Simulated Hack To Test US Government Response

superapecommando writes "Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets. The Bipartisan Policy Center, a Washington-based non-profit established in 2007 by several lawmakers, will host a simulated nation-wide cyber-attack next Tuesday for a group of former administration and national security officials, who will be playing the roles of Cabinet members."

Use it as cover!

So when a real hack happens at the same time, we don't react?

Re:Use it as cover!

[poetmatt]

not only that, but knowing a hack is coming is not exactly realistic.

I'm sure the results will say "we're well prepared for a hack" even though reality proves otherwise.

Re:Use it as cover!

[interactive_civilian]

not only that, but knowing a hack is coming is not exactly realistic.

Indeed. They should launch the simulation without warning on Sunday or Monday and see how prepared they really are. ;)

Re:Use it as cover!

[HungryHobo]

From reading TFA I'm fairly sure no pen-testing will be involved.
By the look of it it's going to be a beurocratic drill rather than a technical one.
No actuall hacking, just a load of suits in a room being given fictional reports of the progress of the "cyber attack" against them.
They pretend to know anything at all about it, they make fictional descisions and then some consultants go over it all afterwards with them and try to guess which chocies wouldn't have been good ones had it been a real situation.

Re:Use it as cover!

[Lumpy]

yes and no.

I did a simulated data disaster at Comcast a decade ago. but I informed only one important key person that I was going to cause a very real data loss event in the billing system. I would back thing up myself, but the backups that IT were running I would silently fail for a WEEK before the event.

at the event horizon I deleted the SQL database, the SQL team yawned and went to restore the database.... Oh crap nothing to restore but week old backups....

They shit themselves and we let them panick for a good hour before we walked in and asked...

What do you mean? you check your backups of critical data daily dont you? how about vertifying the validity of those backups? when was the last time you did a test restore on a backup server to make sure it was right?

I knew they were not backing it up or testing, I used that to my advantage to scare the hell out of them in hopes of getting what I have been telling them for a year through their skulls.

It also proved my point to the IT director that his "teams" were NOT ready for this.

I'll bet you $1000.00 they STILL dont test the backups, and rarely check to see if they are running.

Re:Use it as cover!

[SeekerDarksteel]

"The internet is DOWN!!"

Which one?

Simulated?

[ircmaxell]

A "Simulated" attack? So basically people wandering around pretending that power just went out? I understand that holding fire drills is good and all, but why not try lighting a controlled fire and seeing how everyone reacts? And never announce a drill. Otherwise, it's simply not real enough to give you useful information about the response...

Re:Simulated?

[ircmaxell]

Yes, during training, you run "planned drills"... Something exercise a specific skill or scenario. But a planned drill does nothing but test that specific skill. Unplanned drills test the entire system... Basically, a planed drill teaches people how to react. An unplanned drill shows how "prepared" you are, and where you need to focus training. Without the baseline provided by an unplanned drill, how do you know how to focus the planned ones? For something like firefighting, you have past experience (both from the organizers, and from others) to tell you how to do a drill and what it should focus on. But for this, there's no past experience...

Re:Simulated?

[hey!]

That's kind of an extreme position, don't you think?

Just because an unannounced drill is useful, doesn't mean announced drills aren't useful. For one thing, you *can't* do realistic drills of some scenarios. Some reactions to emergencies kill people. Clog the roads with emergency vehicles and panicking people and rush most of your EMTs and ambulances to the "disaster" site and people who need to ride in an ambulance for real suffer. Shutdown the airport for a few hours and somebody might not get his heart transplant.

People and groups learn by being stretched, and of course an unannounced drill stretches people, but sometimes when people are very poorly prepared they don't learn anything from abject failure. If *nothing* works, then you get a useless emotional reaction. If you give people a chance to prepare, you can get them to think about the general parameters of what an effective response would be.

Not everything in a drill people know is coming has to be expected. So you got your workers out there, and then you say, "OK everyone, the UHF radios have stopped working," or "You can't get any blood plasma from Mount Sinai because they're full up with casualties," or "Guess what, this isn't a chemical spill, it's radioactive."

The thing about disasters is that they disrupt normal systems. That's the definition of a disaster. It takes a while to get people trained up to the point where you can throw anything at them and it will be a learning experience.

how will they know?

Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets

Have they been notified? And how is it a simulation if they are or how will they know how to respond or detect it even?

If I imagine this to happen here, to a global bank, this has been a real scenario:

"How did they get those data?"
"Appearantly all our clients have been leaked"
"Oh shits, heads gonna roll! Call serverteam!!"
*Perform security audit, fire 3rd party solution creators, creating a hole through carelessness.*

Now, if you would do a "large scale test", it will in my experience go like this:
:
"Agents complain of slow access, what is up?"
"It's lunchbreak, people are surfing, let them know we're checking it out."
"Agents are still complaining, we have some error logs coming in from website users."
"Ok, lets contact servermaintenance, request a logfile."
"Server maintenance here, we're swamped with requests, I can send it to you tomorrow or the day after soonest."
"We need a stat on the server, things are slow"
"CPU is looking ok, memory is reasonable. Must be some configuration on your side, wait for the logs. Tmorrow."
"Oh, nvm it cleared up. Guess we got a pusblished article in the papers drawing in more folks. Applause for sales. Close the ticket."

Simulation of the results follows

[0racle]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Re:Simulation of the results follows

[TubeSteak]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Did you even RTFS?
They've invited a bunch of "former administration and national security officials" to pretend to be Cabinet members at a simulation they've setup at a hotel.

This is a private company inviting private citizens to do some techno-LARPing.

This will be a nice change from the status quo,

[Minwee]

...where "Political Hacks Interfere With US Government Response".

Neither the attack nor the response is realistic

[BhaKi]

I'm sure the "attack" will be successful enough to give credibility to all the recent hacking-related stories. And the "response" will be successful enough to justify future funding for "Cyber Control Force", "Strategic CyberWar command", etc.

Chinese Sub

[Hadlock]

Does anyone remember this event happening?
 
  http://www.dailymail.co.uk/news/article-492804/The-uninvited-guest-Chinese-sub-pops-middle-U-S-Navy-exercise-leaving-military-chiefs-red-faced.html
 
Yes, that really happened in real life. It also happened in Tom Clancy's book "Executive Orders". Let me summarize the headline for you real quick, The uninvited guest: Chinese sub pops up in middle of U.S. Navy exercise, leaving military chiefs red-faced
 

When the U.S. Navy deploys a battle fleet on exercises, it takes the security of its aircraft carriers very seriously indeed.
At least a dozen warships provide a physical guard while the technical wizardry of the world's only military superpower offers an invisible shield to detect and deter any intruders.
That is the theory. Or, rather, was the theory. Uninvited guest: A Chinese Song Class submarine, like the one that sufaced by the U.S.S. Kitty Hawk
American military chiefs have been left dumbstruck by an undetected Chinese submarine popping up at the heart of a recent Pacific exercise and close to the vast U.S.S. Kitty Hawk - a 1,000ft supercarrier with 4,500 personnel on board.
By the time it surfaced the 160ft Song Class diesel-electric attack submarine is understood to have sailed within viable range for launching torpedoes or missiles at the carrier.
According to senior Nato officials the incident caused consternation in the U.S. Navy.
The Americans had no idea China's fast-growing submarine fleet had reached such a level of sophistication, or that it posed such a threat.
One Nato figure said the effect was "as big a shock as the Russians launching Sputnik" - a reference to the Soviet Union's first orbiting satellite in 1957 which marked the start of the space age.
The incident, which took place in the ocean between southern Japan and Taiwan, is a major embarrassment for the Pentagon. Battle stations: The Kitty Hawk carries 4,500 personnel
The lone Chinese vessel slipped past at least a dozen other American warships which were supposed to protect the carrier from hostile aircraft or submarines.
And the rest of the costly defensive screen, which usually includes at least two U.S. submarines, was also apparently unable to detect it.
According to the Nato source, the encounter has forced a serious re-think of American and Nato naval strategy as commanders reconsider the level of threat from potentially hostile Chinese submarines.
It also led to tense diplomatic exchanges, with shaken American diplomats demanding to know why the submarine was "shadowing" the U.S. fleet while Beijing pleaded ignorance and dismissed the affair as coincidence.
Analysts believe Beijing was sending a message to America and the West demonstrating its rapidly-growing military capability to threaten foreign powers which try to interfere in its "backyard".
The People's Liberation Army Navy's submarine fleet includes at least two nuclear-missile launching vessels.
Its 13 Song Class submarines are extremely quiet and difficult to detect when running on electric motors.
Commodore Stephen Saunders, editor of Jane's Fighting Ships, and a former Royal Navy anti-submarine specialist, said the U.S. had paid relatively little attention to this form of warfare since the end of the Cold War.
He said: "It was certainly a wake-up call for the Americans.
"It would tie in with what we see the Chinese trying to do, which appears to be to deter the Americans from interfering or operating in their backyard, particularly in relation to Taiwan."
In January China carried a successful missile test, shooting down a satellite in orbit for the first time.

...So who's to say something similar won't happen this time, except in cyberspace? Imagine, in the middle of a simulated hack, the Chinese government actually hacks our systems during a military exercise. Knowing what we know now, it's not improbable.

Re:Chinese Sub

[GooberToo]

Except that article is all fluff and lacking any type of intelligence.

Those were regularly scheduled exercises which take place annually in the exact same spot every year. The FACT is, no one in the military was embarrassed. Period. Only the idiot reporters, who improperly frame it as an embarrassment, have been embarrassed.

This is reality. The Chinese, wishing to cause a publicity stunt, hoping that idiots, which are frequently referred to as reporters, will pick up on a stunt are report on it because one, they are idiots, and two, won't actually check fact their story. And so, the Chinese decide to quietly sit in the middle of nowhere waiting for the US military to come along; as they've done every year preceding for who knows how many years. Sure enough, just like every year before, the US Navy comes cruising along in the exact same area. The Chinese pop up and start cruising toward the highest value target available; a US aircraft carrier. Next, idiot reporter states the military is embarrassed because he's too stupid to realize they are not.

The simple truth is, unless they are able to break US military cryptography, which I very seriously doubt, or if they are planning on a preemptive strike whereby China disappears from the face of the Earth, this is in no way, shape, or form, representative of any type of military action possible by the Chinese.

The Chinese do not pose any credible threat to the US Navy in open waters. None. Not one bit. They do, however, pose a threat in regional, shallow waters, which is why the Navy is pushing so hard to improve their sonar capabilities in that environment.

To summarize, the only people embarrassed by the Chinese are idiot reporters and ignorant masses who believe it speaks to China's Naval capabilities. In reality, it was a completely non-news event and reports and people who ignorantly repeat such stories are nothing but sock puppets for the Chinese propaganda machine; which the US Military is now trying to play to obtain yet additional funding.

Re:Chinese Sub

[GooberToo]

sub managed to bypass their sensors.

That's actually easy to do and the expected result for a stationary object resting near or on the bottom. Things that don't don't move and don't make noise are really hard to find. This is especially true where multiple thermoclines exist. Of course, that's also why its not the least bit embarrassing for the US Navy because for it to have any real meaning, the Chinese would have to know where the US Navy would be before hand, during a state of war.

The picture is even more bleak for trying to locate modern diesel subs when operating in their own backyard. These days diesel subs are extremely quiet. And this is exactly why the Navy has been working hard to increase its sonar capabilities. Congress has been pushing back on funding and environmental concerns but as I originally said, I'm sure the Navy will use this to help bolster their position.

The ancient DoS attacks: are they really prepared?

[garompeta]

1) Plant a bomb
Who needs a complicated hack when you can use thermite on key interconnections?

2) Lure an insider
Ancient methods that the CIA is still using to gather foreign "intelligence" from their euphemistically called "Agents" (in their respective countries these Agents would be called traitors).
Who can stop a trusted and authorized user with the right privileges from opening ports from behind the enemy lines (aka. firewalls)... when the "bad guys" get him the proper incentive or coersion?

3) Creative Social Engineering
Are they also be implementing policies to ensure that people are not plugging randomly dispersed usb drives with malware? The guy who delivers the mail, the fedex guy, the cleaning personnel, the cable guy, the Verizon guy. Those are valid strategies for everyday black hat hacking.

Now, that is a realistic scenario. Are they really prepared for that?
If I was planning a full-scale attack to the US infrastructures, the old methods would be the first choices.

I can imagine the following happening:

"Sir, when are they gonna start attacking us? We aren't getting any suspicious traffic"
"Ahem, you already have been hacked, training is over".

In the meantime...

[noddyxoi]

Goldman Sachs and JPM prepare a Short Selling attack in America.