The U.S. financial and energy sectors are no strangers to foreign government hackers, from Iranian denial-of-service attacks on American banks to Russian reconnaissance of industrial control systems. Less-familiar territory, however, is how companies would work with the U.S. government to respond to a cross-sector cyberattack during a geopolitical crisis.
About 20 private-sector executives and former government officials gathered last month in Washington, D.C., to take a stab at that question.
A tabletop exercise hosted by the Foundation for Defense of Democracies (FDD), a think tank, hashed out what companies and federal agencies might ask of each other in the 72 hours after a disruptive series of computer intrusions.
The fictional scenario involved a confrontation between the United States and China in the Taiwan Strait, which was followed by a cascading cyberattack on multiple U.S. critical infrastructure sectors. The former defense and law enforcement officials in the room discussed with their private-sector counterparts — executives from the banking, electricity, and retail sectors — how a U.S. government and industry response to the cyberattack might play out.
Participants debated everything from the government’s use of private data to attribute cyberattacks to the potential blowback of offensive U.S. operations.
“The private sector is on the front lines of this new battle space,” the FDD’s Samantha Ravich said, describing the impetus for the exercise. “It’s not [private companies’] business to do national security. Unfortunately, national security is being done to them now with cyber-enabled economic warfare.”
U.S. officials have acknowledged that cyberspace is intrinsic to geopolitical conflict. The FDD drill was a recognition that, in order to succeed in such a conflict, the government and private sector need to be in lockstep.
Companies need to be “a lot more involved [and] informed to protect their interests, and know what the government can do for them and what it can’t,” Ravich, a former national security adviser to Vice President Dick Cheney, told CyberScoop.
Participants in the exercise considered how U.S. government attribution of cyberattacks can help companies defend their networks. There was “a good, robust discussion” on the value of spending limited company resources on helping the government trace the origin of an attack, Ravich said. Knowing which foreign government is behind an intrusion can help a company prepare for future activity, she added.
“There were certain categories of authorities that the folks [formerly] in U.S. government brought up that the private sector really wasn’t aware of,” Ravich added. “Why should they? They’re running businesses; they can’t cite chapter and verse of some authority.”
The FDD drill explored what might happen if China’s actions in cyberspace escalated, said retired Gen. Michael Hayden, who attended the exercise. Over the course of the exercise, executives feared the private sector would bear the brunt of escalation and cautioned against retaliatory U.S. government measures against China, Hayden told CyberScoop.
“I’m the one who did the intervention and [said], ‘Look, you got the Chinese kicking ass in the digital domain … and you are telling me you want us not to respond?” recalled Hayden, a former director of the National Security Agency. “I said, ‘There is nobody in the NSC [National Security Council] meeting who is not going to vote to respond to the Chinese.’”
For Hayden, a principal at The Chertoff Group consultancy, the drill showed that “there really is daylight” between the government and private-sector perspective on retaliating in cyberspace.
For others in the room, too, real-world events echoed what they saw in the tabletop exercise.
The same month as the exercise, cybersecurity company ESET published research showing how hackers have targeted energy companies in Poland and Ukraine, a campaign that aligns with Russian geopolitical interests.
News of that hacking campaign resonated with Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, who also attended the FDD exercise.
“That tells me that we are doing the right thing exercising and actually going through the motions to [rehearse] this because it could happen and it is happening,” Nelson told CyberScoop.
The FDD exercise comes as U.S. officials continue to blame the Chinese government for using cyber and traditional espionage to steal U.S. trade secrets. Earlier this month, Department of Justice officials announced a strategy to combat “rapidly increasing” Chinese economic espionage.