Four groups were involved in simulating responses during the wargame:

US government team of current and former officials

Private-sector team with executives from cybersecurity and critical infrastructure companies, vendors, and platform companies

Media team of prominent journalists

Adversary team made up of cybersecurity executives and former officials playing the role of the North Koreans to bring another level of interactivity to the wargame

During the simulation:

1. By 2020, there have been numerous election hacks around the world, not just in the United States, but also Germany, France, and South Korea. In response to North Korean nuclear weapons, the United States and South Korea re-introduce nuclear weapons to the peninsula.

2. The US political parties are again hacked with massive amounts of data and emails deleted. The Intelligence Community has a high degree of confidence that North Korea is responsible for the incidents.

3. A never-before-heard-from hacktivist group declares that they were the hackers behind the hacks and starts contacting media pitching them the hacked materials, though many look doctored.

4. The private sector identifies intrusions into voting-machine companies, both in the United States and other OECD nations. It is not known if the intruders have been able to affect production code.

5. Finally, the North Koreans confirm they were responsible.

Lessons Learned

The teams representing the US government and the media drove the response to the scenario. Both were keen to demonstrate lessons learned from the 2016 elections.

The US government team was willing to escalate rapidly as the scenario progressed: the election was only a few months away, the North Korean attempts at sabotage were growing increasingly brazen, and the Intelligence Community had quite high confidence in its attribution.

The media team was exceedingly cautious in using any of the leaked documents, since some were clearly doctored. This also helped prevent them from being manipulated away from focusing on the main story of adversaries attempting to sabotage an election.

Through the exercise, it was clear there are robust, existing processes and organizations to respond to major attacks.

#RSAC

Nation Under Attack: Live Cyber-Exercise

SESSION ID: LAB4-W12

Dmitri Alperovitch
Co-Founder and CTO, CrowdStrike
Senior Fellow, Atlantic Council
@DAlperovitch

Jason Healey
Senior Fellow, Atlantic Council
Senior Research Scholar, Columbia University
@Jason_Helaey

Exercise-Based Learning

Cyber 9/12

Part conference, part exercise

Some play, some observe: all learn

Third lab at RSAC USA

Two labs at RSA Abu Dhabi

Part of “Cyber 9/12” Series

Four Teams – FIX TOMORROW

Government: You are playing the role of a policy committee reporting to the NSC. Key questions: What is the impact of the attacks? How should the nation use its levers of power to succeed in the cyber crisis forced upon it?

Cybersecurity: You are playing the role of volunteers and cybersecurity companies called in to help the affected organizations.

Key questions: What is the impact of the attacks and what steps can non-states take? What are the next steps to mitigate this attack and prepare for what might be next?

Media: You are playing the role of the media

Key questions: What is the impact on people’s opinions from the incident? How do the facts and analysis get reported accurately and convincingly? What is the media’s role?

Adversary: You are playing the role of the adversary nation or non-state group which is using cyber power against the United States

Key questions: What next step might an intelligent adversary pursue to advance its interests, in line with its traditional means and culture?

Role of Observers

Different than a normal RSAC session: listen, learn, think of questions

Moderators will collect questions to ask

Chatham House rule: “Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed”

Today’s Learning Lab

4pm: Group assembles

4:10pm: Welcome and introduction

4:15pm: First inject and discussion within groups

4:30pm: Brief recommendations

4:45pm: Second inject and discussion within groups

5pm: Brief recommendations

5:15pm: Third inject and discussion within groups

5:30pm: Brief recommendations

5:40pm: General discussion on the results of the simulation and concluding remarks

6pm: Conclude, commence socializing in earnest

SCENARIO - Inject Zero

It is now March 2019…

SCENARIO – Scenesetter (1)

North Korea successfully tested an ICBM clearly capable of reaching the west coast of the United States with a nuclear warhead.

Kim Jong Un boasts that California could be a sea of fire at his command. He also appears at tests of submarine-launched nuclear-tipped missiles.

US and South Korean governments respond by re-introducing tactical nuclear weapons to the US airbases in the peninsula, ramping up advanced missile defenses in the south, and instituting a naval blockade against the North. North Korean mouthpieces are clear this will lead to war.

A Japanese minister mentioned in passing that the country should consider its own nuclear force and there was little public outcry.

China has been growing in strength and constantly testing the United States, Japan, Australia and the smaller ASEAN nations through provocations in the South China Sea and elsewhere. The One Belt - One Road initiative has continued to gain strength.

Chinese cyber espionage is again at a very high tempo, though mostly focused on political and military (not significantly commercial) intelligence.

There has not been any major Sino-US falling out, though the US re-introduction of nuclear weapons to South Korea (and possible Japanese inventory) goes against a specific “red line” of Xi Jinping.

Iran has returned to disruptive cyber attacks with a vengeance after the collapse of the JCPOA nuclear deal and US military campaigns to raid Iranian-flagged vessels possibly carrying contraband and the apparently targeted killings of Revolutionary Guard leadership in Yemen.

In the aftermath, the Revolutionary Guard came away with significant new funding and standing as the new Supreme Leader has long been associated with their goals. Both Israel and the US administration have threatened to use nuclear weapons against the Islamic Republic if Iran were to use (or, depending on the wording of the threat, even to field) their own nuclear weapons.

Russia has continued to force its belligerence on Western Europe, with focused attempts to de-stabilize the Baltic states, Georgia and Poland, all of which have some degree of Russian-funded groups causing a range of mischief (and often violence).

The US administration re-imposed sanctions on Russia after a falling out with Putin in late 2017 after declaring that Putin had not lived up to his end of a new grand bargain. Relations between the Russian and American presidents are bleak.

Islamic State is no more, though a dozen smaller groups are vying for influence in the hinterlands of Syria and Iraq. Al Qaeda remains a threat, but mostly focused on a major catastrophic attack.

FIRST ROUND - BRIEF ASSESSMENT AND RECOMMENDATIONS

SECOND ROUND - BRIEF ASSESSMENT AND RECOMMENDATIONS

THIRD ROUND - BRIEF ASSESSMENT AND RECOMMENDATIONS

Please Remember!

Chatham House rule: “Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed”

DISCUSSION AND CONCLUSION